New guidance to replace existing single technique with a toolbox of approaches
The National Cyber Security Centre (NCSC) is planning to replace the existing recommended technique for cyber risk management with a more flexible approach involving a number of approaches.
It said that it is working on new guidance in the field to update the existing version developed by one of its precursor organisations, CESG. This will move away from the view that there is a single “wrapper” in which any risk analysis technique could fit.
“Our forthcoming guidance will present a range of different risk management techniques,” said the risk research lead for NCSC, named as John Y. “So, where we have previously talked about one technique, now we are talking about a toolbox of techniques.”
This reflects a belief that there is no single method that can be applied universally to good effect as risk management for cyber security has become too complex. Subsequently, cyber risk managers should be more flexible in response to different risks.
The official said it will draw on insights, concepts and methods from other established domains of risk management, such as industrial safety management, and apply them to cyber security.
“Different tools within these different categories add value in totally different ways,” he said. “Our guidance aims to identify these techniques, and explain what they’re good (or not so good) at.”
NCSC plans to deliver the guidance in stages, the first to include discussions of the fundamentals of risk management and how to get the basics right. It will focus on two approaches: looking at the technical components and the associated threats and vulnerabilities; and an analysis of a system as a whole.
Further techniques will be added as the research progresses, and the NCSC’s current risk management collection will be retired – although its features that are considered useful will be repurposed in the new guidance.
Image from Metaloxyd, CC BY 2.0 through flickr