Cybersecurity is an important business issue that, in theory, every executive wants to prioritize. Much of the practical difficulty arises because so many organizations take an outdated approach to their cybersecurity protocols.
Currently, the lion’s share of organizations operates under a maturity-based cybersecurity approach that seeks to monitor everything constantly. A maturity-based model applies the same degree of monitoring and control over every asset an organization has. As a result, costs grow prohibitive as business assets grow.
As the amount of data companies gather continues to increase, this means cybersecurity protocols become bloated and bog down application development teams.
A risk-based approach is the solution to this problem. By adopting a risk-based stance, organizations can classify which of their assets represent the highest risk if compromised, and prioritize resources accordingly. It's a more flexible and smart strategy in an era where attackers are becoming increasingly nimble and sophisticated.
McKinsey & Company reports that most risk managers at large organizations are flying blind when it comes to evaluating their cyber resilience due to bloated reporting processes and overly complicated reporting tools. Here's how organizations can implement a risk-based approach to their cybersecurity controls.
Fully embed cybersecurity in the risk management framework
A common mistake organizations make is to inadvertently separate their cyber risk framework from general business risk management. Such a situation occurs due to cyber risk being classified as an IT project or as something that belongs to the technology department.
With data shared across every part of the organization, technology and cybersecurity cannot be treated as a standalone function. Cybersecurity and cyber risk assessment have to be embedded in the DNA of the organization.
Many organizations have programs that aim to do this. They conduct security training for their employees and look to build awareness of cyber risks amongst them, but in many cases, such programs don't have lasting effects.
As long as the focus is on increasing awareness, your company's culture will never come to accept cybersecurity as a part of everyday operations. Instead of focusing on increasing awareness, focus on changing employee behavior. Conduct collaborative workshops and fire drills that emphasize the risks your organization actually faces.
Such an approach demystifies cybersecurity and embeds it into everyday risk management protocols.
Connect high-value processes to risk assessment
Every business has certain processes that are more valuable than others. For example, in the case of a financial services firm, loan origination is a source of huge value. However, it also poses a significant risk if data is compromised. Data leakages originating from this process could cripple the entire organization.
Your cybersecurity team should regularly talk to business executives to figure out which processes are of the highest value and how vulnerable your organization is to an attack on them. Create an enterprise risk map of the highest value processes and the risk levels they pose. Some high-value processes might not pose much risk, while others might pose an enterprise-level risk.
Work through all of the processes within your business units in this way to figure out which assets pose a high risk and have a high value. Those assets or processes must be prioritized when it comes to threat detection and mitigation. It's also important to map the dependencies of those processes.
For example, which teams are connected to the process? Do these processes depend on third-party input?
Explore the vulnerabilities of those constituent parts since your highest-value assets depend on them. Create a risk priority list to help you understand which threats deserve the highest and swiftest response.
Map vulnerabilities and threats
Once the asset priority list has been created in the previous step, it's time to take a deep look at the vulnerabilities each asset has. Explore the known vulnerabilities of every system involved in the process. For example, you might be storing data related to a process on a legacy database and transferring that data to another process.
The legacy DB will have a known set of vulnerabilities that you'll need to guard against. Often, a modern application will draw important data from a legacy system. The legacy system won't show up on your list of priority assets, but a vulnerability scan will reveal the dependency your valuable asset has.
By combining your risk-based asset list with the vulnerability map, you'll be able to design effective security controls and processes. Remember to include business input when identifying vulnerabilities. Certain processes might not rank high on a list of technical vulnerabilities, but the business process behind them might still expose you to threats. Such an exercise also brings everyone in your organization onto the same page.
Security deserves to be communicated in an easily understood, accessible language.
Adopt a philosophy of continuously monitoring your threat landscape instead of relying on one-off tests alone. You should combine both approaches to form a robust security framework that reduces your risk of attack.
Monitor and track the right metrics
Many organizations track KPIs that measure the degree of completeness in a project. Instead, you need to measure the degree to which your risk has decreased. Stop relying solely on KPIs and instead start thinking of linking them to key risk indicators or KRIs.
For example, you could implement a data loss prevention program as part of your cyber risk reduction initiatives. A KPI could measure the degree to which the initiative has been implemented across your organization. A KRI could measure the number of most-critical assets that are covered by the program.
Assuming the requirement is 100% and the KRI is 90%, this indicates that your organization is still at risk, even if the KPI indicates a high value.
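The dependency mapping described under "Connect high-value processes to risk assessment" and the KPI-versus-KRI comparison above can be made concrete in a small risk-register script. This is an added example, not code from the article: the asset inventory, the 1-to-5 value scale, the criticality threshold and the DLP coverage flags are all constructed assumptions.

```python
from dataclasses import dataclass, field

CRITICAL_THRESHOLD = 4  # effective value at or above this counts as a most-critical asset

@dataclass
class Asset:
    name: str
    business_value: int          # 1 (low) .. 5 (high), supplied by business owners
    depends_on: list = field(default_factory=list)
    dlp_covered: bool = False    # in scope of the data loss prevention program?

def effective_values(assets):
    """Propagate value down the dependency graph: an asset is worth at
    least as much as the most valuable process that depends on it."""
    ev = {n: a.business_value for n, a in assets.items()}
    changed = True
    while changed:                       # iterate to a fixpoint; safe with cycles
        changed = False
        for a in assets.values():
            for dep in a.depends_on:
                if ev[dep] < ev[a.name]:
                    ev[dep] = ev[a.name]
                    changed = True
    return ev

def kpi_rollout(assets):
    """Completeness KPI: share of all assets the DLP program covers."""
    covered = sum(a.dlp_covered for a in assets.values())
    return round(100 * covered / len(assets), 1)

def kri_critical_coverage(assets):
    """Risk KRI: share of most-critical assets covered, plus the named gaps."""
    ev = effective_values(assets)
    critical = [a for a in assets.values() if ev[a.name] >= CRITICAL_THRESHOLD]
    gaps = [a.name for a in critical if not a.dlp_covered]
    pct = round(100 * (len(critical) - len(gaps)) / len(critical), 1)
    return pct, gaps

# Constructed inventory (not from the article): a loan process that pulls
# data from a legacy ledger the DLP program has not been extended to.
INVENTORY = {a.name: a for a in [
    Asset("loan_origination", 5, ["customer_db", "legacy_ledger"], True),
    Asset("customer_db", 4, [], True),
    Asset("legacy_ledger", 2, [], False),   # low own value, inherits 5 from the loan process
    Asset("hr_portal", 3, [], True),
    Asset("marketing_site", 1, [], True),
    Asset("dev_wiki", 1, [], True),
]}

if __name__ == "__main__":
    print("KPI rollout:", kpi_rollout(INVENTORY), "%")          # 83.3 %
    pct, gaps = kri_critical_coverage(INVENTORY)
    print("KRI critical coverage:", pct, "% uncovered:", gaps)  # 66.7 % ['legacy_ledger']
```

The KPI reports the program as largely rolled out, while the KRI shows that one third of the most-critical assets, the inherited-criticality legacy ledger among them, is still unprotected.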
Brainstorm metrics that measure risk, instead of completeness or coverage, and you'll be thinking in terms of enterprise risk.
Reduce risk and build resilience
Given the pace with which malicious activity is increasing, every organization must prepare itself for an eventual attack. Classifying your cybersecurity processes based on risk is the best way to prioritize your response and react quickly when you're under attack.
You'll reduce enterprise bloat and will protect what is most important to your organization.