Compliance with security standards such as ISO/IEC 27001, PCI DSS, CCPA and GDPR doesn't necessarily make an enterprise's security controls effective and economical. Simply following long checklists and implementing basic controls to meet a standard's requirements won't automatically create a coherent strategy that builds a resilient operating environment that can handle current and future threats.
A risk-based security approach, on the other hand, identifies the true risks to an organization's most valuable assets and prioritizes spending to mitigate those risks to an acceptable level. A security strategy shaped by risk-based decisions enables an organization to develop more practical and realistic security goals and spend its resources in a more effective way. It also delivers compliance, not as an end in itself, but as a natural consequence of a strong and optimized security posture.
Although a risk-based security strategy requires careful planning and ongoing monitoring and assessment, it doesn't have to be an overly complex process. There are five key steps to implementing risk-based security and, though time-consuming, they will align security with the goals of the organization.
Step 1: Asset valuation
Determine what the organization's key information assets are, where they are and who owns them. Look beyond material terms to determine their value. Include any business impact and costs associated with the confidentiality, integrity or availability of a compromised asset in an evaluation, such as lost revenue from an order-entry system going down or the reputational damage caused by a website being hacked.
Evaluating assets this way ensures those that are most important to the day-to-day continuity of the organization are given the highest priority when it comes to security.
Step 2: Identify threats
Next, identify who may want to steal or damage the assets identified in step one, as well as why and how they may do it. This could include competitors, hostile nations, disgruntled employees or clients, terrorists and activists, as well as non-hostile threats, such as an untrained employee. Also consider the threat of natural disasters such as floods and fire.
Each identified threat needs to be assigned a threat level based on the likelihood of it occurring. The likelihood of a particular scenario occurring will require input from business managers to provide sector-specific knowledge to add to the security team's own threat intelligence assessments.
Step 3: Identify vulnerabilities
A vulnerability is a weakness that a threat can exploit to breach security and steal or damage key assets. During this step, penetration testing and automated vulnerability scanning tools can help identify software and network vulnerabilities.
Note that physical vulnerabilities also need to be taken into account. Are perimeters secure and patrolled? Are fire extinguishers regularly checked? Are backup generator systems tested?
Vulnerabilities associated with employees, contractors and suppliers also need to be considered -- such as these groups being susceptible to social engineering attacks.
Step 4: Risk profiling
Once an organization's assets, threats and vulnerabilities have been identified, the risk profiling can begin. Risk can be thought of as the likelihood that a threat will exploit a vulnerability, resulting in a business impact. The process of risk profiling evaluates existing controls and safeguards and measures risk for each asset-threat-vulnerability combination and then assigns it a risk score. These scores are based on the threat level and the impact on the organization should the risk actually occur.
This risk-based approach enables an organization to correctly prioritize the vulnerabilities it has identified and focus its efforts on the risks that are the most significant to its operations.
Step 5: Risk treatment
Risks range from those that are low enough that an organization can accept them without adverse impact to those so severe they must be avoided at all costs. Once each risk has been assessed, a decision must be made to treat, transfer, tolerate or terminate it. Each decision should be documented along with the reasons that led to the decision. Repeat the process for each threat scenario so resources can be applied to the risks that will likely have the most significant effect on the business. Once these decisions are implemented, carry out tests to simulate key threats to ensure the new security controls indeed mitigate the most dangerous risks.
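The five steps above, worked through as a minimal risk register. This is an added example, not code from the article or from any of the frameworks it names: the assets, threats, vulnerabilities, ratings and treatment thresholds are all constructed for illustration, and the score is the article's threat level multiplied by business impact.

```python
"""Added example: a small risk register following the article's five steps.
Every value below is constructed; the 1..5 scales and the treatment thresholds
are assumptions an organization would set for itself."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    asset: str          # Step 1: key information asset
    threat: str         # Step 2: who or what might harm it
    vulnerability: str  # Step 3: weakness the threat could exploit
    likelihood: int     # Step 2: threat level, 1 (rare) .. 5 (almost certain)
    impact: int         # Step 1: business impact if compromised, 1 (minor) .. 5 (severe)

    def score(self) -> int:
        """Step 4: risk score for this asset-threat-vulnerability combination."""
        return self.likelihood * self.impact


def decide(entry: RiskEntry, transferable: bool = False) -> dict:
    """Step 5: choose treat, transfer, tolerate or terminate, and record why."""
    s = entry.score()
    if s >= 20:
        option, why = "terminate", "severe risk: stop or redesign the activity"
    elif s >= 12 and transferable:
        option, why = "transfer", "high risk with an available transfer option (e.g. insurance)"
    elif s >= 6:
        option, why = "treat", "reduce likelihood or impact with controls"
    else:
        option, why = "tolerate", "within acceptable risk appetite"
    # Decisions are documented together with the reasoning, as the article requires.
    return {"score": s, "treatment": option, "rationale": why, "entry": entry}


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Order the register so the most significant risks are handled first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


# Constructed sample register (assets and ratings are illustrative only)
REGISTER = [
    RiskEntry("order-entry system", "ransomware operator", "unpatched VPN appliance", 4, 5),
    RiskEntry("public website", "hacktivist", "outdated CMS plugin", 3, 3),
    RiskEntry("HR records", "untrained employee", "phishing susceptibility", 4, 4),
    RiskEntry("backup generator", "flood", "untested failover", 1, 4),
    RiskEntry("marketing brochures", "competitor", "open file share", 2, 1),
]

if __name__ == "__main__":
    for entry in prioritize(REGISTER):
        d = decide(entry)
        print(f"{d['score']:>2} {d['treatment']:<9} {entry.asset} / {entry.threat}: {d['rationale']}")
```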
Note that board-level support when creating a risk-based security strategy is paramount. Input from numerous stakeholders throughout the organization is essential, as risk mitigation decisions can have a serious effect on operations, which security teams may not fully appreciate if they make these decisions in isolation.
While undertaking a risk-based security assessment seems like a daunting task, plenty of online tools exist to help with evaluating assets, threat levels and risk scores. Factor Analysis of Information Risk and NIST's Risk Management Framework are two examples of frameworks that can be used to quantify operational risk. They help ensure an enterprise understands the true risks to the key assets behind its day-to-day operations and how best to mitigate them.
Achieving total security in an organization is impossible, but by deploying resources and expertise in an intelligent and cost-effective manner, IT professionals can make the most out of their hard-won budgets.