Mar 26 2025

How to Begin with Cybersecurity Risk Management

Cyber security risk management is a critical aspect of data security, underpinning various frameworks and regulations such as GDPR, NIST CSF, and ISO 27001. The process begins by establishing a common vocabulary to ensure clear communication across the organization. Risk in this context typically refers to potential negative outcomes for the organization, with the goal of identifying and mitigating these risks while considering time and cost implications.

When assessing risks, two key factors are considered: likelihood and impact. These need to be clearly defined and quantified to ensure consistent interpretation throughout the organization. Risk levels are often categorized as low, medium, or high, with corresponding color-coding for easy visualization. A low risk might be something the organization can tolerate, while a high risk could have catastrophic consequences requiring immediate action.

Impact categories can include financial, strategic, customer-related, employee-related, regulatory, operational, and reputational aspects. Not all categories apply to every organization, and some may overlap. Defining the values for these categories is crucial for establishing a common language and meeting ISO 27001 requirements for consistent risk assessments.

Financial impact is typically the easiest to define, using currency figures or percentages of annual turnover. Non-financial impacts, such as operational or reputational, require more nuanced definitions. For example, operational impact might be measured by the duration of business disruption, while reputational impact could be assessed based on the level of media interest.

Likelihood categories are usually defined on a scale from “very unlikely” to “very likely,” with clear descriptions of what each category means. These can be based on expected frequency of occurrence, such as annually, monthly, weekly, or daily. Estimating likelihood can be based on past experiences within the organization or industry-wide occurrences.

Using multiple impact categories is important because security is everyone’s responsibility, and different departments may need to assess impact in different terms. For instance, a chemical manufacturer might need to define impact levels in terms of employee health and safety, while other departments might focus on financial or operational impacts.

A risk heat map, which combines likelihood and impact levels, is a useful tool for visualizing risk severity. The highest risk area (typically colored red) represents what would be catastrophic for the organization, regardless of the specific impact category. This approach allows for a comprehensive view of risks across different aspects of the business, enabling more effective risk management strategies.

DISC InfoSec offer free initial high level assessment – Based on your needs DISC InfoSec offer ongoing compliance management or vCISO retainer.

The best approach for SMBs to start the cybersecurity risk management process involves the following steps:

Understand Your Risks:

  • Conduct a basic risk assessment to identify critical assets, potential threats, and vulnerabilities.
  • Prioritize risks based on their potential impact and likelihood.

Set Clear Goals:

  • Define your cybersecurity objectives, such as protecting customer data, complying with regulations, or avoiding downtime.

Develop a Security Policy:

  • Create a simple, easy-to-follow cybersecurity policy that outlines acceptable use, password management, and data handling practices.

Start with the Basics:

  • Implement basic cybersecurity measures like using firewalls, antivirus software, and regular system updates.
  • Use strong passwords and enable multi-factor authentication (MFA).

Train Your Employees:

  • Provide ongoing security awareness training to help employees recognize phishing, social engineering, and other threats.

Back Up Your Data:

  • Regularly back up critical data and store it in a secure, offsite location.
  • Test your backup and recovery process to ensure it works effectively.

Monitor and Respond:

  • Set up basic monitoring to detect suspicious activity (e.g., failed login attempts).
  • Establish an incident response plan to know what to do in case of an attack.

Leverage External Resources:

  • Work with a trusted Managed Security Service Provider (MSSP) or consultant to cover any expertise gaps.
  • Consider using frameworks like NIST Cybersecurity Framework (CSF) or CIS Controls for guidance.

Start Small and Scale Up:

  • Focus on quick wins that provide maximum risk reduction with minimal effort.
  • Gradually invest in more advanced tools and processes as your cybersecurity maturity grows.

Regularly Review and Update:

  • Reassess risks, policies, and controls periodically to stay ahead of evolving threats.

This structured approach helps SMBs build a solid foundation without overwhelming resources or budgets.

Cybersecurity Risk Management for Small Businesses

Building a Cyber Risk Management Program: Evolving Security for the Digital Age

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Building a Cyber Risk Management Program, Cybersecurity Risk Management


Jan 29 2025

The $75 Million Secret: How a Fortune 50 Company Paid to Hide a Massive Cyberattack

Category: cyber security,Security programdisc7 @ 10:02 am

A Fortune 50 company recently made the largest known ransomware payment—a staggering $75 million—to the Dark Angels ransomware gang after 100 terabytes of data were stolen. Surprisingly, the company did not disclose the attack, even though SEC regulations require public companies to report significant cyber incidents. Unlike typical ransomware cases, the company’s systems were not shut down; they paid purely to keep the data private, highlighting the immense value organizations place on reputation.

Many companies choose to silence cyberattacks out of fear—concerned that disclosure could lead to customer loss, stock declines, and lawsuits. Executives often believe they won’t be targeted, treat each attack as an isolated event, or try to downplay incidents. Even with stricter SEC rules, businesses are finding ways to disclose as little as possible, fueling a cycle where ransom payments encourage more attacks.

This quiet ransom-paying culture increases risks across industries, making companies more attractive targets. Hackers are incentivized to continue their attacks, knowing that major corporations would rather pay up than risk public fallout. The more companies cave to these demands, the more cybercriminals are emboldened.

The solution? Proactive cybersecurity investments to build resilience before an attack happens. However, as history shows, preventive measures are a hard sell—many organizations react only after a crisis, rather than prioritizing security before disaster strikes. Breaking this cycle requires a mindset shift toward long-term cyber preparedness over short-term damage control.

Mastering Cyber Detection Engineering: A Comprehensive Guide to Proactive Cybersecurity

InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO DirectoryĀ |Ā ISO 27k Chat botĀ |Ā Comprehensive vCISO ServicesĀ |Ā ISMS ServicesĀ |Ā Security Risk Assessment Services

Tags: Proactive Cybersecurity


Oct 14 2023

Best implementers of InfoSec program

Category: CISO,Security program,vCISOdisc7 @ 11:48 am

Best implementers of InfoSec program (ISMS) are those who possess both management and leadership capabilities…

CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers

2020 Cybersecurity CANON Hall of Fame Winner

Todd Fitzgerald, co-author of the ground-breaking (ISC)2 CISO Leadership: Essential Principles for Success, Information Security Governance Simplified: From the Boardroom to the Keyboard, co-author for the E-C Council CISO Body of Knowledge, and contributor to many others including Official (ISC)2 Guide to the CISSP CBK, COBIT 5 for Information Security, and ISACA CSX Cybersecurity Fundamental Certification, is back with this new book incorporating practical experience in leading, building, and sustaining an information security/cybersecurity program.

CISO COMPASS includes personal, pragmatic perspectives and lessons learned of over 75 award-winning CISOs, security leaders, professional association leaders, and cybersecurity standard setters who have fought the tough battle. Todd has also, for the first time, adapted the McKinsey 7S framework (strategy, structure, systems, shared values, staff, skills and style) for organizational effectiveness to the practice of leading cybersecurity to structure the content to ensure comprehensive coverage by the CISO and security leaders to key issues impacting the delivery of the cybersecurity strategy and demonstrate to the Board of Directors due diligence. The insights will assist the security leader to create programs appreciated and supported by the organization, capable of industry/ peer award-winning recognition, enhance cybersecurity maturity, gain confidence by senior management, and avoid pitfalls.

The book is a comprehensive, soup-to-nuts book enabling security leaders to effectively protect information assets and build award-winning programs by covering topics such as developing cybersecurity strategy, emerging trends and technologies, cybersecurity organization structure and reporting models, leveraging current incidents, security control frameworks, risk management, laws and regulations, data protection and privacy, meaningful policies and procedures, multi-generational workforce team dynamics, soft skills, and communicating with the Board of Directors and executive management. The book is valuable to current and future security leaders as a valuable resource and an integral part of any college program for information/ cybersecurity.

Previous articles on the subject of Chief Information Security Officers (CISOs)

Previous articles on the subject of Virtual Chief Information Security Officers (vCISOs).

InfoSec toolsĀ |Ā InfoSec servicesĀ |Ā InfoSec booksĀ |Ā Follow our blogĀ |Ā DISC llc is listed on The vCISO Directory

Tags: isms, security program


Dec 04 2022

8 Reasons Why Enterprises Use Java

Category: Security programDISC @ 11:53 am

What is an enterprise application in java?

An enterprise application in Java is a software program whose backend was created with the help of the Java programming language. Java is an excellent choice for creating back-end functionality.

In addition, the use of Java microservices enables the creation of large-scale, complex but well-performing solutions, that’s why it is often chosen by enterprises that are dealing with large amounts of data and need to create multi-functional complex solutions for their business.

What is Java used for?

8 Reasons Why Enterprises Use Java

8 Reasons Why Enterprises Use Java

Tags: Java


Aug 24 2022

Programming, software development, ISO27k and AWS online courses

Find programming and software development online courses, created by experts to help you take your career to the next level.

Programming Online Courses

AWS Online Courses

Product Preview

You can choose the course based on your specific needs:

  • ISO 27001 Foundations course ā€“ you’ll learn about all of the standard’s requirements and the best practices for compliance.
  • ISO 27001 Internal Auditor course ā€“ besides the knowledge about the standard, you’ll also learn how to perform an internal audit in the company.
  • ISO 27001 Lead Auditor course ā€“ besides the knowledge about the standard, it also includes the training you need to become certified as a certification auditor.
  • ISO 27001 Lead Implementer course ā€“ besides the knowledge about the standard, it also includes the training you need to become an independent consultant for Information Security Management System implementation.

The online courses are suitable both for beginners and experienced professionals.

Learn at your preferred speed from any location at any time.

If you have any questions, feel free to send us an email toĀ info@deurainfosec.com

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: aws online courses, Online courses, software development


Feb 08 2022

3 key elements of a strong cybersecurity program

The world relies on technology. So, a strong cybersecurity program is more important than ever. The challenge of achieving good cyber hygiene can be especially acute for small- and medium-sized businesses. This is particularly true for those with fully remote or hybrid work environments. Add to the mix limited resources and limited talent focused on cybersecurity, and the challenges can seem overwhelming.

Considering this, we’ve simplified things down to three key elements of a strong cybersecurity program. You need to know how to assess, remediate, and implement security best practices at scale. In more detail, this means:

  • Assessing your organization’s current cybersecurity program and its prioritization
  • Remediating endpoints at scale, bringing them into compliance with security best practices
  • Implementing cybersecurity policies and monitoring them to stay in compliance

1. Assess your organization’s current cybersecurity program

Taking the first step toward better cyber hygiene means understanding where your organization stands today. Conduct an honest assessment of your strengths and weaknesses in order to prioritize where to focus your efforts for your cybersecurity program. The challenge here is finding the right bar to measure yourself against. There are several frameworks that will do the job. Thus, it can be daunting to figure out which one is the right fit, especially if this is the first time you’re doing an assessment. Starting with the CIS Controls and CIS Benchmarks can help take the guesswork out of your assessment and provide peace of mind that you’re covering all of your bases.

Here’s what makes these two sets of best practices especially useful:

  • They tell you the ā€œwhatā€ and the ā€œhowā€: Many frameworks tell you what you should do, but not how to do it. CIS best practices give you both.
  • They are comprehensive and consensus-based: CIS best practices are developed in collaboration with a global community of cybersecurity experts. They’re also data-driven as explained in the CIS Community Defense Model.
  • They are mapped to other industry regulatory frameworks: CIS best practices have been mapped or referenced by several other industry regulatory requirements, including: NIST, FINRA, PCI DSS, FedRAMP, DISA STIGs, and many others. This means you can get the proverbial ā€œtwo birds with one stoneā€ by assessing against CIS best practices.

The CIS Controls are a prioritized and prescriptive set of safeguards that mitigate the most common cyber-attacks against systems and networks. The CIS Benchmarks are more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against today’s evolving cyber threats. Both are available as free PDF downloads to help you get started.

2. Remediate endpoints at scale with CIS Build Kits

One of the challenges in applying any best practice framework is dedicating the time and resources to do the work. Luckily, CIS offers tools and resources to help automate and track the assessment process. TheĀ CIS Controls Self Assessment Tool (CIS CSAT)Ā helps organizations assess the implementation of the CIS Controls. Additionally, theĀ CIS Configuration Assessment ToolĀ (CIS-CAT Pro Assessor) scans target systems for conformance to the CIS Benchmarks. CIS-CAT Pro Assessor allows you to move more quickly toward analyzing results and setting a strategy to remediate your gaps.

CIS resources and tools are designed to help you move toward compliance with best practices by remediating the gaps. Once you understand where your gaps are and how to fix them, you can useĀ CIS Build KitsĀ to achieve compliance at scale. CIS Build Kits are automated, efficient, repeatable, and scalable resources for rapid implementation of CIS Benchmark recommendations. You can apply them via the group policy management console in Windows, or through a shell script in Linux (Unix,*nix) environments.

Interested in trying out a Build Kit? CIS offersĀ sample Build KitsĀ that contain a subset of the recommendations within the CIS Benchmark. They provide you a snapshot of what to expect with the full CIS Build Kit.

3. Implement cybersecurity policies and monitor for compliance

Lastly, creating strong policies and monitoring conformance helps ensure that an organization is working toward a more robust cybersecurity program. Regularly monitoring conformance over time is critical. It helps you avoid configuration drift, and helps identify any new issues quickly. CIS tools can help monitor conformance and identify gaps.

CIS-CAT Pro Dashboard provides an easy-to-use graphical user interface for viewing CIS Benchmark conformance assessment results over time. Similarly, CIS CSAT Pro enables an organization to monitor implementation of the CIS Controls over time.

A strong cybersecurity program with CIS SecureSuite Membership

Any organization can start improving its cyber hygiene by downloading CIS’s free best practices, like the PDF versions of the CIS Benchmarks. But it’s important to know that you don’t have to go it alone. A cost-effectiveĀ CIS SecureSuite MembershipĀ can be both a solution to your immediate security needs, as well as a long-term resource to help optimize your organization’s cybersecurity program.

You’ll get access to:

  • CIS-CAT Pro Assessor and Dashboard
  • CIS CSAT Pro
  • CIS Build Kits
  • CIS Benchmarks in various formats (Microsoft Word, Microsoft Excel, XCCDF, OVAL, XML) and more

Get the most out of CIS best practices for your cybersecurity program by signing up for a cost-effective CIS SecureSuite Membership.

Learn more about CIS SecureSuite

Building an Effective Cybersecurity Program

Information Security Governance: Framework and Toolset for CISOs and Decision Makers

Tags: strong cybersecurity program