Compliance with cybersecurity standards, such as ISO/IEC 27001, PCI DSS, CCPA and GDPR, doesn't necessarily make an enterprise's security controls effective and economical. Simply following long checklists and implementing basic controls to meet a standard's requirements don't automatically create a coherent strategy that builds a resilient operating environment that can handle current and future threats.
This is why organizations need to use risk-based security.
What is risk-based security?
A risk-based security strategy identifies the true cyber-risks to an organization's most valuable assets and prioritizes spending to mitigate those risks to an acceptable level. A security approach shaped by risk-based decisions enables an organization to develop more practical and realistic security goals and spend its resources in a more effective way. Risk-based security helps organizations prevent cyber attacks and data breaches. It also delivers compliance, not as an end in itself, but as natural consequence of a strong and optimized security posture.
Although a risk-based security program requires careful planning and ongoing monitoring and assessment, it doesn't have to be an overly complex process. There are five key steps to implementing risk-based security, and though time-consuming, they align security with the goals of the organization.
Step 1. Asset valuation
Determine what the organization's key information assets are, where they are and who owns them. Look beyond material terms to determine their value. Include any business impact and costs associated with the confidentiality, integrity or availability of a compromised asset in an evaluation, such as lost revenue from an order-entry system going down or the reputational damage caused by a hacked website.
Evaluating assets this way ensures those most important to the day-to-day continuity of the organization get the highest priority when it comes to security.
Step 2. Identify threats
Identify who might want to steal or damage the assets identified in step one, as well as why and how they might do it. This could include competitors, hostile nations, disgruntled employees or clients, terrorists and activists, as well as nonhostile threats, such as untrained employees. Also, consider the threat of natural disasters, such as floods and fires.
Assign each identified threat a threat level based on the likelihood of it occurring. The likelihood of a particular scenario occurring requires input from business managers to provide sector-specific knowledge to add to the security team's own threat intelligence assessments.
Step 3. Identify vulnerabilities
A vulnerability is a weakness that a threat can exploit to breach security and steal or damage key assets. During this step, penetration testing and automated vulnerability scanning tools can help identify software and network vulnerabilities.
Take physical vulnerabilities into account. Are perimeters secure and patrolled? Are fire extinguishers regularly checked? Are backup generator systems tested?
Also, consider vulnerabilities associated with employees, contractors and suppliers, including their susceptibility to social engineering attacks.
Step 4. Risk profiling
After identifying the organization's assets, threats and vulnerabilities, begin risk profiling. Think of risk as the likelihood that a threat exploits a vulnerability, resulting in a business impact. The process of risk profiling evaluates existing controls and safeguards and measures risk for each asset-threat-vulnerability combination and then assigns it a risk score. Base scores on the threat level and the impact on the organization should the risk occur.
This risk-based approach enables an organization to correctly prioritize the vulnerabilities it has identified and focus its efforts on the risks that are the most significant to its operations.
Read more on network security risk ratings.
Step 5. Risk treatment and remediation
Risks range from those low enough that an organization can accept them without adverse impact to those so severe they must be avoided at all costs.
After assessing each risk, decide how to treat, transfer, tolerate or terminate it. Document each decision along with the reasons that led to the decision. Repeat the process for each threat scenario so resources are appropriately applied to risks likely to have the most significant effect on the business. Once implemented, carry out tests to simulate key threats to ensure the new security controls indeed mitigate the most dangerous risks.
More on risk-based security
Get tips on creating a better vulnerability management program.
Getting board-level support when creating a risk-based security strategy is paramount. Input from numerous stakeholders throughout the organization is essential, as risk mitigation decisions can have a serious effect on operations, which security teams might not fully appreciate if they make these decisions in isolation.
While undertaking a risk-based security assessment seems like a daunting task, plenty of online tools exist to help with evaluating assets, threat levels and risk scores. Factor Analysis of Information Risk and NIST's Risk Management Framework are two examples of frameworks that quantify operational risk. They help ensure an enterprise understands the true risks to the key assets behind its day-to-day operations and how best to mitigate them.
Achieving total security in an organization is impossible, but by deploying resources and expertise in an intelligent and cost-effective manner, IT professionals can make the most out of their hard-won budgets.