Cybersecurity: Taking a Risk-Based ApproachCISO Sumeet Khokhani on Articulating Cyber Risk for Your Organization
Today, cyberattacks are increasing, with advanced attack techniques and an ever-changing threat landscape, and it is important for organizations to increase their pace in addressing these security risks.
See Also: Stopping BEC and EAC
Security should not be treated as a tick mark activity for compliance purposes.
In addition to investing in building security controls for timely detection, security leaders need to respond to security threats that pose bigger risks to the organization in a timely way. They need to determine what to prioritize.
Security should not be treated as a tick mark activity for compliance purposes. It should not be blindly benchmarked against maturity models or with any known standards.
Security requires understanding of the nature of the business and its associated processes. A risk-based and practical approach helps organization to prioritize and focus on what matters the most to protect their business operations.
The Limits of Benchmarking
There is no silver bullet to address security risk for any organization or, in other words, no "one size fits all."
Many organizations have started benchmarking their security practices with various industry standards and are taking a focused approach to applicable regulatory and legislation requirements, which vary depending on the industry sector.
While people, process and technology will have to continue working in tandem to improve overall security posture and protect the organization irrespective of their presence across geography, security leaders need to continue to transform the security road map from reactive to proactive and take a risk-based approach to sustain current business and the growth ahead.
The core business of each organization is different in regard to its primary business operation requirements and associated business processes. Instead of blindly adopting or benchmarking a standard for mapping and comparing with its maturity practices, ideally a detailed review needs to be performed for identified critical business process.
Articulating Cybersecurity Risk
This review will identify gaps from a security risk perspective, especially for the processes targeting the organization’s revenue-generation cycle.
After the review, the security leaders should try to understand what may potentially go wrong from a security risk perspective that could harm the business operations or result in potential financial loss or brand reputation damage in the case of a cyberattack.
After assessing the critical business processes and identifying the severity of the associated security risks, the security leaders should implement feasible controls effectively to reduce the potential cybersecurity risk.
Any risk or exposure that remains after the controls have been applied should be treated as residual risk. Security leaders can make informed decisions about performing continuous monitoring, which will help reduce risk elevation.
Don't Forget Quantification
During the entire cyber risk management cycle, quantification plays an important role. There are largely two types of cyber risk quantification: technical terms and financial terms.
Technical quantification of cyber risk only is not enough; it needs to be articulated in financial terms to help top management make informed decisions about how much to invest in security controls to safeguard and support the business and its growth.
Organizations may use a risk-based vulnerability management program to identify quantified cyber risk scores for technical articulation and leverage models such as Factor Analysis of Information Risk, or FAIR, to translate the potential impact of identified cyber risk into financial terms to make better, more cost-effective decisions for strengthening cybersecurity posture.
CyberEdBoard is ISMG’s premier members-only community of seniormost executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.
Sumeet Khokhani is a business-aligned CISO with over 18 years of professional experience in pharmaceuticals, government, financial institutions and e-commerce industries. With proficiency in security governance and leadership, security strategy, security risk management, security operations, and audit and compliance practices, he drives Intas' global cybersecurity road map and strategy, including internal and external cyber risk exposure management, security awareness campaigns, risk-based vulnerability management, IT/OT convergence, third-party risk management, skill development and security practices aligned with industry benchmarks ISO 27001, CIS controls, NIST CSF & CMMC standards and frameworks.