The Cyber Risk Journey, Part One: Where Do We Go From Here?
Cyber risk can be a big blind spot for organizations. Fortunately, Boards and senior leaders are more engaged than ever before and are working to develop a better understanding of how cyber risk is managed within their organizations. More dialogue with executive management around cyber risk, and around how proactive and reactive measures change an organization’s risk profile, is a welcome trend.
Cyber security teams, often in the background, take on the overwhelming task of supporting day-to-day operations while staying prepared for attackers already in their environment. Balancing the criticality of in-flight projects and operational responsibilities against response preparedness is a difficult trade-off. We often find teams tangled in activities focused solely on raising their maturity score, a number that does not necessarily say where the weak spots truly reside. A 3 or 3.5 maturity score in a policy and governance domain looks great in a Board report, but what does it really tell those who are trying to steer the overall direction of the organization?
To start, it is important to understand that cyber risk is not unlike other business risk. It is an aggregation of the threats and vulnerabilities present across an organization, any of which, if exploited, could lead to financial loss, reputational damage and regulatory exposure. Risk and threat are not the same thing and the terms should not be used interchangeably. At Mandiant, we often find ourselves repositioning conversations with clients to separate the two and address them as distinct but related elements of a bigger discussion.
When looking specifically at threats and vulnerabilities, the focus should be on which technologies or processes the organization has created or consumed that are potentially vulnerable, and that therefore create ‘opportunities’ for abuse. Threats can then be overlaid as the vectors or methods by which those vulnerabilities or opportunities could be exploited.
When it comes to communicating impact, we suggest simplicity: it is the surest way to gain both the ear and the appreciation of a Board for how cyber risk is being managed. Simplicity minimizes complexity and focuses upward reporting on the impacts that matter. A common issue we find is that organizations become paralyzed over how to reduce cyber risk, which controls they are relying on, how the effectiveness of those controls is actually validated over time, and how to maximize the return on investment (ROI) of security spending.
This paralysis is frequently brought on by the lack of clear agreement across the organization on what constitutes the “Crown Jewels,” that is, what matters most to the business. Without alignment across all teams, we tend to see more questions about security investments and critical questions about organizational risk going unanswered. Ultimately, security teams need to consider and fully understand ROI; those that do not tend to be unable to defend their investment decisions to more business-focused executives.
How to Map Your Cyber Risk Journey
Cyber risk is a broad and deep subject, and there is no single process, technology or solution that will drive it down. Maturity-based programs are a key contributor to a security program’s overall direction, but they should not be its only driver. A properly designed program is instead a coordinated set of capabilities: it requires defining the organization’s direction and risk tolerances, aligning the program to them, and connecting the program to the evolving threat landscape. Here are some key takeaways to remember when developing your program:
- Understand What Matters Most: Take time to develop an understanding of the critical business assets that carry the highest potential for adverse impact to your organization, and that would threaten its ability to remain a going concern if compromised.
- Define and Align Cyber Risk Tolerances Across the Organization: Develop a top-down view of the organization’s cyber risk, clarify executive reporting requirements, and establish and target an organizational risk tolerance.
- Identify and Model Security Architectural Risks for Critical Systems: Decompose mission-critical systems into their components and connections, identify the threats and vulnerabilities affecting each, rate the risk of each threat, and compare those ratings against the organization’s impact tolerances.
- Identify Cyber Risks in Key Partners and Portfolios: Identify the partners and organizations you rely on most heavily and perform due diligence to assess the integration and supply chain risks that would expose your organization or push its risk profile beyond acceptable levels.
- Identify Operational Vulnerabilities and Align to Organizational Risk Tolerances: Link vulnerabilities, and their degree of exploitability, to the potential for compromise of mission-critical systems, and validate those findings against the defined cyber risk tolerances.
- Validate Whether Your Security Capabilities Are Moving in the Right Direction: Map existing security program initiatives against best practices and examine any deviations from standard practice for your industry and region of operation.
Developing maturity around cyber risk does not happen overnight; rather, it is a continuous process that builds upon itself. At Mandiant, our approach—derived from numerous program transformations—helps organizations build a better approach to identifying, mapping and driving down risks in a meaningful and methodical way.
To successfully manage cyber risk, organizations need to rethink how they identify threats to the things that matter most, and to have that information feed into and inform the organization’s operational risk profile from a cyber vantage point. It is a simple thought, but it is missing from most programs we interact with. The goal of proper cyber risk management is to surface the threats and vulnerabilities the organization should care most about: those with the ability to cause significant impact and that represent true risk.