
Cyber Risk Management Strategy Implementation

Çağlar Arlı


I’m developing a Risk Management Implementation strategy for my small SaaS organization, and I’d appreciate your feedback on the soundness of the approach outlined below. We’re hosted in the cloud, have a physical office and presence, and operate on a cybersecurity budget of about $10k USD. The CTO and Board are interested in tracking our Risk Posture Metric, but find the FAIR model too complex for our needs.

Approach Overview:

  1. We plan to structure the Risk Management Implementation Program (RMIP) into five phases, each correlating with a CMMI Maturity Level (1-5).
  2. Develop a questionnaire based on CAN/CIOSC 104:2021 standards and client-specific requirements.
  3. For 25 established controls, assign weighted points where controls scoring above 37.5 points are mandatory, utilizing a basic 4x4 Risk Matrix.
  4. Implement a Risk Posture Dial to display organizational risk from 0-100%. Set a Risk Acceptance threshold at 35%, aiming to keep Target Risk below 35% of Posed Risk.
  5. Ongoing Phases: Continuously add and reassess controls, adjusting weightings based on evolving requirements.
  6. Regularly monitor and adjust the Risk Posture Dial to ensure compliance and manage risk exposure as organizational needs change.

(i) Does this strategy seem scalable and suitable for a small organization like ours?

(ii) Are there adjustments or considerations we might have overlooked?