By Cheryl McGrath
Vice President and General Manager – Canada
Optiv Security
Last month, I kicked off the new year with a column about cybersecurity and business risk. More specifically, how enterprise security teams need to move from a threat-centric approach to security (where they try to fight off every threat with technology), to a risk-centric approach (where security strategy and spend is built around the goal of reducing organization-specific risk, rather than in response to external threats).
I largely focused on the “why” in that column — explaining how building security programs around organization-specific risk is a superior approach to the failed threat-centric approach. There wasn’t enough space to address the “how” which is actually where most enterprises fall down. So, this time around, I’m going to answer the question “how” relative to risk transformation.
First, a quick review: why have many cybersecurity efforts to date failed to reduce enterprise risk? Because cybersecurity, as a discipline, has evolved in a reactive way. Where for every new threat, there was a new threat-fighting technology to deploy. Meanwhile, IT infrastructure expanded from a centralized, on-premises model, to a wildly distributed one where components like cloud, mobile and internet-of-things have greatly expanded enterprise attack surfaces. Concurrently with these trends, attacks like ransomware crossed the Rubicon from “annoying but survivable” to “existential threat,” and suddenly cybersecurity has become a major part of the enterprise risk discussion, alongside traditional topics like supply chain resilience, litigation exposure, insurance, regulatory compliance, etc.
However, because cybersecurity has evolved with a “one technology for every threat” approach, it is based on a paradigm of technology first, followed by people and (in a distant third place) process, rather than the traditional (and proper) people, process and technology. This is why we see security staffs stretched ridiculously thin by the management requirements of complex — their lives are dictated by the management needs of technology. And as for process, we’ve seen the rise of automation and orchestration to help streamline this management burden. However, in many cases, organizations are simply automating processes around the fundamentally flawed threat-centric security approach. In other words, they’re automating failure.
Building security around a risk-centric strategy is the antidote to this problem. Many security organizations today are trying to do this. They’ll conduct assessments of their programs and systems to understand where they have security and compliance gaps. However, when the assessments are over, they often slide back into “keeping the lights on” mode with managing infrastructure and putting out fires, so they never take the steps required to close the gaps. Nor do they conduct ongoing penetration testing and other assessments to understand where new gaps are opening. Often many organizations have no understanding if their investments and activities actually mitigate business risk, or if they’re simply fighting threats that aren’t really business risks.
The bottom line is — most security organizations simply do not have enough personnel to do everything they want to do, even when they know something should be a priority (like a compliance gap identified in an assessment). The root cause of this problem is the threat-centric approach to security — trying to boil the proverbial ocean by throwing technology at every threat. Taking a risk-centric approach reorganizes security strategy so that the program’s emphasis is on protecting the organization’s most critical assets — the assets that if breached, or otherwise compromised, would cause significant damage to the organization’s bottom line. Leading-edge security programs are moving to this model, and they’re doing it through a systematic approach:
- Building an enterprise risk model, so they can understand which assets and processes are most important to the business, and which are most likely to be attacked. This is a critical first step to getting out of the “protect against every threat” model, because it enables security organizations to prioritize operations and technology investment — and, obviously, a hotel chain will have different risks and priorities than an automobile manufacturer. So, their respective security programs should be optimized around their respective risk models.
- Implementing a program of ongoing assessments, so they always have a current view of their risk posture. Too many organizations believe “once a year” penetration testing is sufficient. However, in today’s dynamic of machine-generated attacks, nation state-backed industrial espionage and ever-changing IT environments (on premise, cloud, mobile, etc.), organizations must move from “annual checkups” to a system of continuous assessments.
- Rationalizing infrastructure so it maps to the risk model. Most organizations simply have too many tools in their arsenal, some of which may be redundant or delivering little value in the context of protecting against genuine risks to the enterprise. Rationalizing infrastructure in accordance with the enterprise risk model invariably results in simplified and easier-to-manage infrastructure, which then enables …
- Optimizing operations, so employees are focused on risk-centric activities, rather than simply “keeping the lights on” with the infrastructure. Operational strategy may include outsourcing routine functions to managed security service providers (MSSPs) or other partners, to further free up staff members to focus on more strategic activities.
- Building meaningful key performance indicators (KPIs), not only to make sure the security program is operating correctly, but also to make it easy for business leaders to understand the value of cybersecurity. At a time when cybersecurity has become a board-level issue, it is incumbent on security leaders to be able to report on their programs in a way that is easy to understand, and is focused on business risk mitigation, which is a topic that board members understand.
If there’s one thing that’s clear in cybersecurity, the threat-centric model simply doesn’t work. You need look no further than the data breaches gracing newspaper headlines to understand this as truth. Moving to a risk-centric model does work — and now that we’ve addressed the “why?” and the “how?”, only one question remains: what are people waiting for?