Businesses today face an ever-growing array of threats to the security of their critical data and IT assets. From sophisticated cyber attacks to unintentional data exposure to environmental threats, the list of potential causes of harm is endless. Understanding which threats pose the greatest likelihood of doing damage to the business can be challenging. A threat assessment team can assist business leaders in sifting through this information and prioritizing security initiatives that will help ensure the business does not become the next security breach headline.
A threat assessment team is a multi-faceted group that’s capable of not only identifying where an organization’s infrastructure is vulnerable, but also providing valuable context about the links between those vulnerabilities and various threat types. Assessing threats requires an understanding of the business landscape, the ability to identify vulnerabilities, knowledge of current threats, and the creativity to predict new threats. Establishing such a team requires careful planning and a methodical approach.
The first step in building a threat assessment team is to define the roles of the team itself. For example, consider the scope of the team’s responsibilities. Evaluate whether the team will need to perform vulnerability assessments itself, or whether other areas of the organization that may already be responsible for this function can be leveraged. Determine the level of reporting and recommendations you expect from the team. Decide whether the team should be responsible for tracking the organization’s progress toward those recommendations, or if you want another existing group to manage this function. A clear charter that defines these roles and responsibilities is the foundation that will ensure the team’s effectiveness.
Understanding the roles and responsibilities of the threat assessment team will then allow business leaders to determine the proper placement of the team within the organizational structure of the business. Planners should consider how the reporting structure of the team will impact its ability to effect change within the business. Organizations should avoid a management reporting structure that could lead to conflicts of interest (such as reporting through the IT group). The general rule of thumb is that leaders of the threat assessment team should report to a high enough level of management to ensure proper accountability for implementing recommendations across the organization.
Leaders should also consider how the threat assessment team should interact with other areas of the business. For instance, if the team will leverage an existing Risk Management or Audit team, then closer organizational alignment could help make those interactions more efficient. The ability to gather information from other business units within the company should also be taken into account. Since it’s essential that the threat assessment team has a solid understanding of the business as a whole, its interaction with asset owners and operational areas will be important to its success. Therefore, it is important that the team’s placement within the organizational structure maximizes its ability to work with those areas. Ultimately, the higher the team is elevated within the organizational structure, the greater the breadth of interaction it will achieve across key business areas.
Assembling the Team
After the roles, responsibilities and reporting structure for the threat assessment team have been defined, attention can be turned to identifying the individuals who will make up the team. Choosing the right person to lead this new initiative will be one of the most influential decisions affecting the team’s success.
A background in security is absolutely essential for the team leader. Since this leader will be responsible for defining and deploying a program that’s not a part of the current business model, previous experience implementing information security programs should be prioritized. Because the position will likely have a great deal of interaction with C-Level executives, someone with a high level of management experience and proven ability to work and perform successfully in such a role should be targeted. In particular, internal candidates may prove to be more valuable for this role since they typically have an existing understanding of the business and relationships with leaders across the organization. This particular advantage should be weighed heavily if comparing internal and external candidates.
When considering skilled team members for the threat assessment team, there is no one blueprint or set of credentials that can be followed. In fact, having one static set of criteria for candidates on such a team should be avoided. Ideally, a threat assessment team should be staffed with individuals who have a broad range of backgrounds and specialties. Experienced programmers, network engineers, penetration testers, security professionals and business analysts should all be considered as possible contributors. The goal here is to build a team with wide-ranging expertise. Both technical skills and business knowledge should be represented throughout the team. Individuals within the team should be able to draw upon the expertise of their peers and integrate that with their own experiences and knowledge.
The best potential candidates should also demonstrate a great deal of creativity. Threat assessment is not a task that can be performed simply by following a checklist. Rather, the analyst needs to be capable of seeing relationships between many pieces of information at a highly abstract level. An inquisitive nature can also be a great asset in a potential candidate. Look for the “tinkerers,” the types of people who like to take things apart to understand how they work. This curious nature is valuable when it comes to developing a deeper understanding of potential vulnerabilities and identifying how they may be exploited by potential threats.
It is also important to ensure that members of the team have solid communication skills, both oral and written. Members of the team will be making recommendations on how the business should address key threats. These recommendations need to be presented in a persuasive and professional manner. Depending on the overall size of the team, it may be possible to consolidate communication into a discrete role within the team. The important thing here is that the team’s expert opinions are presented to management and other areas of the organization in the most effective and comprehensive manner possible.
As the team begins to take shape, work should begin to develop the methodology that will drive the team’s activities. There are many aspects of the threat assessment process that will need to be defined. Begin by looking at the internal aspects of the team. Look at ways the team can stay up-to-date with emerging threats and attack vectors. Identify key sources of information – these could include news feeds, security alert subscriptions, publications and blogs. Develop processes by which this information is reviewed and distributed to all members of the team.
Keeping the team current with changes occurring within the business is also imperative. Analyze ways the team can be notified of new deployments, changes or updates to existing infrastructure, etc. If the organization has a formal change management process, for instance, consider how the team can be integrated with those procedures. Focus on ways the team can be notified in a proactive fashion, rather than relying on discovery through assessment activities.
Outline how the team will handle communication of emerging threats that impact the business – and to whom this information should be distributed. Factors to be addressed include:
• Determine whether updates should be provided on a regular basis or as new threats are discovered.
• Define a format that will be used for communicating new or updated threats.
• Describe a formal procedure for ranking various threats.
• Implement a process by which highly critical new threats can be communicated in an immediate manner.
• Consider who should receive regular threat updates and critical threat alerts. Too large a list can become unmanageable and cause confusion, while too small a list can result in ineffective communication and slow response.
Finally, as the methodology becomes well defined, develop the necessary standards and policies within the organization that will support the implementation of the team’s methodology. Ensure that existing policies and standards are reviewed and updated as needed to integrate the threat management team into current processes. Communicate the new and updated standards and policies to ensure they are adopted across the organization.
While it requires careful planning and a methodical approach, building a threat assessment team is a valuable program for any business. The primary goal of a threat assessment team is to provide management with a clear view of how various threats could impact the organization. This allows the business leaders to properly prioritize security strategy to address the most critical threats. As a result, the company will be better able to respond effectively to the growing variety of threats to business assets and data.