The current crisis caused by the coronavirus has unfortunately taken a toll on the state of the economy, and information security professionals must be prepared. In many cases, information security program (infosec) budgets will be reduced. Security leaders must plan for the possibility of cuts and proactively strategize on how they can continue to lead an effective and successful infosec program. This is especially critical considering U.S. security agencies have warned that the frequency and severity of COVID-19-related cyberattacks are expected to continue to increase over the coming weeks and months.
Today's challenging reality presents an opportunity for CISO’s to reevaluate the economics and efficiencies of their current infosec program. To do so, CISO’s must narrow their focus on maximizing their return on investments and shift to a risk-based prioritization strategy.
No matter the situation, CISO’s are always expected to meet goals and drive results. Even though security professionals cannot reduce risk to zero, they can reduce risk significantly by first eliminating the most impactful risks facing their organization.
Below, I discuss the four critical steps of leading an economical and efficient information security program while following a risk-based approach.
- Asset inventory
Gaining knowledge over everything that exists across a network is a daunting, yet crucial task for infosec teams. The attack surface is more complex today than ever before. For example, a mid-sized enterprise with 1,000 employees has approximately over 10 million time-varying signals that must be constantly analyzed to accurately predict breach risk. For larger enterprises, this number grows to 100 billion or more.
The first step to understanding one’s IT environment, is to develop an accurate, up-to-date inventory and categorization of all the hardware and software assets connected across the network. However, with the dynamic nature of today's organizations, having the ability to see everything is simultaneously more difficult, and more important than ever before.
Fortunately, CISOs no longer need to rely on inaccurate Configuration Management Databases (CMDB) or even worse, manual spreadsheets to keep up with inventory. Advanced tools are now available that can continuously build and automatically update inventory on an ongoing basis.
- Business criticality
After accurately categorizing inventory security leaders must then identify business criticality. Having a comprehensive view of how critical an asset is to a business’ operation is crucial.
When calculating business criticality, CISO’s should ask themselves a simple question, “How disastrous would the impact on the business be if said asset were to get breached.” As an example, if financial business information from a CFOs laptop was leaked, the impact of the breach would be much more detrimental to a company than if the front desk receptionists’ laptop was compromised.
After both the likelihood and impact of a breach are identified, security leaders can assess their organization’s cyber risk.
- Calculating likelihood
After accurately categorizing inventory and business criticality, security leaders must then calculate the likelihood of a breach for every asset and possible attack vector. Likelihood considers the severity of vulnerabilities, exposure due to usage, threat levels, and the risk-negating effect of compensating controls. It is pivotal that each of these variables are accounted for when calculating likelihood.
Security professionals must also note that vulnerabilities go far beyond just Common Vulnerabilities and Exposures (CVEs), a catalog of known security threats. Every asset on an organization’s network is potentially susceptible to hundreds of attack vectors. These range from weak passwords, to more complex vectors such as phishing, unpatched software, encryption and configuration issues. Known vulnerabilities, or CVEs, are just a small subset of most enterprises’ overall breach risk and the severity of all vulnerabilities must be considered for accurate likelihood.
Having knowledge around the probability that an asset will be breached is a critical step in assessing overall cyber risk. This is most efficiently done through automation, as the scope of this task extends far beyond the human capacity of nearly every infosec team.
- Prioritize efforts
The last step is prioritization. Effective security leaders know that in order to empower their team to be productive, they must provide clear, prioritized lists of the key vulnerabilities that need to be remediated first.
Prioritized lists of vulnerabilities should include insights into the likelihood of a breach for each asset, the issues affecting assets and the business impact a breach on that asset would have on your organization. Furthermore, by identifying prescriptive fixes for each vulnerability, a CISO’s team can have real-time visibility into top risk insights for improved incident response and remediation.
Taking a risk-based approach
After the above risk analysis is complete, security leaders will gain full visibility into what is driving the most risk to their organization. This allows CISO’s to easily prioritize efforts on the biggest risk drivers across the team and ensure that their infosec program has the maximum possible risk reduction despite a reduction team size and/or budget.
Taking a risk-based approach to an infosec program is the only way that security leaders will be able to continue to meet or exceed goals during our current, new economic reality.