Re-inventing the Risk Register
Re-Inventing the Cyber Security Risk Register
The cyber security risk register is a common concept for many organizations. A risk register is a centralized inventory, often a spreadsheet, of the risks that an organization identifies in its environment while performing risk management or assessment activities.
The problem with existing risk registers, however, is that they are often not effectively defined by best practice frameworks. Many frameworks simply require that a risk register be in place without any mention of how adequately it manages risk within an environment.
So, what is a risk register and why can it have such a large impact on your security effort?
Where Did the Risk Register Come From?
The origin of the security risk register can be traced back to the ISO 27001 best practice framework, which was one of the first systematic frameworks for cyber security. While the framework has done a lot of good for cyber security, many of the benefits it provides lie in the past.
One of the items suggested in the framework is the creation of an Information Security Management System (ISMS) that establishes how your organization identifies, communicates, treats, and manages risk within your environment.
The most common tangible artifact or document from the ISMS is the cyber security risk register, which ISO 27001 even provides a template for.
The risk register usually acts as evidence that your organization is utilizing an ISMS, and it’s one of the biggest things that auditors reviewing your organization for an ISO certification will look for.
But if an organization’s goal is compliance and an audit doesn’t check for the effectiveness of a risk register, then security teams won’t effectively make use of them.
ISO 27001 isn’t the only culprit in perpetuating the risk register as it exists in its current form — it was simply the first framework that required it.
Since many best practice security frameworks have taken on a risk-based approach, all of them now require some type of risk register. In each iteration, these risk registers tend to have some of the same flaws.
The Flaws in Risk Registers
Although most best practice security frameworks or certifications have risk management at the core of their approach, there has been no correlative research suggesting that receiving a certification makes an organization more resistant to a breach or other adverse security event.
In other words, having your organization certified doesn’t necessarily mean that you’re operating in a more secure, less risky environment.
Organizations generally seek best practice security certifications for the sake of their customers and clients. Most people want to know that the organization they’re working with is secure, after all.
While receiving a certification isn’t at all a detriment, it isn’t enough if you want to do more with your security program than just having something on paper.
The core issues with the risk register approach lie in its focus on compliance, its scope, and its overall lack of operational efficiency:
The origin of the cyber security risk register is based primarily in compliance. While compliance is important, it shouldn’t be the sole focus of your security program.
When your organization’s risk register is focused on compliance, your team ends up focusing on the findings without thinking about recommendations or projects on how to fix them. If you want your security program to prioritize and reduce risk rather than simply identify it, just finding the problems won’t be enough.
To further complicate the issue, most auditors that review organizations for compliance and certification are simply auditors — they don’t necessarily know how to identify something that’s built properly.
Relying on an auditor’s findings to help you strengthen and improve your security program is like relying on an inspector to make suggestions on the structure of your house based on blueprints alone.
With ISO 27001, your organization is responsible for defining the scope of which parts of your business are included under the security program, as well as the levels and types of risks that will be included in your register.
If an organization is motivated to receive certification solely for their clients, then limiting the scope to the bare minimum and only including hyper-specific risks would be the easiest thing to do, and this is what many organizations do.
They identify a single business unit within the scope and set a ridiculously high dollar amount — $5,000,000 — for the threshold of included risks.
The problem here is obvious — limiting the scope and only accounting for specific risks won’t give your organization a complete understanding of the risks to your environment. This results in an incomplete risk register with poor recommendations on how to address and improve them.
Organizations that use ISO 27001 or other best practice security frameworks are often operationally inefficient, both in the way that risks are collected and how they are fixed.
Building a compliant cyber security process isn’t the same as building an efficient process.
Best practice security frameworks don’t often account for building efficient processes, and if your organization doesn’t include any efficiency requirements, then your team will be stuck adhering to something that won’t match your organization’s needs.
Some of the most important efficiency requirements your organization should incorporate include service-level agreements for security processes, effective scoping and defining of your processes, and connecting identified risks to the appropriate recommendations.
Risk registers in their current state are highly problematic, but this doesn’t mean that they should be thrown out entirely.
Instead, our team has come up with a new concept that builds on the foundations of the risk register by filling in the need for an appropriate scope and moving away from an inefficient, compliance-focused model.