Almost every week brings new headlines about executive orders, frameworks and regulations surrounding cybersecurity, affecting both the private and public sectors.
For example, the New York State Department of Financial Services (DFS) cybersecurity regulation went into effect on March 1st. It requires New York banks, insurance companies and other financial services institutions regulated by the DFS to implement risk assessments, encryption, cybersecurity policies, cyber governance and more.
The National Institute of Standards and Technology (NIST) is accepting comments on an updated version of the NIST Cybersecurity Framework. The guidelines, which are being voluntarily adopted in both the private and public sectors, focus on measuring, managing and reducing cyber risk.
The Trump administration’s draft cybersecurity Executive Order requires federal agencies to adopt the NIST framework. It also includes requirements to better secure critical infrastructure which will apply to the public and private sectors.
While the regulations, orders and frameworks have their differences, there is one common theme among all three: a shift toward approaching cybersecurity from a risk-based point of view. Treating cybersecurity as a risk management problem is quickly becoming commonplace in the private sector, with boards of directors holding security executives' feet to the fire to present a risk-centric view that is traceable and understandable.
According to a recent Osterman Research survey, 59 percent of board members say security executives will lose their jobs as a result of failing to provide useful, actionable information. Board members speak the language of risk, which means security executives must translate technospeak into risk when reporting to those top decision makers.
In the public sector, the concept of security as a cyber risk challenge comes naturally to those on the defense side of the house, but like in the private sector, it can be somewhat novel to civilian agencies. As regulation has evolved, more agency leaders are embracing the approach. This shift was articulated by Retired Brig. Gen. Gregory Touhill, who provided a set of cybersecurity recommendations prior to leaving his post as the nation’s first Federal Chief Information Security Officer.
Touhill’s top recommendation was “doubling down” on Continuous Diagnostics and Mitigation (CDM), which focuses on identifying cybersecurity risks on an ongoing basis, prioritizing risks based upon potential impacts, and enabling cybersecurity personnel to mitigate the most significant problems first.
Adoption of CDM-type programs by both the public and private sectors would collectively increase the industry's ability to minimize the impact of attacks on the most important missions. CDM programs enable organizations to adopt a risk-based approach to cybersecurity and to continuously comply with the majority of cyber regulations, frameworks and orders on the horizon. Most importantly, CDM programs enable organizations to protect the applications, systems and information that matter most.
Building a CDM program begins with understanding the definition of risk. Risk is the intersection of a threat, a vulnerability that threat can exploit, and an asset of value that would be harmed. If any one of those three components is missing, there is no risk.
For example, if an employee who typically would not access an application that contains classified information logs in and sends that information to an unknown outsider, the event should be labeled as a high-risk alert and moved to the top of the responder pile for immediate action. However, if the application only contained public press releases, the event can be put at the bottom of the stack, since it is low risk.
If the employee was given explicit permission by his manager to access the application and sent the classified information to an approved outsider, the event carries a lower risk and can be moved down the pile. It’s all about connecting the dots between actual threats, vulnerabilities and impact to the mission.
To get started, organizations must identify their most valued assets and determine where they live. This includes evaluating the impact, both financial and mission impact, that would result from losing the confidentiality, integrity or availability of those assets. This is no easy task. Most large enterprises and agencies struggle with keeping track of their information assets, such as knowing which endpoints are part of which applications, and who in the organization is responsible for cybersecurity at each level.
However, by knowing their most important assets and the contextual information surrounding them, security leaders can take a mission-driven approach to protecting those assets rather than operating on incident severity alone, without visibility into what is actually being protected.
With their asset information under control, the next task is to identify and prioritize the events and exposures that could lead to a compromise of those valued assets. This requires a different approach from the one taken by many large enterprises: stacking up threats and vulnerabilities, each in its own silo, and trying to remediate them from the highest severity down.
Protecting the mission or the business most effectively requires an integrated view of the world that prioritizes the alignment of threats, vulnerabilities and assets of value. This includes all types of threats and vulnerabilities, including the misuse of privileged access.
Finally, underlying any great security and cyber risk program is the ability to measure. Quantification of cyber risk, dimensioned by both assets and organization, drives prioritization and accountability for all stakeholders. CISOs are leading the battle, but they need to be able to distribute priorities and targeted information to those tasked with taking action, and then hold them accountable to accomplish their mission. The CISO can then also measure performance, ROI and work with leadership to acquire and apply the resources required to fill critical gaps.
For some organizations, attempts to implement risk-based CDM-type programs have fallen short. Approaches to quantifying cyber risk, which is the key driver for prioritizing remediation, have largely been statistics-based exercises that do not reflect actual conditions on the ground on any given day, and cannot easily be drilled down to an actionable level on the front lines. They require experts to work with the cyber and business teams to estimate the probabilities of particular events and their ability to compromise each application's confidentiality, integrity and availability. While the statistical approach has value, it is too limited to stand by itself.
Even assuming you have enough historical data to calculate cyber risk accurately, the result is only useful for risk mitigation if you can line those historical models up with actual telemetry from the environment.
A more effective and actionable approach aligns estimated application loss impacts with actual telemetry from events occurring on the devices and data that support the applications, and with external threat intelligence reflecting what is occurring in the wild.
The benefit of this approach is that it is based on actual conditions "on the ground" and can be aggregated and decomposed to drive prioritization decisions from the front-line responders all the way up to the board of directors.
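The following is an added example, not code from the article or from Bay Dynamics, that puts the two ideas above into working form: the risk definition (threat, vulnerability and asset of value, any of which at zero yields no risk) with the three scenarios of the classified application, the public press releases and the manager-approved transfer, and the alignment of estimated loss impact with telemetry and threat intelligence, rolled up from individual events to a per-business-unit view. Every input is hypothetical and constructed: the asset register and its impact figures, the authorization data, the threat-intelligence list, the scoring weights, and the telemetry events.

```python
"""Risk-based alert prioritization over constructed telemetry.

Added example; not code from the article or from Bay Dynamics. The asset
register, authorization data, threat-intel list, scoring weights and the
events below are all hypothetical and constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset register. "impact" is the estimated loss (arbitrary
# units) if the asset's Confidentiality, Integrity or Availability is lost.
# Press releases are public, so their confidentiality impact is zero.
ASSETS = {
    "clearance-db": {"unit": "intel",   "impact": {"C": 100, "I": 80, "A": 40}},
    "payroll":      {"unit": "finance", "impact": {"C": 60,  "I": 90, "A": 30}},
    "press-site":   {"unit": "comms",   "impact": {"C": 0,   "I": 20, "A": 10}},
}

# Constructed external threat intelligence: destinations reported in the
# wild as exfiltration drop points (documentation address, not a real host).
BAD_DESTINATIONS = {"203.0.113.7"}

# Constructed authorization context: (user, asset) pairs a manager has
# approved, and outside recipients approved to receive data.
AUTHORIZED_ACCESS = {("alice", "clearance-db"), ("bob", "payroll")}
APPROVED_RECIPIENTS = {"partner.example.net"}


@dataclass(frozen=True)
class Event:
    """One telemetry record: who touched which asset and what they did."""
    event_id: str
    user: str
    asset: str
    action: str                 # "login" or "send"
    destination: str = ""       # where data was sent, for "send" events
    baseline_user: bool = True  # does this user normally access the asset?


def threat_score(ev: Event) -> float:
    """Threat: evidence that data is actually leaving toward a hostile party."""
    if ev.action != "send":
        return 0.2                        # access only, no outbound transfer
    if ev.destination in BAD_DESTINATIONS:
        return 1.0                        # matches external threat intel
    if ev.destination in APPROVED_RECIPIENTS:
        return 0.1                        # sanctioned data sharing
    return 0.6                            # unknown outsider


def vulnerability_score(ev: Event) -> float:
    """Vulnerability/exposure: was the access outside sanctioned controls?"""
    if (ev.user, ev.asset) in AUTHORIZED_ACCESS:
        return 0.1                        # explicit manager approval
    if not ev.baseline_user:
        return 1.0                        # anomalous access, no approval
    return 0.5                            # usual user, but no explicit approval


def impact_score(ev: Event) -> float:
    """Impact: loss to the mission if this event succeeds against the asset."""
    imp = ASSETS[ev.asset]["impact"]
    if ev.action == "send":
        return imp["C"]                   # data leaving is a confidentiality loss
    return 0.3 * max(imp.values())        # a login alone is a precursor, discounted


def risk(ev: Event) -> float:
    """Risk is the intersection of the three; any factor at zero yields zero."""
    return impact_score(ev) * threat_score(ev) * vulnerability_score(ev)


def prioritize(events):
    """Front-line view: (score, event) pairs ordered from highest to lowest risk."""
    return sorted(((risk(ev), ev) for ev in events), key=lambda p: p[0], reverse=True)


def aggregate_by_unit(events):
    """Leadership view: the same scores rolled up per business unit."""
    totals = defaultdict(float)
    for ev in events:
        totals[ASSETS[ev.asset]["unit"]] += risk(ev)
    return dict(totals)


# Constructed telemetry: the article's three scenarios (e1, e2, e3) plus two more.
EVENTS = [
    Event("e1", "mallory", "clearance-db", "send", "203.0.113.7", baseline_user=False),
    Event("e2", "mallory", "press-site", "send", "203.0.113.7", baseline_user=False),
    Event("e3", "alice", "clearance-db", "send", "partner.example.net"),
    Event("e4", "bob", "payroll", "login"),
    Event("e5", "carol", "payroll", "send", "unknown-host.example"),
]

if __name__ == "__main__":
    for score, ev in prioritize(EVENTS):
        print(f"{score:7.2f}  {ev.event_id}  {ev.user:8}{ev.asset:14}{ev.action}")
    print(aggregate_by_unit(EVENTS))
```

Run as a script, the block ranks the exfiltration of classified data to a known-bad destination first, the same transfer of public press releases last (zero confidentiality impact, so zero risk no matter how hostile the destination), and the manager-approved transfer to an approved partner well down the list. The per-unit totals are the same numbers summed, which is what lets a CISO hand one ranked queue to responders and one rolled-up figure to the board without the two disagreeing.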
As Frederick the Great once said, “He who defends everything, defends nothing.”
That message should ring loud and clear across the public and private sectors. Organizations cannot protect everything in their environment with the same level of defense across the board.
All assets should not be treated equally.
CDM programs enable organizations to protect the assets that carry the greatest mission impact first and foremost. CDM brings a targeted approach to cyber risk management so that organizations’ resources are dedicated to the risks that matter most.
Touhill couldn’t be more right with his recommendation. Now it’s time for organizations across all sectors to follow it.
Steven Grossman is VP of Strategy and Enablement at Bay Dynamics, a cross-functional software executive with more than 20 years of management consulting, software and industry experience working in environments from startups to the Big 4, serving clients in the financial services, media, health care and data processing industries. With an ability to plug into new technologies and their business impact, he has significant subject matter expertise in cybersecurity and risk management, business intelligence/big data analytics, data privacy/security, program management office implementation, corporate legal operations, cloud architecture and business continuity planning.