
Understand cyber security risk to mitigate it

Businesses need well-designed cyber security risk models to plot their strategy and security investments for today and the future.
By Tim Wood, Executive head, information systems and technology, Vox.
Johannesburg, 23 Nov 2022

As the world starts preparing for the festive season, many will have moved on from paying lip service to cyber security month in October. However, no one can afford to take their eyes off the ball because securing IT systems is a year-long endeavour.

This undertaking, as important as it is, can be a difficult ask for those tasked with presenting solutions to business leaders who demand clear and cogent answers as to why more budget is required.

A company’s cyber security strategy requires a well-designed risk evaluation framework, whether qualitative or quantitative. This model should be carefully chosen, as it is the blueprint against which a business will plan its response to cyber threats. There needs to be complete commitment within the business to the model that is chosen.

Let’s start at the top. That budget must be made available for cyber security is not in question. What is in question (and sometimes in dispute), though, is the level of protection required and the budget allocated.

When challenged on the need for yet more protection, a CISO, CIO or IT expert will inevitably be asked: “Surely, there can’t just be layer upon layer of protection added?”

They are not wrong: there must come a point where the budget is limited, but it is only possible to reach that point once the security strategy is layered with overlapping controls that provide defence in depth.

While the average business spends between 1% and 13% on IT security, managing the ever-increasing and evolving security threats with a finite budget can feel like juggling while on a tightrope.

Qualitative vs quantitative risk analysis

CIOs, CISOs and IT specialists often focus on qualitative risk analysis through security gap reviews based on security standards such as ISO 27001. These gaps constitute risks that can be categorised by "likelihood" and "impact", and mitigation steps can then be prioritised accordingly.

Security specialist companies can assist with risk analyses, some even offering free risk surveys that identify the risks inherent in an organisation. The risk rating can be benchmarked and tracked as mitigation initiatives are implemented.

While this analysis is critical, in practice the challenge then lies in convincing business leaders and finance teams that the risks are significant enough to attract the appropriate budget. Beyond this, if multiple risks are ranked equally, which is entirely possible, how do you prioritise the order in which those risks are tackled?

This is where quantitative analysis comes into play. Finance will ask the CISO, CIO or IT specialist to reflect the security risks in monetary terms, and this is obviously a complicated endeavour.

A well-respected approach is the Factor Analysis of Information Risk (FAIR) framework, which models risk in four high-level stages:

  • Identify scenario components.
  • Evaluate loss event frequency.
  • Evaluate probable loss magnitude.
  • Derive and articulate the risks.
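The two analyses the article contrasts, as an added worked example that is not the article's own material nor tooling from the FAIR standard: three constructed risk scenarios are first scored on a likelihood-by-impact matrix, which leaves two of them tied, and then re-ranked with a FAIR-style estimate (loss event frequency multiplied by probable loss magnitude, each given as a min/most-likely/max range and sampled by Monte Carlo). All scenario names and figures are invented for illustration.

```python
# Added worked example (not from the article or the FAIR standard): rank
# constructed risk scenarios qualitatively, show the tie the article warns
# about, then resolve it with a FAIR-style quantitative estimate.
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: int                   # qualitative rating 1 (rare) .. 5 (almost certain)
    impact: int                       # qualitative rating 1 (negligible) .. 5 (severe)
    lef: tuple[float, float, float]   # loss event frequency per year: (min, most likely, max)
    plm: tuple[float, float, float]   # probable loss magnitude per event: (min, most likely, max)


# Constructed scenarios and figures, for illustration only.
SCENARIOS = [
    Scenario("Ransomware via phishing", 4, 5,
             (0.1, 0.3, 1.0), (200_000, 800_000, 3_000_000)),
    Scenario("Misconfigured cloud storage exposes customer data", 4, 5,
             (0.2, 0.5, 1.5), (50_000, 250_000, 1_200_000)),
    Scenario("Lost unencrypted laptop", 5, 2,
             (1.0, 3.0, 6.0), (5_000, 20_000, 80_000)),
]


def qualitative_score(s: Scenario) -> int:
    """Cell value of a 5x5 likelihood-by-impact risk matrix."""
    return s.likelihood * s.impact


def qualitative_ranking(scenarios):
    """Rank by matrix score; equal scores cannot be separated at this level."""
    return sorted(((s.name, qualitative_score(s)) for s in scenarios),
                  key=lambda t: t[1], reverse=True)


def point_estimate(s: Scenario) -> float:
    """Annualised loss using only the most-likely values (ignores the tails)."""
    return s.lef[1] * s.plm[1]


def _draw(rng: random.Random, estimate):
    lo, mode, hi = estimate
    # random.triangular takes its arguments as (low, high, mode)
    return rng.triangular(lo, hi, mode)


def simulate_annual_loss(s: Scenario, iterations: int = 20_000, seed: int = 1):
    """Monte Carlo: annual loss = independent frequency draw x magnitude draw.
    Simplification: frequency is treated as a continuous rate rather than a
    Poisson event count, which is enough to show how the tails shift the answer."""
    rng = random.Random(seed)
    losses = sorted(_draw(rng, s.lef) * _draw(rng, s.plm) for _ in range(iterations))

    def percentile(p: float) -> float:
        return losses[int(p * (len(losses) - 1))]

    return {"mean": statistics.fmean(losses),
            "median": percentile(0.5),
            "p90": percentile(0.9)}


def quantitative_ranking(scenarios, iterations: int = 20_000, seed: int = 1):
    """Rank by simulated expected annual loss, which breaks qualitative ties."""
    return sorted(((s.name, simulate_annual_loss(s, iterations, seed)["mean"])
                   for s in scenarios), key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    print("Qualitative (likelihood x impact):")
    for name, score in qualitative_ranking(SCENARIOS):
        print(f"  {score:>3}  {name}")
    print("Quantitative (FAIR-style annualised loss):")
    for s in SCENARIOS:
        r = simulate_annual_loss(s)
        print(f"  {s.name}: most-likely {point_estimate(s):,.0f}; "
              f"mean {r['mean']:,.0f}; median {r['median']:,.0f}; p90 {r['p90']:,.0f}")
```

Two things the matrix alone does not show: the two scenarios that tie at 20 on the matrix separate clearly once expressed in money, and the mean of the simulated loss sits well above the most-likely point estimate because the ranges are right-skewed, which is the kind of figure a finance team can weigh against a control's cost.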

As mentioned, the risk analysis, whether it is qualitative or quantitative, or in some instances both, becomes the blueprint from which to plan the security strategy. But that is not enough.

It is equally important to educate business leaders on the key concepts and scope of the risks identified, as well as the measures that need to be taken to mitigate them. The key, then, is to plot the control categories in order to map security priorities.

Identifying, plotting and mapping

Protecting and reducing the organisation's attack surface

The attack surface is the extent to which a business is exposed to cyber threats. Every hardware device and employee in a business is part of the attack surface and constitutes a risk to the business. The bigger the business, the bigger the risk.

Understanding relevant attack vectors and implementing appropriate controls

An attack vector is a method of attack that exploits a specific vulnerability in the attack surface. There are countless attack vectors and new vulnerabilities are being exposed all the time. Business leaders need to understand that this is an ongoing battle that needs constant attention, and often the insights of specialist security experts.

Identifying threat actors

A threat actor is a person or group that conducts actions designed to cause harm within a system's environment.

Identify control considerations for which budget needs to be made available

Controls need to be implemented to mitigate the highest-priority threats. Specifically, the following needs to be considered:

  • Preventing the compromise (firewall policies, OS patching, IT policies, user awareness training, mail filtering software, etc).
  • Preventing malware installation (anti-malware/anti-virus software, restrictions on local user admin rights).
  • Preventing lateral movement across the network/inside the organisation (secure transport layer, zero trust networks, network segregation, behavioural analysis software).
  • Detection and response mechanisms (incident response policies, security information and event management (SIEM), security orchestration, automation and response (SOAR)).
  • Preventing the exploit (specific strategies targeting the prevention of data exposure, fraudulent activity, ransomware, etc).
  • Ability to recover from an attack (offsite backups, disaster recovery and continuity planning).

Mapping out the security posture across these control categories, and weighting them, provides useful insight into where priorities need to lie.

When read against tight budgets and a C-suite or finance team that wants something that more clearly demonstrates ROI, this exercise is vital.

Business leaders should also understand that their IT leadership and team will not be experts in every area of security and should encourage security vendor consultation and support initiatives.
