Cybersecurity starts with the ability to recognize your cyber risk. We will explore several topics related to taking a practical approach to managing risk and achieving cyber resilience. This is a blog series with collective thoughts from Bindu Sundaresan, Director AT&T Cybersecurity, and Nick Simmons, AVP, Cybersecurity.
Cybercrime has become increasingly frequent, complex, and costly, posing a risk to all businesses regardless of size. How do you plan to respond when falling victim to a breach? Would you know who to call, how to react, or what to tell your employees, customers, and media? Could your organization absorb the potential financial and reputational impact of a lawsuit?
The answer cannot be, "we store everything in the cloud, so we are good." Who owns the risk? Could your brand's image survive? What is acceptable, and how do you know your current plan will suffice? What more could your company do to understand better and manage the risk? These questions are all top of mind and need to be addressed from an overall business perspective. This blog summarizes the fundamental steps and offers suggestions to understand, manage, and respond to risk.
Beyond technology, focus on risk and resilience
It can be easy to deploy security technology and think you've mitigated risk to your business. Unfortunately, technology investment is no guarantee of protection against the latest threats. It is critical to take a risk-based approach to security, meaning leaders must identify and focus on specific elements of cyber risk to decrease enterprise risk.
Specifically, the many components of cyber risk must be understood and prioritized for enterprise cybersecurity efforts. Organizations are increasingly aiming to shift from cybersecurity to cyber resilience, and the following recommendations can help forge this path:
- Understand the threats
- Measure the potential financial impact of cyber exposures compared to the company's risk appetite level; and
- Proactively manage cyber risks with clear action plans based on their capabilities and capacities to protect against cybercrime
Cyber resiliency requires a risk-based approach, accomplishing two critical things at once. First, it designates risk reduction as the primary goal, enabling the organization to prioritize investment, including implementation-related problem solving based squarely on a cyber program's effectiveness at reducing risk. Second, the program distills top management's risk-reduction targets into pragmatic implementation programs with precise alignment from senior executives to the front line.
Following the risk-based approach, a company will no longer "build the control everywhere"; rather, the focus will be on building the appropriate controls for the worst vulnerabilities to defeat the most significant threats that target the business' most critical areas. The risk-based approach to cybersecurity is thus ultimately interactive and a dynamic tool to support strategic decision-making.
Focused on business value, utilizing a common language among the interested parties, and directly linking enterprise risks to controls, the approach helps translate executive decisions about risk reduction into control implementation. The power of the risk-based approach to optimize risk reduction at any level of investment is enhanced by its flexibility, adjusting to an evolving risk-appetite strategy as needed.
A risk-based approach recognizes that there are no perfect security solutions. Still, those that strategically balance security, scalability, access, usability, and cost can ultimately provide the best long-term protection against an evolving adversary.
Fundamentally, risk transformation changes security strategy from an outside-in perspective, where external threats and regulations drive strategy, to an inside-out perspective, where organization-specific business risk dictates security strategy and spending.
Identify your top five risks based on priority
- Can you describe the actual loss impact in business terms for each of your top five risks?
- How are these cyber risk impacts aligned to your risk appetite?
- Are you reporting on cyber risks, or is it compliance-driven with reporting on control effectiveness?
- Have you considered how you plan to deal with the current and emerging risks and treat these risks on an ongoing basis?
A common business edict is: "if we can measure it, we can manage it." GRC (Governance, Risk, and Compliance) is expected in security, but a compliance focus has driven most organizations, and spending has been primarily compliance driven. Along the way, too many risk assessments have been conducted with a checklist approach. As you plan for the 2023 cybersecurity budget, it is critical to follow a strategic approach by understanding cyber risk management frameworks.
To borrow a phrase, “If not us, then who? If not now, then when? by John Lewis.
Balance risk versus reward
The key is to balance risks against rewards by making informed risk management decisions aligned with your organization’s objectives — including your business objectives. This process requires you to:
- Assign risk management responsibilities
- Establish your organization’s risk appetite and tolerance
- Adopt a standard methodology for assessing risk and responding to risk levels; and
- Monitor risk on an ongoing basis
Understanding cyber risk management frameworks
Cyber risk management frameworks present a standardized and well-documented methodology for:
- Conducting risk assessments that evaluate business priorities and identify gaps in cybersecurity controls
- Performing risk analysis on existing control gaps
- Prioritizing future cybersecurity investment based on risk analysis
- Executing on those strategies by implementing a range of security controls and best practices
- Measuring and scoring cybersecurity program maturity along the way
What is a Risk Assessment?
Cyber risk assessments are defined by NIST as risk assessments used to identify, estimate, and prioritize risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. The primary purpose of a cyber risk assessment is to keep stakeholders informed and support proper responses to identified risks. They also provide an executive summary to help executives and directors make informed decisions about security.
Despite their apparent importance, many organizations choose not to conduct cyber risk assessments due to the perceived complexity and minimal value. Instead, many will implement standard security controls in response to the risks they read or hear about. This typically leaves businesses exposed to an unbalanced security program focused on the wrong priorities.
Although the voluminous cyber risk assessment standards and frameworks can be dizzying, they're beneficial as guidelines to form a simple starting point. Organizations can create a feasible approach, basing the approach on their structure, culture, and risk profile. For example, NIST 800-30 includes simple risk assessment templates in the appendices. Four general steps are consistent throughout any risk assessment, irrespective of the framework adopted: preparation, assessment, communication, and maintenance.
The following tactical activities are recommended as a focus for risk management and resilience:
First, we must understand what we are protecting. Unless you know your IT assets and how important each is to your organization, making strategic decisions about IT security and incident response is almost impossible. You can't protect what you don't know you have. Perhaps that seems obvious, but if you do not have an asset inventory or your asset inventory is not managed and updated, you risk not knowing what is connected to your network.
The ability to track and audit your inventory is a baseline requirement for most security standards, including the CIS Top 20, HIPAA, and PCI. All these standards have an element of risk assessment required of organizations. And if you perform a documented risk assessment, you'll need to understand your threats, vulnerabilities, and assets.
Information security policy
It is okay to start by writing down what you have implemented in your IT environment. Take the implemented policies, and then write them into a document. If, when compared against a target standard, the practice does not meet the standard, it can be modified in both the written and the implemented policy.
To be effective, an information security policy should:
- Focus on the business goals and strategy
- Cover end-to-end security processes across the organization
- Include continuous updates and monitoring; and
- Promote accountability and enforcement
Prioritize vulnerability remediation
Companies won't be able to fix all vulnerabilities for various reasons. For example, having limited resources and patching is not always possible. Therefore, discerning critical vulnerabilities from non-critical ones becomes imperative. Information security teams must be able to delimit and make pragmatic decisions to make vulnerability management more manageable. In this regard, companies must use internal and external intelligence sources to prioritize vulnerabilities. These should be correlated with internal sources, such as business importance, security posture, risk registers, change management systems, CMDBs, and Pentest data.
The risk associated with the Patch Management discipline has significantly increased over the last three years. The number of critical vulnerabilities in our operating systems, applications, and network appliances in the previous twelve months has shown that patch management will continue to haunt organizations due to the sheer scale of systems and the number of patches required every month. Automated patch management solutions can reduce the effort needed and need to be managed to ensure no interruption of critical services.
Incident response plan
An incident response plan must identify those individuals responsible for invoking the plan and leading the response to any data security incident. It should identify one person (or a cohort of people, such as a security incident response team) who is accountable for leading the response and clearly defined roles and responsibilities for all other response team members. Once a plan is crafted, tabletop exercises can crystalize team members' respective roles, hone the necessary skills to navigate an incident, and facilitate teamwork in the wake of an incident.
Be sure to create rigorous backup and disaster recovery plans that are tested and refreshed regularly; this will be key for survival, given the heightened threat of ransomware attacks.
The goal of incident management is to identify and respond to any unanticipated, disruptive event and limit its impact on your business. These events can be technical — network attacks such as denial of service (DoS), malware, or system intrusion, for example — or they may result from an accident, a mistake, or a system or process failure. Today, a robust Incident Response Plan is more important than ever. The difference between a mere inconvenience and a total catastrophe for your organization may come from your ability to detect and assess the event, identify its source and causes, and have readily available solutions.
Transferring a portion of the risk is critical to any cybersecurity risk strategy. As the threat landscape evolves, obtaining new insurance and renewing existing policies has become increasingly difficult. The rise in ransomware attacks and cybersecurity claim payouts are vital contributors. Organizations must prove due diligence in today's environment by implementing proper controls, plans, and measurements of security controls commensurate with risk.
Key controls include the following:
- Endpoint detection & response
- Email filtering & web security
- Secured, encrypted & tested backups
- Vulnerability & patch management
- Privileged access management & access control
- Infrastructure & Segmentation
- Continuous monitoring
- Penetration testing
- Incident response planning & testing
- Employee awareness training, phishing, & social engineering
Cyber insurance has become popular as a cyber-risk mitigation measure. Although insurance is a lucrative option to cover cyber risks, businesses must understand that insurance premiums are directly proportional to their cyber security preparedness. Organizations need to review their policy to confirm specific coverage for ransomware, as many providers have separated this from the standard language.
Take the necessary steps to prevent, detect, and respond, with insurance being the final step to reduce overall risk to an acceptable level. Cyber insurance can complement an organization’s active security measures by providing insurance coverage. However, cyber insurance cannot offer you coverage for a reputation risk to your brand.
Cyber risks are impossible to eliminate, resources are finite, risk profiles are ever-changing, and getting close to secure is elusive. The current level of security and privacy controls that effectively reduce cyber risk to an acceptable level today will inevitably become inadequate in the future – even sooner than many may realize.
It is a truism that different types of risk require different defensive strategies. The more specific idea is that defensive measures should be proportionate in cost to the potential harm that may be suffered through a data breach and the likelihood of that breach occurring. The key is to balance risk and reward.
Risk management is at a fascinating point in its evolution. It is recognized as fundamental to an organization's financial stability and regulatory compliance and an essential part of the cybersecurity strategy. Defining the best security measures can be difficult because each organization has different goals, requirements, and risk tolerance. All organizations need to assess what they have in place today, review where they want to be in the future, and build a roadmap to help them reduce risk as their business expands.