5. Mitigation of cyber risks
Risk mitigation is first and foremost a company decision-making process.

When the company opts to mitigate a risk, it does not need to be involved in the technical details. For transparency, however, the Fractional CISO must share with the company the criteria that guide the search for a solution:

a. An intervention on a risk aims to reduce it; it is very unlikely, if not impossible, that a risk can be eliminated entirely.

b. Risk mitigation can be pursued with different methods and/or tools, and often with a combination of them.

c. The cost of mitigation must not exceed the benefit in terms of risk reduction.

d. Mitigation tools inevitably introduce further complexity and may themselves suffer from design flaws and implementation errors; it is good practice to adopt only those that are strictly necessary.


It is important to know that risk mitigation can be of three types:

Administrative: policies and regulations, managerial and administrative controls, procedures, training, etc.

Technical/Logical: access control systems, encryption, hardware devices, software systems, etc.

Physical: locks, controlled access, sensors, cameras, alarms, etc.


The measures used to mitigate a risk are called controls; they can serve different purposes and are often complementary:

Preventive: security regulations and procedures, training, anti-malware systems, intrusion prevention systems, access control, screen lock, encryption, firewalls, etc.

Detective: monitoring, supervision, audits and checks, etc.

Corrective: backup and restore, anti-malware (quarantine and removal), Security Operations Center (SOC), etc.

Compensating: redundant systems (servers, devices, connections), etc.


The value at risk, the effectiveness of the controls and the cost of the controls are the criteria that guide the Fractional CISO and the company in choosing the right solution.