Imagine you’ve been tasked with building a pyramid. The particular building materials and tools have been selected, block-carving systems and block-laying operations are being implemented, there’s an assessment process in place to ensure that the pyramid’s blocks are properly aligned, the general contractor is ready to authorize the various batches of work, and the project champion and contractor are monitoring the details of the project.

Suddenly, someone yells, “What about all of the preparatory activities?” Has the project identified key roles and responsibilities? Has the risk tolerance been specified, and a risk strategy selected (e.g., uneven or damaged blocks)? Was there a risk assessment conducted prior to all of this building activity (e.g., shifting sands)? Is there a continuous start-to-finish monitoring process in place?

This example helps us understand just how significant the preparation step of risk management really is.

In December 2018, the National Institute of Standards and Technology (NIST) officially unveiled revision two of its Risk Management Framework (RMF). In the accompanying press release, NIST pointed to changes that make the RMF more useful for organizations that are putting it into practice, specifically to improve communication and governance of cyber risks, to integrate privacy risk into the RMF process, and to “institutionalize” essential risk management activities throughout the organization to improve the value delivered by the risk management process. How did NIST accomplish these improvements? With the addition of a new seventh step: Prepare.

In its justification for the new step, NIST stated that it was needed to “achieve more effective, efficient, and cost-effective security and privacy risk management processes.” Let’s explore what the Prepare step entails, who is responsible for it, and what benefits organizations can expect from going through the additional step.

Prepare: A New, Critical Step in the NIST RMF

The Prepare step ensures that high-level and essential umbrella risk management activities are carried out to guide the rest of the steps and derive better value out of the risk management process. In particular, the Risk Management Framework states that the Prepare step improves communication between senior IT/security/privacy leaders and top executives, both at the mission/business (strategic) level and the system owners (operational) level.

NIST further commented that the new step helps reduce complexity by identifying and eliminating risk management activities that don’t effectively impact security and privacy risk. This is accomplished by identifying, prioritizing and focusing on high value assets (HVAs), and by deploying appropriate risk mitigation measures. For NIST, the Prepare step is key to consolidating, optimizing and standardizing risk management controls across both IT and operational technology (OT) infrastructure.

Who should be involved in the Prepare step? In an accompanying document, NIST specified the key responsibilities of the head of agency, the chief information officer (CIO), the risk executive, and both the security and privacy officers. These range from overseeing the entire risk management process to monitoring and reviewing the effectiveness of the process and the controls implemented.

Key Tasks and Outcomes

The value that the Prepare step provides becomes clear once we look at the list of tasks and outcomes that it comprises. We’ll focus on a subset of those key tasks and outcomes to highlight their particular relevance and value.

  • Risk Management Roles (P-1) — This particular task ensures that the organization has properly identified key individuals and specified their roles and responsibilities in the risk management process. This includes reviewing and dealing with potential conflicts of interest (e.g., one person in charge of a process and also auditing/authorizing that same process). This task connects with the NIST Cybersecurity Framework (CSF) governance (ID.GV) activity.
  • Risk Management Strategy (P-2) — At this point, the organization has specified its level of risk tolerance and has determined a particular strategy for the road ahead. This strategy should include the threats, assumptions, constraints, priorities and trade-offs that will be used when making business decisions and when determining which areas to invest in. This task connects with the NIST CSF risk management (ID.RM) and supply chain (ID.SC) activities.
  • Organizational Risk Assessment (P-3) — While the concept of risk assessments was already present in the previous RMF version, it was primarily focused on tactical and operational issues. The addition of an organizational-level risk assessment ensures that top leadership, the CIO, and the security and privacy officers are all on the same page. It also helps the organization with its prioritization efforts by focusing on high-value assets. This task connects with the NIST CSF risk assessment (ID.RA) activity.
  • Continuous Monitoring Strategy (P-7) — This task specifies how ongoing assessments will be performed and with what frequency. The goal is to move the organization closer to “near real-time risk management” to enable rapid and effective response to changes in the risk landscape or changes in the effectiveness of controls. This task connects with the NIST CSF continuous monitoring (DE.CM) element.

Begin Your Risk Management Process With Preparation

While NIST insisted that the steps in its framework do not have to be performed in order, it is clear that going through the Prepare step surfaces key decisions and parameters that are crucial to implementing an effective risk management process. In essence, the addition of the step helps elevate the value of the Risk Management Framework from tactical and operational to organizational and strategic.

For first-time NIST RMF adopters, the Prepare step is a logical, necessary place to start — at the top. For organizations that have already implemented an RMF-based process, be sure to add the Prepare step as part of your next iteration; you’ll get strategic value out of it.
