A Programmatic, Risk-Based Approach
May 26, 2020 by Loren Lachapelle
Cybersecurity, as we know it today, is defined as “the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information,” according to the Cybersecurity & Infrastructure Security Agency. In the 1990s, organizations across the globe started to practice information security to keep data safe. A few years later – as cybercriminals continued to get more sophisticated and organizations had to face the devastating consequences – the idea of cybersecurity, as distinct from information security, evolved.
Organizations are now taking it a step further and realizing they must take a programmatic, risk-based approach when developing their cybersecurity program. By doing so, they will be better prepared to mitigate risk, withstand cyberthreats, and increase their resiliency. But what exactly does a “programmatic, risk-based approach” to cybersecurity look like? We’ll break it down.
Today’s Technology Problem
Taking a programmatic approach to the cybersecurity challenge means organizations are working to have their people, processes, and technology in place. After all, the likelihood of being impacted by a security event is high. There is no silver bullet in cybersecurity, and, unfortunately, prevention will not win the day.
Many organizations today believe cybersecurity is solely a technology problem. They invest in an array of different tools (such as IDS/IPS, firewalls, antivirus software, SIEMs, threat detection tools, multi-factor authentication, etc.) in hopes this technology will defend and protect them when a security event happens. While these technical controls are always needed and encouraged, having a strong cybersecurity program requires more than just set-it-and-forget-it technical controls.
A strong, programmatic, risk-based approach to cybersecurity requires looking at it holistically while measuring and accounting for risk along the way. Controls need to be established in multiple functional disciplines throughout the organization, rather than leaning on only the technology to get you through. Furthermore, risk does not simply lie in infrastructure and technology. Risk, and its many layers, is bound to reside within the people and process elements as well, so organizations must account for it when building their cybersecurity program.
How You Can Be Prepared to Face Adverse Events
As we have learned, cybersecurity events can never be 100% prevented. Risk is always there even if you have technical controls in place. Taking this approach to cybersecurity requires organizational backing. Communication structures, education, authority, and support from the top of the organization will allow organizations and individual employees to respond proactively and empower them to confidently and correctly deal with an incident.
At some point, someone within the organization will inevitably fall victim to phishing, for example. They will click on a link they shouldn’t have or send an email they shouldn’t have that may contain sensitive information. When an incident like that happens, how equipped are you to handle the ramifications? That is the question every organization should be striving and pivoting to answer every day.
To begin implementing a programmatic, risk-based approach, first take a step back and evaluate what kind of insight you currently have regarding the different risk categories that need to be accounted for: people, process, and technology. Then, evaluate your risk tolerance and appetite. Every organization will have its blind spots that are most likely not being accounted for. To figure out how much risk you’re willing to take on, you can ask yourself, “Is there transparency and accountability within these risk categories?” and “Are there people, processes, and controls in place that can help mitigate risk when an adverse event happens?”
Staying Resilient for the Long Term
Looking at cybersecurity from the perspective of resiliency is important when implementing this programmatic, risk-based methodology into your organization. Feeling comfortable you will be able to handle the ramifications of a security event is the key to having a strong cybersecurity program that can withstand adverse situations.
Taking a programmatic approach is about shifting and changing your organization’s culture. This does not happen overnight – it is a collective effort amongst key stakeholders from within. Without the help of people, process, and technology working in unison to support it, it is hard to achieve that culture.
Furthermore, your organization’s cybersecurity program should always align with the business mission and support its goals. When building a program, it’s also important to keep looking ahead at future changes that may be on the horizon. Where is the organization headed from a growth perspective? Will new vendor relationships be established? Will the organization be onboarding new employees? These are just a few considerations that can change the risk dynamic specific to your organization and its cybersecurity. For these reasons, a strong and resilient cybersecurity program will always go hand in hand with the business mission and organizational culture.
Finally, a resilient organization should always test and measure the moving parts of their cybersecurity program on a regular basis. Practice within all aspects of the program will prepare you for when something does eventually happen. Educate – and then test – employees on their cybersecurity knowledge. Make sure that perimeter controls and internal network controls are working how they should be with the changing threat environment. Testing and measuring people, process, and technology will allow you to identify areas of improvement and allow you to adapt when needed – without incurring too much risk.