A logical objective for most security teams is to mature the organization’s security posture. More maturity means improved awareness, more precision, and therefore more security. But how do you get there in an efficient manner? How should you prioritize?
NIST provides a roadmap with its implementation tiers. As described by NIST, implementation tiers are intended to characterize the rigor of an organization’s risk governance and risk management practices. The goal of the tiers is to assist organizations in not only knowing what to do, but how to do it to be effective.
However, implementing many of the ideas and tactics articulated among the tiers has been difficult and cumbersome for most, hindering adoption. At Pellonium we believe that, with some refinement and clarification, the risk-based approach promoted through implementation tiers is not only feasible for most organizations, but an imperative given how digital infrastructure has become foundational for both growth and day-to-day operations.
What follows is an unpacking of the NIST definition for the highest tier of rigor, Tier 4: Adaptive. We use this definition as a backdrop to better define a maturing security program – one that can be operationalized given existing capabilities and resources. This refinement led us to build our unified security posture management platform – what we believe to be the missing piece that binds the security program together to enable an adaptive approach.
From the NIST definition of Tier 4: Adaptive:
There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.
An organization-wide approach requires seamless, efficient communication on what risks exist, and what is being done about them. However, there is daylight between how security thinks about risk and how the rest of the organization defines it. Basing risk on threats, vulnerabilities, and assets is foundational for how security gets done. However, such terms are not as core to how non-security audiences think about risk. As we discussed recently, the meaning of risk requires clarification, especially when working to engage and inform decisions around policies, processes and procedures that affect the overall business. Security must continue to evolve and align to the business given how digital infrastructure is foundational for almost every aspect of execution and growth these days. It is no longer tenable for this gap to persist.
The relationship between cybersecurity risks and organizational objectives is clearly understood and considered when making decisions.
Relationship in this context is ambiguous. We go a step further to define “the relationship between cybersecurity risks and organizational objectives” as “alignment between cyber risk tolerance and business objectives”. The security industry has long relied on controls as the tactic by which risk tolerance is established and managed. However, controls have the power to both reduce risk and hinder productivity. Finding the proper balance between the two requires input by both security and business owners to ensure alignment. Both points of view must be understood and considered when making decisions.
Educating the organization on why and which vulnerabilities, threats, and assets matter, and what each person can do to effectively mitigate risk, is foundational to any security program. This effort goes a long way towards operationalizing awareness and understanding of how cybersecurity risks affect organizational objectives. However, we see other opportunities to better operationalize understanding between “cybersecurity risks and organizational objectives.”
Executives monitor cybersecurity risks in the same context as financial and other organizational risks.
Translating cyber risk as financial risk is necessary to equip executives to engage. This translation provides several opportunities to engage and inform:
- Measuring and managing cyber risk requires a heavier nod to financial impact than currently occurs for most organizations. Trade-off decisions cannot be made only by those that understand the intricacies of threats, vulnerabilities, and assets. Via enterprise risk management (ERM), the financial lens is how the organization already compares and contrasts its options for reducing exposure and improving profitability relative to other enterprise risks. When security provides an evaluation of financial exposure as part of its presentation, it allows for more efficient and effective trade-off discussions with the broader leadership team to inform resource allocations and other program-level decisions. Cyber risk can effectively be managed alongside any other enterprise risk.
- In finance, numerous methodologies exist as best practice to measure and manage risk. We see opportunity in applying several of these same methodologies to the security context, leading to more defensible and understandable evaluations of risk. Random forest models are fun, as are heatmaps explaining your NIST or MITRE ATT&CK posture. However, such methods and visualizations are difficult to explain, let alone defend, as they are new to non-security audiences. Better structured, tested approaches exist in finance to define what your risk is today, and to value the benefits of future investments.
Leveraging financial methods allows for better communication. You no longer have to teach the organization what compliance means relative to risk, or what control efficacy entails. Financial concepts are more familiar to your audience, as they lay out the costs and benefits of the decisions that lie ahead. Leveraging them results in more engagement in discussions and better, more informed decisions.
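As an added illustration of what "translating cyber risk into financial risk" looks like in practice (example code written for this page, not Pellonium's platform or method), the script below quantifies one loss scenario with a Monte Carlo simulation of the kind used in financial risk modelling: event frequency is modelled as Poisson, loss per event as lognormal fitted to a 90% confidence interval, and the result is an expected annual loss, a loss-exceedance percentile, and the return on a proposed control. The scenario, its frequencies, loss ranges and the control cost are all constructed numbers chosen for the demonstration.

```python
import math
import random
from dataclasses import dataclass

Z90 = 1.6448536  # z-score that bounds a two-sided 90% interval


@dataclass(frozen=True)
class Scenario:
    """One loss scenario, captured the way an analyst elicits it from experts."""
    name: str
    events_per_year: float  # expected number of loss events per year (Poisson mean)
    loss_low: float         # 5th-percentile loss per event, USD
    loss_high: float        # 95th-percentile loss per event, USD

    def lognormal_params(self):
        # A 90% interval [low, high] pins down a lognormal loss distribution.
        mu = (math.log(self.loss_low) + math.log(self.loss_high)) / 2
        sigma = (math.log(self.loss_high) - math.log(self.loss_low)) / (2 * Z90)
        return mu, sigma


def expected_annual_loss(s: Scenario) -> float:
    """Closed-form expected annual loss: frequency x mean loss per event."""
    mu, sigma = s.lognormal_params()
    return s.events_per_year * math.exp(mu + sigma ** 2 / 2)


def _poisson(rng: random.Random, lam: float) -> int:
    # Knuth's method; adequate for the small event rates used here.
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, years=20000, seed=7):
    """Return one simulated total loss per year across all scenarios."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        year_loss = 0.0
        for s in scenarios:
            mu, sigma = s.lognormal_params()
            for _ in range(_poisson(rng, s.events_per_year)):
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    return totals


def percentile(values, p: float) -> float:
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(p * len(ordered)))
    return ordered[idx]


def compare_investment(current, proposed, annual_control_cost, years=20000, seed=7):
    """Value a control by the annual loss it removes versus what it costs."""
    eal_before = sum(expected_annual_loss(s) for s in current)
    eal_after = sum(expected_annual_loss(s) for s in proposed)
    sim_before = simulate_annual_losses(current, years, seed)
    sim_after = simulate_annual_losses(proposed, years, seed)
    reduction = eal_before - eal_after
    return {
        "eal_before": eal_before,
        "eal_after": eal_after,
        "sim_mean_before": sum(sim_before) / len(sim_before),
        "sim_mean_after": sum(sim_after) / len(sim_after),
        "p95_before": percentile(sim_before, 0.95),  # 1-in-20 bad year
        "p95_after": percentile(sim_after, 0.95),
        "reduction": reduction,
        "roi": (reduction - annual_control_cost) / annual_control_cost,
    }


if __name__ == "__main__":
    # Constructed scenario: ransomware today vs. after a hypothetical backup/EDR investment.
    today = [Scenario("ransomware", 0.4, 200_000, 5_000_000)]
    with_control = [Scenario("ransomware", 0.25, 100_000, 2_000_000)]
    report = compare_investment(today, with_control, annual_control_cost=150_000)
    for key, value in report.items():
        print(f"{key:>16}: {value:,.2f}")
```

The figures that leave the security team are the ones in the report: expected annual loss before and after, the 95th-percentile "bad year", and an ROI on the control cost. Those are the same shapes of numbers an ERM function already uses to compare other enterprise risks, which is the point of the translation.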
The organizational budget is based on an understanding of the current and predicted risk environment and risk tolerance. Business units implement executive vision and analyze system-level risks in the context of the organizational risk tolerances.
NIST brings it home. Once the organization is enabled to tactically translate cyber risk as financial risk, challenges such as budget management, investment asks / business case development, and other strategic decisions become much more efficient, as it is much easier to engage the organization in the decision-making process. The expected outcomes are already described in language the organization understands.
This same logic applies at the operational level as well. Prioritizing based on the scale of a threat, the size of a vulnerability, or the importance of an asset is feasible in isolation but difficult in aggregate. Good security leaders are able to analyze and synthesize to make effective prioritization decisions; great security leaders are able to translate their analyses into language the rest of the organization understands. However, continuous availability of financial impact at the configuration / policy level can equip everyone (not just leadership) to be risk-informed when making prioritization decisions, enabling more efficient and effective operationalization of an adaptive approach.
Cybersecurity risk management is part of the organizational culture. It evolves from an awareness of previous activities and continuous awareness of activities on organizational systems and networks.
For cybersecurity risk management to be part of the organizational culture, security professionals have to do more to make it easier for non-security professionals to engage in the discussion. A persistent translation of cyber risk into financial risk will go a long way in bridging that gap.
The scope and scale of the data to analyze and understand is beyond human capability. A data-driven solution is required to deliver “continuous awareness of activities on organizational systems and networks.” Moreover, it is no longer sustainable for this data to be segregated across the security stack and beyond, siloed in various systems. A comprehensive, unified view of the security posture is needed to provide continuous visibility.
The organization can quickly and efficiently account for changes to business/mission objectives in how risk is approached and communicated. The organization adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators.
To “quickly and efficiently account for changes to the business / mission objectives,” we believe this awareness of risk requires real-time visibility of the entire cyber risk environment. Decisions are made every day that affect the cyber environment, from new tools introduced to changes to existing infrastructure. The threat environment is just as dynamic if not more, constantly moving the target of control effectiveness and what it truly means to be secure given your business objectives.
Through a process of continuous improvement that incorporates advanced cybersecurity technologies and practices, the organization actively adapts to a changing technological landscape and responds in a timely and effective manner to evolving, sophisticated threats. The organization uses real-time or near real-time information to understand and consistently act upon the cybersecurity risks associated with its suppliers and the products and services it acquires and uses. Cybersecurity information is constantly shared throughout the organization and with authorized third parties.
Continuous improvement requires continuous visibility, efficient communication, and informed decision making. Periodic assessments no longer meet the needs of effectively responding to a changing technological landscape. And responsiveness to insights and observations also needs to be quickened by putting this visibility into the hands of the practitioner as well as leadership.
Pellonium Risk Intelligence provides continuous, comprehensive visibility to cyber risk and prioritized, operational recommendations for how to reduce exposure. Insights are delivered in a manner consumable by both technical and non-technical audiences to inform decisions at all levels of the organization. Pellonium enables an adaptive risk management program that allows you to mature faster and more effectively given resources available and the organization’s risk tolerance.
Learn more at https://www.pellonium.com.