Risk-based security: Managing through the minefield

Cyber-attacks continue to grow more innovative and sophisticated. In today’s cyber age, a company’s reputation—and the trust dynamic that exists amongst suppliers, customers and partners—has become a very real target for cybercriminals and hacktivists.

The commercial, reputational and financial risks that go with cyberspace are real and growing. In the drive to become cyber resilient, organizations need to extend their risk management focus from pure information confidentiality, integrity and availability to include other risks, such as those to reputation and customer channels, and recognize the unintended business consequences from activity in cyberspace.

Increasing Regulation and Legislation

As pressure from regulatory compliance increases, Chief Information Security Officers (CISOs) must take a progressively integrated and holistic approach to information risk management. By implementing strong information security measures, the CISO is more likely to stay ahead of regulatory mandates.

There is no way to get around data privacy laws and regulations. Businesses must either comply or pay a stiff penalty. Few jurisdictions, if any, are alike in their regulations, privacy legislation, and fraud and breach prevention. Traditional information protection methods may be difficult to apply or useless when it comes to storing or harnessing data in the cloud. Unless you continuously monitor the rules, and put mechanisms in place to do so, you might be compromising not only your data but also your corporate responsibility.

Most governments have created, or are in the process of creating, regulations that impose conditions on the protection and use of Personally Identifiable Information (PII), with penalties for organizations that fail to sufficiently protect it. As a result, organizations need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and consequential loss of customers due to privacy breaches.

Different countries’ regulations impose different requirements on whether PII can be transferred across borders. Some have no additional requirements; others have detailed requirements. In order to determine what cross-border transfers will occur with a particular cloud-based system, an organization needs to work with its cloud provider to determine where the information will be stored and processed.

The Growing Mobile Landscape

The surge in personal mobile devices being used in the workplace—Bring Your Own Device (BYOD) and Bring Your Own Everything (BYOx)—has been widely documented. Gartner predicts that by 2016, two-thirds of the mobile workforce will own a smartphone and 40 percent of the workforce will be mobile. Furthermore, the variety of connected devices, usage contexts, mobile applications and cloud computing services adds even more complexity.

As the trend of employees bringing mobile devices, applications and cloud-based storage and access into the workplace grows, businesses of all sizes continue to see information security risks being exploited. These risks stem from both internal and external threats, including mismanagement of the device itself, external manipulation of software vulnerabilities and the deployment of poorly tested, unreliable business applications.

BYOx initiatives present considerable challenges, as does the widespread adoption of social media. Today’s CISO must embrace these technologies or risk being sidelined by those more agile. While safeguarding your organization’s data is of paramount importance, empowering employees to use their own devices, applications and cloud-based storage safely and flexibly is essential to better workplace productivity and competitiveness, as well as keeping workforce morale and talent retention high.

Cyber Security is a Board Issue

I’ve talked about increasing global regulation and legislation as well as the growing trend of mobile devices in the workplace. So what can organizations do to better prepare themselves?

Today’s CISOs need to take leadership and drive better engagement with the board. This starts by changing the conversation. They must translate the complex world of information security and information risk into understandable business issues and solutions. CISOs must also change their way of thinking and the resulting conversation, so that information risk can be considered alongside other risks that boards oversee.

The roles of executives in the C-Suite have undergone significant transformation over the past decade. Public scrutiny of business leaders is at an all-time high, in part due to massive hacks and data breaches. It’s become increasingly clear that in the event of a breach, the hacked organization will be blamed and held accountable. That means everyone in the C-suite is potentially on the chopping block.

There’s nothing like the threat of public humiliation to make executives pay more attention to the security measures protecting their organization’s assets, data, employees, and customers, right?

Awareness and engagement are finally expanding to meet the threats, but building a solid line of defense requires ongoing, strategic collaboration. When boards and CISOs engage and collaborate successfully, organizations are more likely to realize the benefits of their strategic initiatives. Effective engagement enables organizations to take advantage of the opportunities presented by cyberspace and today’s information technology while addressing the associated risks.

Managing Information Risk

Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach and it no longer provides the required protection. Cyber resilience requires recognition that organizations must prepare now to deal with severe impacts from cyber threats that are impossible to predict. Organizations must extend risk management to include risk resilience, in order to manage, respond to and mitigate any negative impacts of cyberspace activity.

Cyber resilience also requires that organizations have the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents. This means assembling multidisciplinary teams from businesses and functions across the organization, and beyond, to develop and test plans for when breaches and attacks occur. This team should be able to respond quickly to an incident by communicating with all parts of the organization, individuals who might have been compromised, shareholders, regulators and other stakeholders who might be affected.

Safeguarding Your Data

It goes without saying that business leaders recognize the enormous benefits of cyberspace and how the Internet, and today’s growing usage of connected devices, greatly increases innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, many have difficulty assessing the risks versus the rewards.

One thing that organizations must do in this day and age is ensure they have standard security measures in place. One example of guidelines would be the Information Security Forum (ISF) Standard of Good Practice (The Standard). The Standard is used by many global organizations as the primary reference for information security. It addresses the rapid pace at which threats and risks evolve and an organization’s need to respond to escalating security threats from activities such as cybercrime, ‘hacktivism’, BYOD, the Cloud, insiders and espionage. As a result, The Standard helps the ISF and our members maintain their position at the leading edge of good practice in information security.

Information Risk Assessment

To manage risk effectively, organizations, their boards, business units and information security functions all need to balance risk and reward. Impact assessment is a crucial part of assessing risk. Incomplete or inaccurate impact assessment undermines the organization’s ability to understand the risk it faces. Without understanding potential impact, organizations are likely to accept unnecessary risk or waste money on unnecessary mitigation. A clear view of impacts can be used to set the priorities and sequence for risk mitigation activity, such as controls, staffing levels and awareness programs.

The ISF recently introduced Information Risk Assessment Methodology version 2 (IRAM2). IRAM2 has many similarities to other popular risk assessment methodologies. However, whereas many other methodologies end at risk evaluation, IRAM2 covers a broader scope of the overall risk management lifecycle by providing pragmatic guidance on risk treatment. The IRAM2 risk assessment methodology can help businesses of all sizes: each of its six phases details the steps and key activities required to achieve the phase objectives, while also identifying the key information risk factors and outputs.

As information risks and cyber security threats increase, organizations need to move away from reacting to incidents and toward predicting and preventing them. Developing a robust mechanism to assess and treat information risk throughout the organization is a business essential. IRAM2 provides businesses of all sizes with a simple and practical, yet rigorous risk assessment methodology that helps businesses identify, analyze and treat information risk throughout the organization.

Using the ISF Threat Radar to Prioritize

Another supplementary material that is a favorite of mine is the ISF Threat Radar. The Threat Radar plots the ability to manage a threat against its potential level of impact, thus helping to determine its relative importance for an individual organization. It can also demonstrate any likely change that may happen over the period in discussion using arrows.

It is important to remember that it is neither possible, nor feasible, to defend against all threats. An organization therefore needs to look closely at its resilience: that is, what plans and arrangements are in place to minimize impact, speed recovery and learn from incidents, in order to further minimize impact in the future.

Further detail on cyber resilience is available in our report Cyber Security Strategies: Achieving Cyber Resilience.

The Need for a Cyber Resilience Team

Cyber resilience requires recognition that organizations must prepare now to deal with severe impacts from future cyber threats that cannot be predicted or prevented. Traditional risk management is insufficient to deal with the potential impacts from unforeseen activities in cyberspace. That’s why enterprise risk management must be extended to include organizational risk and cyber resilience.

To achieve this goal, I recommend that organizations establish a crisis management plan which includes the implementation of a formal Cyber Resilience Team. This team, made up of experienced security professionals including employees, investors, customers and others, will become the driving force behind your cyber security initiatives. The Cyber Resilience Team will be charged with ensuring that necessary communication takes place between all relevant players, and making sure all facts are determined for each incident in order to put a comprehensive and collaborative recovery plan in place.

Today’s most successful and cyber-resilient organizations are appointing a coordinator, such as a Director of Cyber Security or a Chief Digital Officer (CDO), to oversee all activities in cyberspace and to apprise the board of its responsibilities for operating in cyberspace. This coordinator also highlights the board’s obligations to establish cyber resilience programs that protect the organization’s assets and preserve shareholder value. Such efforts are especially important due to all of the legal facets of doing business in cyberspace.

Place an Emphasis on Cyber Resilience

Businesses operate in an increasingly cyber-enabled world and traditional risk management just isn’t agile enough to deal with the risks from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparedness, that assesses the threat vectors from a position of business acceptability and risk profiling.

In preparation for making your organization more able to manage the security minefield, here are a few steps that businesses should implement to better prepare themselves:

  • Re-assess the Risks to Your Organization and its Information from the Inside Out
  • Change your Thinking About Threats
    • Adopt a Risk vs. Reward Mindset
  • Revise Cyber Security Arrangements
    • Embed security in Business Unit Plans
    • Define an Approach for Managing Data Accessed on Mobile Devices and in the Cloud
  • Focus on the Basics
    • People and technology
  • Prepare for the Future
    • Be ready to provide proactive support to business initiatives in order to
    • Think Resilience Not Security
    • Help Your Organization Understand How to Respond to Regulators and Data Subjects

Organizations have varying degrees of control over today’s ever-evolving security threats. With the speed and intricacy of the threat landscape changing on a daily basis, far too often we’re seeing businesses being left behind, sometimes in the wake of both reputational and financial damage. Organizations of all sizes need to take stock today to ensure they are fully prepared and engaged to deal with these ever-emerging security challenges.