In our first article on risk-based IT security, we briefly discussed why this security strategy is very effective in the current cyber threat landscape.
Now we outline a 5-step process to develop this security strategy, so your enterprise can:
- Identify, prioritize and contextualize IT risks
- Strengthen security controls
- Build a resilient IT infrastructure
Step 1: Identify IT Assets
Before identifying the risks to your IT infrastructure, and which security controls to implement, first consider issues like:
a) What are the business-critical assets you must protect?
- Customer data (e.g. PII)
- Financial data
- Intellectual property
- Systems, networks, devices, software
- Business plans, blueprints and other sensitive information
b) Where are they?
c) Who has access to them?
Evaluating assets at the outset will help set the right priorities in your risk-based security strategy. Here, “value” is not just material but also indicative of the possible costs of asset compromise or theft:
d) How could it affect your organization’s compliance posture?
e) Could it impact your reputation? Cause costly downtime? Lead to lost customers?
f) What is the potential for lost revenue?
Step 2: Identify Threats
Perform a threat assessment to identify the possible threat actors who may try to steal or compromise these assets like competitors, disgruntled current or ex-employees or vendors, terrorists, rogue nations, hacktivists, etc.
Some threat actors may not be hostile or malicious. These include untrained – or careless –employees, partners or vendors who may be the target of phishing attacks, social engineering or malware. Vendors who have access to your organization’s data are also a risk since malicious actors can exploit them to launch supply chain attacks (think SolarWinds).
Also, consider other threats like natural disasters (floods, earthquakes, pandemics, etc.) or man-made events (riots, terror attacks, etc.) in your security strategy.
For each of these threats, assign a threat level based on the likelihood of it happening. For this, you can leverage threat modelling.
Step 3: Identify Vulnerabilities
A vulnerability is a weakness or gap in an asset that a threat can take advantage of.
To protect your assets from the threats identified earlier, it’s important to first identify your vulnerabilities like:
- Gaps in your network
- Insecure software code
- Physical vulnerabilities like insecure perimeters, missing backup generators, etc.
Penetration testing is a very effective security strategy to find vulnerabilities in your IT infrastructure. During a pen test, experts like Packetlabs simulate cyberattacks against an enterprise network to find exploitable vulnerabilities. The insights generated by a comprehensive pen test will help you patch detected vulnerabilities, fine-tune your security policies, and strengthen your security strategy.
Application security testing finds security gaps in software applications and measures the effectiveness of your current controls.
Step 4: Create Risk Profiles
Now you can start taking action to address your IT risks. Risk relates to the likelihood that a threat will exploit a vulnerability to make an impact.
Risk = Threat x Vulnerability x Cost
Start with risk profiling:
a) Prioritize the identified threats and vulnerabilities based on potential impact, likelihood, threat level, and persistence
b) Quantify each risk by assigning point values for each based on the above measures
c) Add the points to get a risk score
d) Prioritize the greatest risks
Step 5: Address Risks and Evaluate Them Consistently
Now you can start implementing measures to address risks in your security strategy, such as:
a) Vulnerability management program to identify and patch vulnerabilities
b) Threat intelligence program to proactively identify and remediate threats
c) Training program to close knowledge gaps among high-risk users, e.g. employees who deal with sensitive information systems, or vendors with access to sensitive data
You should also define the incident response process in your security strategy:
d) How will you respond to a security event (e.g. a data breach)?
e) Who will be involved?
f) How will you keep stakeholders informed?
Also, develop a security improvement roadmap in your security strategy that specifies aspects like:
g) Security team resources and responsibilities
h) Security strategy with policies and protocols, and if they are aligned with industry standards
i) Protection for sensitive data
j) Technical controls for data encryption, network segregation, and application security
k) Security integrated into enterprise-wide governance
Finally, remember that not all risks need to be treated or terminated. Some can be tolerated with minimal business impact, while others can be transferred by purchasing cyber insurance.
To sum up, risk-based security analysis and decision-making will empower your organization to develop realistic cybersecurity goals, utilize resources more effectively, and strengthen its defence posture. Unlike the maturity-based approach, this security strategy is more targeted, and therefore more likely to yield better results.