We mentioned in a previous blog that the NCSC is working on producing some guidance on risk management for cyber security. The first stage of this guidance is nearly ready and will be delivered to you as an early Christmas present. Before that, we wanted to give you an overview of what this guidance is, and what our customers will get from it.
Why is the NCSC producing guidance on risk management?
CESG (one of the NCSC’s precursor organisations) produced standards and guidance on cyber risk management for years. Many other organisations produce similar products. What does the NCSC hope to add to this picture?
Most cyber risk management guidance presents an individual risk management technique, or a managerial 'wrapper' within which any risk analysis technique could fit. Our forthcoming guidance will present a range of different risk management techniques. So, where we have previously talked about one technique, now we are talking about a toolbox of techniques.
This toolbox will draw on insights, concepts and methods from other established domains of risk management (such as industrial safety engineering) and apply them to cyber security. Our research into these other domains tells us that there are broad categories of risk management technique which are fundamentally different from each other, and that the tools within each category add value in quite different ways. Our guidance aims to identify these techniques and explain what each is good (or not so good) at.
Why a toolbox?
The short answer is that there is no single method for doing risk management for cyber security which can be applied universally, to good effect.
CESG spent many years promoting a single method for conducting cyber risk management within the UK government. That experience showed us that mandating specific techniques across a field as broad as the UK public sector can have unintended consequences. Risk management for cyber security is simply too complex to be managed using a single method. One consequence of recognising this is that cyber risk managers will need to know which kind of technique is best applied to which kind of problem. As such, this guidance will be neither prescriptive nor a standard. It will never be correct to say that someone has ‘complied’ with our guidance, only that they have considered it in light of the problem at hand.
What’s in the toolbox?
We're delivering this guidance in stages. The first stage, to be released shortly, will include some discussions of the fundamentals of risk management (why we do it, how it can improve cyber security). It will summarise how to 'get the basics right' if you're a small organisation with few resources to spend on cyber risk management. It will also present two very different (but complementary) ways of looking at risk.
- The first approach focuses on technical components, and the threats and vulnerabilities they face. We call this 'component-driven risk management'.
- The second takes the opposite view, and analyses systems as a whole. We call this 'system-driven risk management'.
The techniques we cover are all based on an ongoing programme of research by the NCSC's Sociotechnical Security Group. As our research progresses, we will add further types of cyber risk technique to this guidance. We intend to cover causal analysis of cyber risk (such as attack trees), techniques for quantitatively analysing cyber risk, and discussions of the perception and communication of cyber risk. We will also supplement this guidance with a series of blogs and worked examples, which will add some real-world context.
No jargon, no buzzwords
The last thing we want to do is produce a huge document that nobody will read. So, we’ll be ruthless with size. No jargon, no buzzwords, just succinct and useful guidance. Where we must introduce new terms, we will make sure they are clear.
We also recognise that the NCSC’s customer base is hugely varied, particularly in how much resource it is appropriate to spend on cyber risk management. To meet these varied needs, we will clearly indicate how smaller organisations should approach cyber risk management, and keep that message separate from the guidance on more expensive methodologies. The aim is to make clear what ‘good enough’ looks like for those working with very limited resources.
The NCSC's current risk management collection will be retired. Don't worry: everything useful from it has been taken out and repurposed. The collection includes two pieces on security governance. We will be keeping these for the time being, and will be adding to them in the near future.
We are developing this guidance in collaboration with a range of external partners, and we’re more than happy to take comments and suggestions from anyone. We're particularly keen to get feedback once we've published guidance. If you’re interested in what we’re talking about here, and would like to be involved, do get in touch.
Risk Research Lead