Think about the rate of change in your business, its use of technology and the threat landscape compounded together. With the resulting change in threat means, motives and opportunities it’s no surprise that some organizations are increasing their frequency of risk assessments from annually to quarterly or even monthly. That being said, there is still trepidation in implementing true threat-based risk management. What is driving this inaction? We see a combination of controls fixation and lack of emphasis on inherent risk discussions with business stakeholders. The result is a lack of traceability between security recommendations and business goals and that’s not good for anyone! In this blog we will discuss each component of the challenge and take it to the bottom line.
How do some risk frameworks miss the point?
Many approaches to risk management leave security practitioners describing risks as missing controls. This comes from relying solely on a controls framework as the way to baseline controls. Other times, cyber risks are classified (via a framework or taxonomy) by type of event. The latter approach is closer to your business impact scenarios, but if you don’t approach it right it can still yield a wish list of missing capabilities instead of attack scenarios involving threats and business targets. Also, beware that the taxonomy or categories of risks may not completely cover your organization’s products, services, people, and customers. You must think of your organizational assets through the eyes of an attacker motivated by crime, espionage, hacktivism and even warfare.
Business Continuity may actually be doing a better job of analyzing business-impacting risks, but its focus on availability may lead security practitioners to believe they need to start from scratch. Leveraging your Business Continuity risk assessment and business impact analysis can be a great jumpstart to your cyber-risk assessment processes. Working together improves overall organizational prioritization of remediation activities.
Why are top risks deduced from inherent and residual risks?
Leveraging a taxonomy that makes sense for YOUR organization and populating a risk register with those worst-case scenario attacks should allow the business to chime in on which are most unacceptable given the operations and strategy of the organization. Before jumping in and looking at controls, use the inherent ratings as a “filter” to decide which scenarios get a deeper-dive assessment. You can also tune your IT governance processes (e.g. solution reviews, change control) to focus on changes in and around those sensitive parts of the enterprise architecture.
From here you can identify the controls that matter most. The more you do this, the more you’ll see which controls are most key (the 80/20 rule of management) and HOW those controls should be architected (where, when, why). You’ll also look for controls that could be improved or added to address most risk scenarios, with a better view of project specifications and return on investment.
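As an added example (not the post's own material), here is a small Python risk register that follows the steps above: attack scenarios rated inherently with business stakeholders, the inherent rating used as the filter, then controls assessed for the residual rating and for how many top scenarios each one addresses. The 1..5 scales, the control names and their effects are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed ordinal 1..5 scales for likelihood and impact; the post prescribes no particular scale.
@dataclass
class Risk:
    statement: str                 # threat actor + target + business impact, in the post's style
    likelihood: int                # inherent likelihood (1..5), agreed with business stakeholders
    impact: int                    # inherent impact (1..5)
    controls: List[str] = field(default_factory=list)  # catalog controls that address this scenario

# Constructed catalog (hypothetical names): name -> (likelihood steps, impact steps) removed when in place
CATALOG: Dict[str, Tuple[int, int]] = {
    "mfa_internet_facing_auth": (2, 0),
    "dmz_anomaly_monitoring": (1, 1),
    "exfil_dlp": (0, 1),
    "offline_backups": (0, 2),
}

# Constructed risk register: worst-case attack scenarios, each naming a threat, a target and an impact
REGISTER: List[Risk] = [
    Risk("Nation-state steals personally identifiable enrollment data through internet-facing "
         "authenticated systems", 4, 5, ["mfa_internet_facing_auth", "dmz_anomaly_monitoring", "exfil_dlp"]),
    Risk("Criminal group ransoms the enrollment platform, halting registrations", 3, 5,
         ["dmz_anomaly_monitoring", "offline_backups"]),
    Risk("Hacktivist defaces the public marketing site", 3, 2, ["dmz_anomaly_monitoring"]),
    Risk("Insider leaks an internal newsletter with no sensitive content", 2, 1, ["exfil_dlp"]),
]

def inherent_score(risk: Risk) -> int:
    return risk.likelihood * risk.impact

def top_inherent(register: List[Risk], threshold: int = 12) -> List[Risk]:
    """The inherent rating is the filter: only scenarios at or above the threshold get the deep dive."""
    return sorted((r for r in register if inherent_score(r) >= threshold), key=inherent_score, reverse=True)

def residual_score(risk: Risk, catalog: Dict[str, Tuple[int, int]], in_place: Set[str]) -> int:
    """Residual rating after the controls that are actually in place and relevant to this scenario."""
    lr = sum(catalog[c][0] for c in risk.controls if c in in_place)
    ir = sum(catalog[c][1] for c in risk.controls if c in in_place)
    return max(1, risk.likelihood - lr) * max(1, risk.impact - ir)

def control_coverage(top_risks: List[Risk]) -> Dict[str, int]:
    """How many top inherent scenarios each control addresses: the 80/20 view of which controls matter."""
    coverage: Dict[str, int] = {}
    for r in top_risks:
        for c in r.controls:
            coverage[c] = coverage.get(c, 0) + 1
    return dict(sorted(coverage.items(), key=lambda kv: kv[1], reverse=True))
```

Running `residual_score` on the nation-state scenario with only `exfil_dlp` in place versus with the DMZ and authentication controls in place shows the same shift in priorities the post describes: the controls around the internet-facing interfaces move the rating far more than exfiltration analysis alone.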
How does this tie you into your business objectives?
Like business continuity, the taxonomy or risk categorization is critical and unique to your combination of services and assets; in other words, it is specific to your organization and security posture.
You should self-assess your level of maturity by how closely to business objectives you’re writing your risks. Ideally, the business tells you the inherent risk and you establish the likelihood, impact, inherent and residual risks.
TEST: Which of these is a risk statement?
- Configuration Management is not implemented
- Threat Intel Alert: An actor is motivated to attack my sector
- We have a vulnerability in this software
- A nation-state steals personally identifiable enrollment data through internet-facing authenticated interfacing systems.
Hint: both business and IT stakeholders must be able to relate to a risk statement.
If you focused on the 4th statement as one of your most inherently damaging and most likely to occur, then you may think very differently about your control priorities. Perhaps your SOC operations should be spending a proportional amount of time looking at DMZ-based anomalies rather than spending 100% of their energy on exfiltration analysis.
Inherent risk assessments are the first step towards identifying an organization's critical business risks and focusing the composition of your key security controls. Control assessments are fundamental to assessing residual risks and evaluating your overall security posture within the business context.
This approach also adds value for reporting to the Board of Directors (BOD) and other regulatory and business stakeholders. Consider the guidance shared by the National Association of Corporate Directors in 2015 regarding details involved with deducing top risks.
Source: Sky Chat IT Blog