NCSC’s 10 Steps Guidance – Chapter 1: What Is Risk Management?

In the first instalment of this series, we take a look at NCSC’s 10 Steps and address questions you have about Risk Management. For the next Chapter in the series, head over to our blog Chapter 2: Engagement and Training.

What is risk management?

Risk management doesn’t need to be depressing, rather it is the practice of finding, evaluating and controlling risks that can negatively impact your company. Examples of common risk factors include financial uncertainties, cyber security issues, human error, climate change and unforeseen natural disasters.  

As these factors demonstrate, risk management – as a practice – can extend far beyond information security. A holistic risk management strategy empowers organisations to better anticipate the potential risks they face and minimise and control the impact of these risks should they be realised.   

The purpose of risk management is not to become ‘risk-free’. This goal is unachievable. Many risks are unknown and cannot be predicted. However, while we cannot plan for every specific risk, we can prepare for the most likely and the most disruptive. Risk management, then, is thinking about what could go wrong, prioritising the risks that are most likely and would have the highest impact, and taking steps to reduce the likelihood and/or impact. Risk management is incredibly important. You ‘cannot manage what you do not measure’.  

We encourage organisations to make informed decisions about risk because you simply don’t have enough time or money to manage all security risks at the same level. We’ve seen this in large organisations in which steps are taken to mitigate all risks, in the same manner, resulting in lost productivity and opportunity and a lack of flexibility.   

The NCSC’s focus on risk management, of course, looks at the practice in the realm of cyber security. Gartner defines IT risk as “the potential for an unplanned, negative business outcome involving the failure or misuse of IT.” 

Cyber security risk management is the process of finding, evaluating and controlling the cyber security threats your organisation faces. Cyber security risk management should be embedded into a broader, holistic risk management programme that considers other business risks.  

Common examples of cyber risk include: 

• Malicious entities deliberately gaining unauthorised access to a company’s sensitive data for monetary gain,  
• An accidental data leak by an unwitting employee, leading to the exposure of confidential information, and 
• A malicious attack on an operational technology (“OT”) system results in physical repercussions (see, for example, the attack on Colonial pipeline 2021). 

Is the NCSC’s 10 Steps guidance right for my organisation?

The National Cyber Security Centre’s (“NCSC”) 10 Steps to Cyber Security is guidance that aims to help medium and large organisations improve their security posture. It takes the form of ten chapters – each on a separate topic or ‘step’. Combined, these 10 Steps deliver a holistic approach to information security.  In this series of articles, we will take a granular look at each of the NCSC’s 10 Steps in chronological order.  

The NCSC’s 10 Steps are suitable for medium to large companies with at least one employee whose role is dedicated to cyber security. 10 Steps focuses on more than critical security controls, which is the remit of Cyber Essentials, by covering security management considerations like risk management, incident management, supply chain security and security awareness. We have written a detailed guide on Cyber Essentials, which you can download for free.  

Step 1: Risk management – take a risk-based approach to secure your data and systems

The first step centres on risk management. The NCSC encourages organisations to take a risk-based approach to secure their data and systems. This involves taking proactive steps to identify and analyse potential security risks to the technology infrastructure that supports business operations.   

“The nicest thing about not planning is that failure comes as a complete surprise, rather than being preceded by a period of worry and depression.” Sir John Harvey-Jones. 

What is risk management?

Risk management doesn’t need to be depressing, rather it is the practice of finding, evaluating and controlling risks that can negatively impact your company. Examples of common risk factors include financial uncertainties, cyber security issues, human error, climate change and unforeseen natural disasters.  

As these factors demonstrate, risk management – as a practice – can extend far beyond information security. A holistic risk management strategy empowers organisations to better anticipate the potential risks they face and minimise and control the impact of these risks should they be realised.   

The purpose of risk management is not to become ‘risk-free’. This goal is unachievable. Many risks are unknown and cannot be predicted. However, while we cannot plan for every specific risk, we can prepare for the most likely and the most disruptive. Risk management, then, is thinking about what could go wrong, prioritising the risks that are most likely and would have the highest impact, and taking steps to reduce the likelihood and/or impact. Risk management is incredibly important. You ‘cannot manage what you do not measure’.  

We encourage organisations to make informed decisions about risk because you simply don’t have enough time or money to manage all security risks at the same level. We’ve seen this in large organisations in which steps are taken to mitigate all risks, in the same manner, resulting in lost productivity and opportunity and a lack of flexibility.   

The NCSC’s focus on risk management, of course, looks at the practice in the realm of cyber security. Gartner defines IT risk as “the potential for an unplanned, negative business outcome involving the failure or misuse of IT.” 

Cyber security risk management is the process of finding, evaluating and controlling the cyber security threats your organisation faces. Cyber security risk management should be embedded into a broader, holistic risk management programme that considers other business risks.  

Common examples of cyber risk include: 

• Malicious entities deliberately gaining unauthorised access to a company’s sensitive data for monetary gain,  
• An accidental data leak by an unwitting employee, leading to the exposure of confidential information, and 
• A malicious attack on an operational technology (“OT”) system results in physical repercussions (see, for example, the attack on Colonial pipeline 2021). 

Why does cyber security risk management matter?

Over the past two decades, technology has transformed the business landscape, changing how people communicate, collaborate and work entirely. Nearly all companies now rely on data, cloud services and the internet to function. 

The pace of technological development shows no sign of slowing and, while it has brought great benefits, it has also ushered in an era of cyber risks. While these risks are ‘new’, in that they are part of the blossoming digital age, established frameworks exist to help manage them.  To ensure your systems are secure and that sensitive data remains protected, it is important that the security pitfalls of cloud services are assessed – read our latest blog on addressing the information security risks of cloud services. 

Despite this, cyber risk management uptake continues to be slow across organisations. McKinsey research found 75% of companies have not conducted a formal, holistic risk assessment for digital and analytics transformations, while 14% have never formally assessed the risks for these initiatives.  

Whether organisations are underestimating the importance of risk management or overestimating their ability to deal with the fallout of a cyber security incident will depend on the individual case. However, the important takeaway is cyber security risk management is a necessity to remain competitive.  

The security vendor, VMWare, found 88% of UK companies suffered security incidents in the last 12 months. With a risk management strategy in place, organisations should be better placed to handle such incidents. A risk management strategy can help by:  

• Mitigating cyber risks: Implementing a cyber risk management strategy helps companies identify potential security threats and determine the level of risk they are willing to accept for such threats in pursuit of their business objectives. By developing a corresponding risk treatment plan, companies can reduce these risks to an extent by improving their defences. In some cases, a company may choose to accept and monitor a risk – but there is a difference between accepting and monitoring, and simply ignoring a risk. 
• Protecting the bottom line:  Financial gain is the number one motivation for today’s threat actors. By putting robust defences in place, companies reduce the likelihood of a successful attack and the financial damage associated with it. Financial damage includes direct losses, like incident response, clean-up costs and secondary costs such as affected share price and reputational damage resulting in loss of custom. 
• Providing assurance: Certifying to a recognised risk management standard, such as ISO 27001, provides assurance to your clients, partners and suppliers that you have robust risk management measures in place. 
• Reducing the impact of a security incident: Risk management goes hand–in–hand with incident response – how you ‘respond to a security incident. This should be built on thorough planning, preparation, agreeing on strategies to follow, rehearsing and improvement. We’ve written a detailed guide on incident response with further information on this topic.  

How to start with cyber security risk management 

There is no precise formula for effective risk-based decision making. How you go about managing risks will depend on your organisation’s unique risk tolerance levels. Indeed, what one company deems an intolerable threat, another might think bearable.  

Broadly speaking, the cyber security risk management process involves four steps:  

• Identify risk: Assess the company’s environment to discover current and potential security risks   
• Assess risk: Analyse identified risks to gain an understanding of how likely they are to impact the business and understand the severity of this impact   
• Control risk: Put in place measures and procedures to treat these risks, prioritising those risks that are the most severe – the four options are to avoid, reduce, accept or transfer risk. 
• Review controls: Continuously evaluate how effective controls are at mitigating risk, and adjust them as needed 

Cyber Risk Management Frameworks

There are numerous reputable cyber risk management frameworks designed to help organisations streamline and strategize the process of risk management.  

Well-regarded frameworks to consider include:  

The NIST Risk Management Framework: This provides a comprehensive, measurable 7-step process that companies can use to manage security and privacy risks. It links to a suite of NIST standards and guidelines that assist in implementing risk management programmes. 

ISO 27001: This is the international standard for an information security management system (ISMS). An ISMS manages the risks to information security within an organisation. Organisations can certify against ISO 27001 to provide assurance security is embedded throughout, and that data are appropriately managed against risks to ensure confidentiality, integrity and availability. 

NCSC Guidance: Risk management is a theme running through all the NCSC’s 10 Steps, and the NCSC also has dedicated guidance on risk management. While the NCSC’s advice concerning risk management is less granular than other frameworks, it provides several thoughtful questions and considerations to help build your risk management approach.  

Risk management challenges

As organisations embark on risk management strategies, they must be aware risk management is not a tick-box exercise. A poor risk management programme can lull you into a false sense of security about your propensity to risks.   

In examining risk management failures, TechTarget highlighted that, when risk management goes awry, it is usually due to a lack of internal expertise and putting short-term profits over long-term revenue sustainability. 

To that end, we advise organisations to work with dedicated external advisors as they approach risk management. Security risk management experts can help your company build a holistic risk management strategy from the ground up, so you are better equipped to face the threats of today and tomorrow.  

Need help with managing your cyber risk?

If you’re looking to improve your company’s cyber security risk management approach, we can help. Our risk assessment services can help you understand whether your security posture is sufficient. Because no two organisations are the same, we tailor every assessment to the client’s specific objectives. Please get in touch. You can call us or request a callback using our contact form.