There are many areas where organizations can improve security, but how do you know where to start?
That’s where a risk-based approach comes in! This is key to prioritizing a seemingly endless list of tasks.
Discover the Roles That Use a Risk-Based Approach
Cybersecurity risk analysts perform risk analyses based on predefined risk management processes. Their main tasks are to:
identify what the company wants to protect.
identify, assess and prioritize risks affecting the organization or specific areas of the organization.
put forward an action plan to address the risks identified.
approve and monitor the implementation of the risk management plan.
communicate with stakeholders and report relevant information.
In some organizations, there is also a person or team dedicated to non-cybersecurity risks.
How does this differ from the risk analyst’s role described earlier?
The risks this person or team addresses are business risks, linked to the organization’s core operations and not to its information system.
For example, at our Everwell Hospital, there are risks everywhere which must be identified and managed: risks to patients (hospital-acquired infections, diagnostic or medication errors, etc.) or risks to staff (cross infection from patients, assault, stress, etc.). The hospital director in particular is responsible for this task. The approach is similar to that used in cybersecurity risk management: identify, assess, and prioritize risks; put forward a treatment plan; and monitor treatment actions.
Business risk is intrinsically linked to those cyber crises that have a major impact on operations, and both risk and cybersecurity teams need to work together.
Some risks may have a significant legal impact. These are referred to as compliance risks. Factoring in compliance issues can also help in prioritizing cybersecurity projects.
Discover Who Manages Compliance Issues
The compliance officer manages compliance with cybersecurity standards and regulations. Their job lies at the crossroads between cybersecurity and legal—particularly where privacy protection is concerned. Their main tasks are to:
identify non-compliance with standards or regulations.
define a compliance plan and manage its implementation.
coordinate the internal and external stakeholders involved in compliance.
contribute to the cybersecurity strategy on compliance matters.
So, this person is part of the legal team?
It depends on the organization, but they certainly work closely with the legal team as the issues are similar.
The legal team works closely with the cybersecurity team on a daily basis on legal and contractual compliance issues: supplier and contract management, intellectual property rights, personal data protection, confidentiality clauses in employee contracts, and so on.
One area that has become critical in recent years, especially with the EU-wide enforcement of GDPR, is personal data protection, based around individuals' right to privacy. This regulation has resulted in a number of activities that fall under the responsibility of the Data Protection Officer (DPO), including:
preparing Data Protection Impact Assessments (DPIAs) for processing personal data.
helping with the legal aspects of a personal data breach, in particular by notifying the relevant authorities, as was the case for the Everwell Hospital.
defining the legal retention period for personal data stored by the organization.
ensuring that contracts with new service providers include personal data protection clauses.
The DPO may be part of the legal team or the cybersecurity team, depending on the organization. As you’ve already seen, these two teams work together closely anyway.
I can’t quite figure out what’s going on with all these teams. What’s their organizational structure? Who’s in charge?
That’s a very good question! And it’s what you’ll find out in the next chapter.
Let’s Recap!
In this chapter, you discovered yet more new roles within the cybersecurity team and beyond!
You met the risk analyst, whose work helps prioritize security tasks.
You met the compliance officer, whose work lies in the space where cybersecurity and the law overlap.
You understood the importance of working with the legal team, particularly when it comes to personal data protection and the role of the data protection officer.
Still don’t see the big picture when it comes to all these teams? That’s what we’ll look at in the next section. Join me there!
