
Crafting an effective risk register

By Ran Shahor
[Image: risk management. Marketing photo created by freepik - www.freepik.com]

March 15, 2021

Risk is much more than a report shown to the board every quarter. It’s a major point of discussion for any CISO regardless of industry, and not just on the mitigation side. The ability to effectively assess risk is a critical part of any program – but it has to be done realistically.

The Challenges

Risk is an inherently personal aspect of security because it is tied directly to what is important to the business. This makes it very difficult to have any sort of baseline, because two organizations, even in the same industry, might have two very different risk registers and tolerances. Take two banks, for instance. One handles a large swath of clients with average wealth, and one manages a few clients with enormous wealth. While they are technically in the same industry, they have two very different focuses. Thus, they have very different risk registers and tolerances. This is why it is difficult to define an effective blanket risk framework. Here are some of the many challenges that arise when creating a risk program:

  • Crafting a Risk Register ‘Power tool’ as the base for a multiyear cybersecurity plan
  • Evaluating your controls
  • Linking controls to “Best Practice” Frameworks
  • Linking the applicable controls to each risk
  • Calculating the controls’ effectiveness per risk automatically
  • Automatically calculating the importance of each control’s domain to the organization
  • Visually communicating this to the Board

Where to start

Business Impact Analysis

You can’t effectively create a risk program if you don’t have a full picture of just how large the risks are for your organization. “You can’t secure what you can’t see,” so to speak. Risks don’t necessarily arise from a lack of technology – oftentimes they are hidden in faulty business practices. We are well beyond the days of IT and security being segmented off in their own little world away from the business. IT and security are business drivers now in a lot of cases, which makes the risks associated with them risks to the business itself. The first step to crafting any successful risk program is assessing these practices and what kind of impact they have on the business. Every aspect of the business impact needs to be assessed and have a financial impact associated with it. As mentioned earlier, communicating these risks to the board or other managing bodies who do not live and breathe this every day can be difficult. Attaching a dollar value to each risk helps mitigate that issue. Below is an example of this:

[Figure: Business Impact and Risks Value. Image courtesy of the author]

The “Average Fog”

Domain averages can be the death of a risk program. Not only are they entirely subjective, the calculations are often intrinsically flawed. These averages can be based on several different parameters: whether something is in place, whether it’s being implemented, etc. – but those don’t really tell the whole story. For instance, if the average is based solely on implementation status, you could get a completely false sense of security about where you currently stand. Instead of getting bogged down with averages, it is much more effective to take each domain and prioritize it by criticality. Once that is done, weighting those percentages based on your determined criticality will give you a much different viewpoint.

Prioritization Tiers

Criticality Ratings

Giving each control a criticality milestone helps paint a much more realistic picture of how much risk each control actually carries. Rather than looking at it with an “in place/not in place” mentality, assessing each control’s level of implementation as well as its level of adoption can change your risk register quite a bit. For instance, if you have a secure file transfer system set up but your employees are still using their own personal cloud storage or email to transfer files, that translates to a significantly higher risk score than if you were looking at implementation alone. The criticality ratings also have to be specific to your organization’s needs and concerns – not all controls will be top priority to you. Rather than focusing on every single control, find the ones that are most important to the business and get a very accurate look at where you stand.

Weighted Percentages

Once the criticality milestones are set, applying weights is the next step. Most organizations have weighted averages set up already, but they’re based on a domain average, which, as previously stated, doesn’t always work. The criticality milestones set a maximum percentage of effectiveness to illustrate a more realistic view. For example: if you have a criticality milestone of 3, your highest possible score is 60%; if you are 76% implemented, your actual risk score is 76% of that 60%, or 46%. That’s a very different picture than just taking your overall average based on implementation. This works on the other side as well. If you have a control with a low criticality milestone, you could actually be in a better place than you thought. The most important aspect of risk scoring is reality.
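The scoring described in the Business Impact Analysis, “Average Fog”, Criticality Ratings and Weighted Percentages sections above, worked through in code. This is an added example, not the author’s or HolistiCyber’s tooling. The article gives one data point for the criticality ceiling (milestone 3 caps effectiveness at 60%); the five-step ladder in `MILESTONE_CAP`, the adoption discount, and the rule that a risk’s effectiveness is the mean weighted score of its linked controls are assumptions of this example, and the controls, risks and dollar values are constructed.

```python
"""Risk register scoring: criticality-weighted scores vs the 'average fog'.

Added example, not the article's own tooling. Assumptions are marked below;
the sample controls and risks are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Dict, List

# Assumption: the article states only that milestone 3 caps effectiveness at
# 60%; this example generalises that to a linear ladder of five milestones.
MILESTONE_CAP = {1: 20, 2: 40, 3: 60, 4: 80, 5: 100}


@dataclass
class Control:
    name: str
    domain: str
    milestone: int      # criticality milestone, 1 (low) .. 5 (critical)
    implemented: int    # implementation status, percent 0..100
    adopted: int = 100  # share of staff actually using it, percent 0..100

    def naive_score(self) -> int:
        """The 'in place / not in place' view: implementation only."""
        return self.implemented

    def weighted_score(self) -> int:
        """Implementation, discounted by adoption and capped by criticality.

        Reproduces the article's example: milestone 3 (60% cap) at 76%
        implemented gives round(76 * 100 * 60 / 10000) == 46.
        """
        cap = MILESTONE_CAP[self.milestone]
        return round(self.implemented * self.adopted * cap / 10_000)


@dataclass
class Risk:
    name: str
    impact_usd: int        # financial impact if the risk materialises
    controls: List[str]    # names of the controls linked to this risk


def domain_averages(controls: List[Control],
                    scorer: Callable[[Control], int]) -> Dict[str, float]:
    """Average a score per domain (the kind of average the article warns about)."""
    by_domain: Dict[str, List[int]] = {}
    for c in controls:
        by_domain.setdefault(c.domain, []).append(scorer(c))
    return {d: round(mean(v), 1) for d, v in by_domain.items()}


def risk_effectiveness(risk: Risk, controls: List[Control]) -> int:
    """Assumption: effectiveness per risk = mean weighted score of its linked controls."""
    index = {c.name: c for c in controls}
    return round(mean(index[n].weighted_score() for n in risk.controls))


def residual_exposure(risk: Risk, controls: List[Control]) -> int:
    """Dollar value left unmitigated: impact scaled by what the controls fail to cover."""
    return round(risk.impact_usd * (100 - risk_effectiveness(risk, controls)) / 100)


# Constructed sample register. "Secure file transfer" is the article's case:
# fully implemented, but staff still use personal cloud storage (40% adoption).
CONTROLS = [
    Control("MFA on remote access", "Identity", milestone=5, implemented=90),
    Control("Secure file transfer", "Data Protection", milestone=5, implemented=100, adopted=40),
    Control("DLP on e-mail", "Data Protection", milestone=3, implemented=76),
    Control("Screensaver lock policy", "Endpoint", milestone=1, implemented=100),
]
RISKS = [
    Risk("Client data leaked via personal cloud", 2_000_000, ["Secure file transfer", "DLP on e-mail"]),
    Risk("Account takeover of remote staff", 500_000, ["MFA on remote access"]),
]


def register_report() -> List[tuple]:
    """One row per risk: (name, impact, effectiveness %, residual exposure in USD)."""
    return [(r.name, r.impact_usd, risk_effectiveness(r, CONTROLS),
             residual_exposure(r, CONTROLS)) for r in RISKS]


if __name__ == "__main__":
    print("Domain averages (naive):   ", domain_averages(CONTROLS, Control.naive_score))
    print("Domain averages (weighted):", domain_averages(CONTROLS, Control.weighted_score))
    for name, impact, eff, residual in register_report():
        print(f"{name}: impact ${impact:,}  effectiveness {eff}%  residual ${residual:,}")
```

Running it shows the “average fog” directly: the naive Data Protection average reads 88% because both controls are largely implemented, while the weighted view reads 43% once low adoption and the milestone ceiling are applied, and the linked risk still carries about $1.14M of residual exposure out of $2M.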

Understanding the Attacker’s Motivations, Not Just Compliance

When undergoing a risk assessment, it’s also important that you, or the third party assessing you, take into consideration the modus operandi of the attacker. Prioritization is key in risk, and if you are attempting to mold your risk register around a compliance framework, you are only getting one piece of the pie. Compliance ≠ security. It’s necessary to avoid fines and fill out vendor assessments, but it doesn’t give an accurate depiction of your risk register.

In Summary

  • Prioritize your domains by criticality and weight your scores accordingly
  • Focus on the business’ financial impact
  • Don’t rely on averages
  • Decide your criticality based on what an attacker would be looking for

Keywords: cyber security, data breach, risk and resilience, risk management

Ran Shahor

Ran Shahor is the CEO and co-founder of HolistiCyber. He is a Brigadier General (Ret.) who founded the leading-edge cybersecurity program of the Israeli Defense Forces Intelligence branch. After 27 years of service, Ran had multiple leadership roles in the private sector. Prior to co-founding HolistiCyber, Ran was the founder and Co-CEO of Focal Energy (clean energy power plants). Before Focal Energy, Ran was a Managing Partner of Star Ventures, a global venture capital group. Ran started his career in the elite IDF special forces, which he also commanded. Ran received an LL.B. and an MBA from Tel Aviv University.
