One of the most important and difficult responsibilities a CISO has is how to best manage their enterprise risk and prioritize cybersecurity investments. The challenge here is determining “how much is good enough” and “where do I get the biggest bang for the buck.” In this post, I discuss some strategies for helping to build a defensible security strategy that tries to strike an appropriate balance between investment in security capabilities and risk to the enterprise.
To be defensible, I believe the security strategy needs to identify and capture the level of risk the organization is willing to accept (the organization’s risk tolerance), identify where the organization currently is in terms of its ability to protect and defend the enterprise at an acceptable level of risk (its level of cybersecurity maturity), and where the organization needs to be from a cybersecurity perspective (gaps that are preventing the organization from appropriately managing their risks).
When it comes to defining risk tolerance (or risk appetite, as some organizations call it), many larger organizations and organizations in highly regulated industries have put in place dedicated staff and a Risk Officer to manage corporate risks, including cybersecurity risk. For smaller organizations, risk management often becomes “another duty as assigned” for the CISO.
The key to determining your organization’s risk tolerance is to identify and categorize the risks that impact your business operations – namely, which risks the organization is willing to accept, which risks would cause significant but recoverable harm to the business, and which risks would cause unrecoverable harm to the business (i.e., “extinction events”). These risks could include reputational damage, loss of personal or sensitive information, failure to meet service level agreements (and the associated reputational damage and financial impacts), and financial impact for failing to meet regulatory or compliance requirements (e.g., fines, lost revenue, etc.). If you can calculate the financial impact of those risks in dollars (the cost to clean up and recover your systems, lost revenue, fines, restitution, etc.), that is even better.
It is important to discuss enterprise risks with your executive counterparts and collectively agree upon, categorize, manage, and monitor them. Some organizations have established a risk council consisting of the CISO, CIO, COO, CTO, general counsel, and/or CFO, who collectively manage and monitor the corporate risks. The outcome of this activity is a set of corporately agreed-upon risks, categorized by their business impact, with an accountable executive assigned to each. Having agreement at this level of your organization on your enterprise risks goes a long way toward building the support you need for your security program.
Once you understand the risk tolerance of the organization, and more importantly the cyber risks that you (as CISO) are accountable for, you are ready to update (or build) a defensible cybersecurity plan for the organization. There are lots of things that come into play when developing the strategy, but the key is to tie proposed investments back to the enterprise risks. This helps you with the challenge I identified above – determining “how much is good enough” and “where do I get the biggest bang for the buck.” Here are a couple of things to consider as you build your plan:
- Leverage a Framework. There are plenty of frameworks out there to help you assess and manage your risks [the NIST Cyber Security Framework (CSF), the Factor Analysis of Information Risk (FAIR), and the MITRE ATT&CK or DoDCAR framework, to name a few], and I would suggest adopting one that aligns with your industry and using it to assess your current level of cybersecurity maturity. With this as a baseline, you can then determine what level of maturity makes sense to appropriately manage your enterprise risk and identify your high-level gaps related to people, process, policy, and technology.
- Know Your Terrain. At Fidelis we like to say: know your environment as well as your attacker does. Knowing your terrain involves having a detailed inventory of your IT resources, including configuration and patch levels, the architecture, and potential exposure to external influences such as the public internet or third-party organizations. This knowledge, combined with your gap analysis and risk tolerance, allows you to begin prioritizing investments in technology that reduce the overall risk to critical IT assets and resources, as well as addressing potential vulnerabilities that could be present in your environment.
- Establish security metrics to track progress against your plan. These metrics will enable you to track areas of the program that have reduced risk to the enterprise as well as emphasize areas of focus that need further, prioritized investment. To be effective, the metrics should be automatically generated (i.e., a real-time assessment with minimal human effort to produce them), and a summary of the metrics needs to be bubbled up and regularly shared and discussed at the C-level. This will enable you to highlight the progress that has been made, identify where further effort is needed to stay below the risk tolerance level of the enterprise, and maintain support for your security program.
- Have a strong grasp of the current and evolving threat landscape. Your security programs and defenses need to stay up to date against evolving threats, and that is where threat intelligence comes into play. Timely and comprehensive threat intelligence that covers adversaries, their tactics, techniques, and procedures, as well as the associated indicators of compromise and attack (IOC/As), will provide you and your team with information on the latest threats and threat trends within your industry vertical. By curating such threat intelligence, you will be able to plan strategically for the investments needed to defend against these threats, as well as build the capability to automate defenses that detect and respond to them.
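To make the “tie investments back to enterprise risks” step concrete, here is an added example (not from the post or from Fidelis) of a small prioritization model: risks are categorized into the three tiers described above and given a dollar impact and an assumed annual likelihood, and candidate investments are ranked by expected loss avoided per dollar. The rule that anything reducing an extinction-tier risk is ranked first, and all of the sample figures, are assumptions constructed for illustration.

```python
"""Toy investment-prioritization model (added example, not the post's own method)."""
from dataclasses import dataclass, field

# The three risk tiers described in the post.
ACCEPT, RECOVERABLE, EXTINCTION = "accept", "recoverable", "extinction"


@dataclass
class Risk:
    name: str
    tier: str
    impact_usd: float      # cleanup/recovery cost, lost revenue, fines, restitution
    likelihood: float      # assumed annual probability of occurrence (0..1)

    def expected_loss(self) -> float:
        return self.impact_usd * self.likelihood


@dataclass
class Investment:
    name: str
    cost_usd: float
    # assumed fraction by which this control reduces each named risk's likelihood
    reductions: dict = field(default_factory=dict)


def loss_avoided(inv: Investment, risks: list) -> float:
    """Expected annual loss avoided by one investment across the risk register."""
    return sum(r.expected_loss() * inv.reductions.get(r.name, 0.0) for r in risks)


def prioritize(investments: list, risks: list) -> list:
    """Rank by loss avoided per dollar ("bang for the buck"); assumed rule: any
    investment that reduces an extinction-tier risk is ranked ahead regardless."""
    extinction = {r.name for r in risks if r.tier == EXTINCTION}

    def key(inv):
        covers_extinction = any(n in extinction for n in inv.reductions)
        return (covers_extinction, loss_avoided(inv, risks) / inv.cost_usd)

    return [inv.name for inv in sorted(investments, key=key, reverse=True)]


# Constructed sample register and candidate controls (illustrative values only).
RISKS = [
    Risk("ransomware outage", EXTINCTION, 5_000_000, 0.10),
    Risk("PII breach fines", RECOVERABLE, 2_000_000, 0.20),
    Risk("phishing credential theft", ACCEPT, 50_000, 0.60),
]
INVESTMENTS = [
    Investment("offline backups", 200_000, {"ransomware outage": 0.5}),
    Investment("DLP platform", 300_000, {"PII breach fines": 0.4}),
    Investment("MFA rollout", 50_000, {"phishing credential theft": 0.8, "PII breach fines": 0.2}),
]
```

Note that the MFA rollout has the best ratio, but the backups rank first because they are the only control touching the extinction-tier risk; that is the kind of trade-off a risk council should see explicitly.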
The U.S. Government essentially took this approach through Executive Order 13800 by requiring all Federal agencies to perform an assessment against the NIST Cyber Security Framework, document the risk mitigation and acceptance choices made by each agency, and develop an action plan to implement the Framework. If you are a Federal agency CISO, you may already have a plan in place for your organization, or at least one that you can use as a starting point for creating your defensible security strategy.
The challenge now becomes how to maintain focus on your plan, and this is where executive-level visibility, buy-in, and the associated metrics become critical. Without continued visibility on the plan, you run the risk of your plan becoming shelfware.
I think we are all in a similar situation where our security stacks have grown over the years to address new threats with new capabilities being bolted on for specific threats. This security stack “bloat” has led to analyst overload and inefficiencies in our security operations because we’ve left it to the human analysts to piece together in their heads what is going on across multiple tools. The key to getting out of this trap is to improve the integration and automation of our tools.
Many of our customers are going down this path and performing internal assessments of their security stacks looking for ways to reduce the footprint of their stacks and better integrate the capabilities they have. Along these lines, Gartner has defined a new category of integrated detection and response solutions called eXtended Detection and Response (XDR) that I believe is worth a look. XDR combines integration with automation and advanced analytics to enable you to bring sensor data together from across your enterprise (endpoints, network, and cloud), correlate anomalies occurring throughout your enterprise, and produce high confidence and actionable alerts that allow you to focus your limited cybersecurity resources on the highest priority threats. And as a side benefit, if you have higher confidence in your alerts, you will feel more comfortable enabling automated responses. With the combination of high confidence and actionable alerts and automated playbooks to streamline repetitive activities, you can realize some significant efficiencies across your enterprise.
Bringing it all together, you need to have a clear commitment from your leadership team to cybersecurity. This commitment translates into the investments and program changes needed to improve security and maintain a risk tolerance level acceptable to the business. The strategies we discussed above will provide you with the right information to bring to the leadership team to showcase the successes of the program (where risk has been reduced) and the areas where further investment is needed. By involving leadership from the beginning, the CISO builds buy-in on what level of risk is acceptable for the organization and what level of investment is needed to appropriately manage the organization’s risks. Having a clear view into the IT environment (assets, vulnerability management, and external risks via third parties) will demonstrate to leadership an understanding of the areas where cyber risks persist internally. Finished threat intelligence will allow the CISO to inform leadership where active threats have impacted peers across the industry and of the potential for specific targeting of the organization. And finally, regular briefings on security program metrics showing successes or areas for continued improvement will validate the investments made and highlight the areas where additional investment is needed.