Chris Kubic is the Chief Information Security Officer (CISO) at Fidelis Cybersecurity. Kubic brings with him more than 30 years of experience driving Information Assurance and Cybersecurity initiatives...
One of the most important and difficult responsibilities a CISO has is how to best manage their enterprise risk and prioritize cybersecurity investments. The challenge here is determining “how much is good enough” and “where do I get the biggest bang for the buck.” In this post, I discuss some strategies for helping to build a defensible security strategy that tries to strike an appropriate balance between investment in security capabilities and risk to the enterprise.
To be defensible, I believe the security strategy needs to identify and capture the level of risk the organization is willing to accept (the organization’s risk tolerance), identify where the organization currently is in terms of its ability to protect and defend the enterprise at an acceptable level of risk (its level of cybersecurity maturity), and where the organization needs to be from a cybersecurity perspective (gaps that are preventing the organization from appropriately managing their risks).
When it comes to defining risk tolerance (or risk appetite as some organizations call it), many larger organizations and organizations in highly regulated industries have put in place dedicated staff and a Risk Officer to manage corporate risks, including cybersecurity risk. For smaller organizations, risk management often becomes “another duty as assigned” for CISOs.
The key to determining your organization’s risk tolerance is to identify and categorize the risks that impact your business operations: namely, what are the risks the organization is willing to accept, what are the risks that would cause significant but recoverable harm to the business, and what are the risks that would cause unrecoverable harm to the business (i.e., “extinction events”). These risks could include reputational damage, loss of personal or sensitive information, failure to meet service level agreements (and the associated reputational damage and financial impacts), and financial impact for failing to meet regulatory or compliance requirements (e.g., fines, lost revenue, etc.). If you can calculate the financial impact of those risks in dollar terms (the cost to clean up and recover your systems, lost revenue, fines, restitution, etc.), that is even better.
It is important to discuss enterprise risks with your executive counterparts and collectively agree upon, categorize, manage, and monitor your enterprise risks. Some organizations have established a risk council consisting of the CISO, CIO, COO, CTO, general counsel, and/or CFO, who collectively manage and monitor the corporate risks. The outcome of this activity is a set of corporately agreed-upon risks, categorized by their business impacts, with an accountable executive assigned to each risk. Having agreement at this level of your organization on your enterprise risks goes a long way toward building the support you need for your security program.
Once you understand the risk tolerance of the organization, and more importantly the cyber risks that you (as CISO) are accountable for, you are ready to update (or build) a defensible cybersecurity plan for the organization. There are lots of things that come into play when developing the strategy, but the key is to tie proposed investments back to the enterprise risks. This helps you with the challenge I identified above – determining “how much is good enough” and “where do I get the biggest bang for the buck.” Here are a couple of things to consider as you build your plan:
The U.S. Government essentially took this approach through Executive Order 13800 by requiring all Federal agencies to perform an assessment against the NIST Cyber Security Framework, document the risk mitigation and acceptance choices made by each agency, and develop an action plan to implement the Framework. If you are a Federal agency CISO, you may already have a plan in place for your organization, or at least one that you can use as a starting point for creating your defensible security strategy.
The challenge now becomes how to maintain focus on your plan, and this is where executive-level visibility and buy-in, along with associated metrics, become critical. Without continued visibility on the plan, you run the risk of your plan becoming shelfware.
I think we are all in a similar situation where our security stacks have grown over the years to address new threats with new capabilities being bolted on for specific threats. This security stack “bloat” has led to analyst overload and inefficiencies in our security operations because we’ve left it to the human analysts to piece together in their heads what is going on across multiple tools. The key to getting out of this trap is to improve the integration and automation of our tools.
Many of our customers are going down this path and performing internal assessments of their security stacks looking for ways to reduce the footprint of their stacks and better integrate the capabilities they have. Along these lines, Gartner has defined a new category of integrated detection and response solutions called eXtended Detection and Response (XDR) that I believe is worth a look. XDR combines integration with automation and advanced analytics to enable you to bring sensor data together from across your enterprise (endpoints, network, and cloud), correlate anomalies occurring throughout your enterprise, and produce high confidence and actionable alerts that allow you to focus your limited cybersecurity resources on the highest priority threats. And as a side benefit, if you have higher confidence in your alerts, you will feel more comfortable enabling automated responses. With the combination of high confidence and actionable alerts and automated playbooks to streamline repetitive activities, you can realize some significant efficiencies across your enterprise.
Bringing it all together, you need to have a clear commitment from your leadership team to cybersecurity. This commitment translates into the necessary investments and program changes needed to improve security and maintain a risk tolerance level acceptable to the business. The strategies we discussed above will provide you with the right information to bring to the leadership team to showcase the successes of the program (where risk has been reduced) and areas where further investment is needed. By involving leadership from the beginning, the CISO builds buy-in on what level of risk is acceptable for the organization and what level of investment is needed to appropriately manage the organization’s risks. Having a clear view into the IT environment (assets, vulnerability management, and external risks via third parties) will show leadership that you understand the areas where cyber risks persist internally. Finished threat intelligence will allow the CISO to inform leadership where active threats have impacted peers across industry and the potential for the specific targeting of the organization. And finally, regular briefings on security program metrics showing successes or areas for continued improvement will resonate in validating the investments made and the areas where additional investment is needed.