Turn Raw Risk Data into a Meaningful Risk Intelligence Report
Written by: Bob Maley
Risk intelligence reports are vital for modern companies working to reduce the risk in their cyber ecosystems, but for many, it can be hard to know precisely what should be included in the report. Security professionals are often stuck between gathering data for the sake of data and relying on insufficient or antiquated risk monitoring methods. The former results in an overwhelming volume of data, much of which isn’t relevant to your organization. The latter leaves significant gaps in your visibility, making it impossible to effectively manage risk.
Developing an impactful risk intelligence report requires building upon diverse intelligence gathering practices, broadening your understanding of vital risk intelligence data, and then filtering that data through personalized, contextual filters. With this more nuanced view of your organization’s cyber risk landscape, you can develop a robust and effective third-party risk management strategy.
Types of Risk Intelligence Data
There are simply too many factors in play to rely solely on a one-dimensional view of your organization’s risk. For example, many questionnaires offer a single point-in-time snapshot of vendor risk and are geared toward compliance — and many times, are aspirational at best. A vendor may tell you that they’re 74% compliant with a specific regulation on a questionnaire, but that doesn’t tell you which control failures are putting your company at risk.
For a more insightful, multi-dimensional view of your organization’s risk, you must first cast a wide net. Risk intelligence data should come from multiple internal and external sources, including:
- Security information and event management (SIEM) tools.
- Vulnerability assessments and/or pen-testing reports.
- Third-party vendor assessments.
- Open-source intelligence (OSINT).
- Industry reports and benchmarks.
- Legally mandated data breach reports.
- Government agency publications.
By synthesizing risk data from these various sources, you’ll create a risk intelligence report that considers a more holistic view of your organization’s cyber risk.
Create Your Risk Intelligence Report
A risk intelligence report dialed into your organization’s unique risk landscape presents important information in a digestible manner.
The contents of a risk intelligence report will vary, but they often include these elements:
- Threat Landscape Analysis: This section provides an overview of the current cyber threat landscape, highlighting the most prevalent attack methods, emerging threats, and relevant industry trends.
- Vulnerability Assessment: This section identifies and assesses the weaknesses within your organization’s systems, networks, and data. It may involve penetration testing, vulnerability scanning, and security posture assessments.
- Threat Actor Analysis: This section dives deeper into the profiles of potential attackers who might target your organization. It analyzes their motivations, tactics, techniques, and procedures (TTPs) to help predict their potential strategies.
- Risk Prioritization: Based on the gathered intelligence, the report prioritizes the identified risks by considering their likelihood of occurrence and potential impact on your organization. This helps you allocate resources and focus your efforts on the most critical areas.
- Recommendations and Mitigation Strategies: The report concludes by providing recommendations and mitigation strategies to address the identified risks. These may involve implementing specific security controls, patching vulnerabilities, and raising awareness among employees about cybersecurity best practices.
Determine What Data to Include in Your Risk Intel Report
True risk intelligence takes into account your company’s unique circumstances, along with greater industry trends and common threats, to highlight the actual risks your organization may be subject to. For this to be successful, security professionals need to find ways to turn the firehose of information they’re collecting into a manageable stream of practical recommendations.
Here are five considerations that might impact which findings you choose to include in your risk intelligence report.
#1 There Is a Clear and Present Danger to Your Company
First, determine the most clear and present danger. This can include anything from common threats in your industry to a vendor who is currently experiencing a data breach. For example, ransomware attacks have been on the rise. If you — or one of your vital vendors — are in manufacturing, technical services, or education, you’re more likely to be targeted. In this case, part of your report should be dedicated to ransomware susceptibility.
#2 A Risk Poses a Significant Financial Impact to Your Business
A security team’s goal is to reduce risk and, by extension, prevent adverse financial impact on the business. Your report should highlight both the likelihood of a security event and its potential cost to your business, within a specific time frame. This is vital for prioritizing your remediation efforts, so you can allocate resources appropriately.
#3 You’re Being Audited for a Specific Regulation, like HIPAA or PCI DSS
If you’re undergoing an audit for a specific regulation, the compliance level of your third-party vendors must also be assessed. It’s helpful for your report to include which vendors aren’t meeting those compliance requirements and also what pieces of your ecosystem they have access to.
Imagine being notified that your marketing partner, who handles your company’s branding elements and public website, is not compliant with data protection regulations. While this might raise concerns, it’s not as critical to your core operations. However, consider the scenario with your payment processing vendor, a key player in your financial transactions. If they, or any of their subcontractors, fail to meet industry-specific compliance standards, the stakes are much higher. This breach in compliance could lead to significant financial and reputational damage, emphasizing the vital need to ensure that your vendors adhere strictly to regulatory requirements.
#4 You’re Considering a New Vendor or Renewing a Contract with a Vendor
Before contracting with a new vendor, it’s a good idea to look into what risks they may introduce to your cyber ecosystem. If they have a history of regular data breaches or a high ransomware susceptibility score, they might not be your best option.
But context is vital here, too. Your decision to sign the contract or move on will depend on what service they’re providing and what pieces of your infrastructure they would have access to throughout the course of the engagement. For example, recurring data breaches in a marketing vendor that doesn’t have access to your sensitive data may be less concerning — and probably require less drastic action — than breaches in your payment processor.
#5 You Have an Application that Supports Business Critical Processes, and You’re Thinking About Acquiring an Additional Vendor for Redundancy
Many factors contribute to these decisions (e.g., your budget and the tool’s functionality), but let’s simplify by weighing the financial implications of this decision.
Say your report highlights that something has changed with one of your critical vendors, and as a result, they’ve become highly susceptible to ransomware. The report should also tell you the potential financial impact on your organization if that vendor is compromised. For example, if they fall prey to an attack and it takes your systems offline, it could cost your organization $20,000. But when you analyze a redundant vendor, the analysis shows a ransomware event with them could cost you $100,000 per year. In this case, you may decide to accept the risk associated with your original vendor or continue to look for other options for redundancy.
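A small worked example of the prioritization these five considerations describe, added here and not taken from the author or the article: it scores each vendor finding as likelihood times cost normalised to a one-year time frame (#2), weights that by what the vendor can reach in your ecosystem (#4), flags any vendor failing the regulation you are being audited for (#3), and compares two vendors' expected annual loss for the redundancy decision (#5). The vendor names, probabilities, dollar figures, access weights and the Poisson assumption used to annualise a probability are all constructed assumptions for illustration.

```python
"""Rank third-party risk findings by expected annual loss, weighted by the
access each vendor has into your environment. Added example; every vendor,
probability and dollar figure below is constructed, not real data."""
import math
from dataclasses import dataclass

# Assumed weights for how much of your ecosystem a vendor touches: a breach at a
# vendor holding only public material matters less than one at the payment processor.
ACCESS_WEIGHT = {"none": 0.25, "public": 0.5, "sensitive": 1.0, "payments": 1.5}


@dataclass(frozen=True)
class Finding:
    vendor: str
    scenario: str            # e.g. "ransomware outage", "data breach"
    probability: float       # P(at least one event) within horizon_years
    horizon_years: float     # the time frame the probability was estimated for
    loss_per_event: float    # USD cost to *your* organization per event
    access: str              # key of ACCESS_WEIGHT
    compliance_gaps: tuple = ()   # regulations the vendor fails, e.g. ("PCI DSS",)


def annual_event_rate(probability: float, horizon_years: float) -> float:
    """Convert 'P(event within T years)' into an annual event rate.
    Assumes events arrive as a Poisson process, so P = 1 - exp(-rate * T)."""
    if not 0.0 <= probability < 1.0 or horizon_years <= 0:
        raise ValueError("probability must be in [0, 1) and horizon positive")
    return -math.log1p(-probability) / horizon_years


def expected_annual_loss(f: Finding) -> float:
    """Likelihood x impact, normalised to a one-year time frame (consideration #2)."""
    return annual_event_rate(f.probability, f.horizon_years) * f.loss_per_event


def contextual_score(f: Finding) -> float:
    """Expected annual loss scaled by what the vendor can reach (consideration #4)."""
    return expected_annual_loss(f) * ACCESS_WEIGHT[f.access]


def prioritize(findings, audit_regulation=None):
    """Return (finding, score, flags) tuples, highest score first. During an audit
    (consideration #3) every vendor failing that regulation is listed first."""
    ranked = []
    for f in findings:
        flags = []
        if audit_regulation and audit_regulation in f.compliance_gaps:
            flags.append(f"audit:{audit_regulation}")
        ranked.append((f, round(contextual_score(f), 2), flags))
    ranked.sort(key=lambda r: (bool(r[2]), r[1]), reverse=True)
    return ranked


def cheaper_option(original: Finding, candidate: Finding) -> str:
    """Redundancy decision from consideration #5: keep whichever vendor carries
    the lower expected annual loss for the same scenario."""
    if expected_annual_loss(original) <= expected_annual_loss(candidate):
        return original.vendor
    return candidate.vendor


# Constructed sample findings (not real vendors)
SAMPLE = [
    Finding("PayCo", "ransomware outage", 0.20, 1.0, 100_000, "payments", ("PCI DSS",)),
    Finding("BrandWorks", "data breach", 0.50, 1.0, 15_000, "public"),
    Finding("CloudERP", "ransomware outage", 0.10, 1.0, 20_000, "sensitive", ("HIPAA",)),
]

if __name__ == "__main__":
    for f, score, flags in prioritize(SAMPLE, audit_regulation="HIPAA"):
        print(f"{score:>10,.2f}  {f.vendor:<12} {f.scenario:<18} {' '.join(flags)}")
    print("cheaper for redundancy:", cheaper_option(SAMPLE[2], SAMPLE[0]))
```

Run without an audit, the ranking is driven purely by weighted expected loss; pass the regulation you are being audited for and the non-compliant vendor is pulled to the top regardless of its score, which is the behaviour consideration #3 asks for. The Poisson conversion matters when a probability was estimated over a multi-year horizon: halving the time frame does not simply double the annual rate.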
Data-Driven Decision Making
Risk intelligence data is nearly meaningless without understanding how it intersects with your organization’s specific circumstances and needs. But once that data has been filtered through your unique contextual lens, it becomes a powerful tool that can inform decision making, strengthen your third-party security strategy, and ultimately improve the safety of your organization.
If developing an impactful risk intelligence report — or improving the ones you already have — seems like a pie-in-the-sky goal, don’t worry. Check out The Ultimate Guide to Building a Third-Party Risk Program.
Ready to ramp up defense of your digital supply chain? Check out The Ultimate Guide to Building a Third-Party Risk Program.