Some organizations feel that relying on last year’s approaches to cybersecurity risk assessment would provide insufficient preparation for this year’s advanced cyberattacks. I respectfully disagree.
Cyber risk assessment is something that many organizations still do not do at all: doing an assessment on at least an annual basis can prepare you for what is to come. Good assessments are based on your organization's assets, they're not based on everything that can happen to the company -- just what can happen to your assets. If you take those steps, you will be better protected.
A formal risk assessment must take into account that some of these threats are stealthier and more difficult to discover and mitigate than others. It must include a questionnaire outlining controls that can detect malicious activity that hides and disguises itself as ordinary behavior.
Improving risk assessments
In order to improve cybersecurity risk assessments to uncover and include all these new risks, companies need to actually measure the controls that exist inside their organization. You would then need to measure what you have against what you need.
Do you have a tool that can analyze the traffic and distinguish between normal user behavior and abnormal malicious activity? You need to measure the quality and quantity of your controls against the possible effects, and make sure you have the proper controls to handle today’s threats, which are much more sophisticated than the signature-based versions of previous years.
There are three key challenges to measuring these risks. The first is understanding the risk - knowing the assets, their location, quantity, etc. The second is understanding the assets and measuring their susceptibility to threats. The third is measuring the proper counter-measures to protect them.
“Risk” is a word that basically means: "I have a specific asset. That asset can be compromised. If it's compromised, it's going to cost me a certain amount of money”. The risk is the likelihood of compromise multiplied by the worth of the asset. When an organization finds it hard to put a price on the asset, it sometimes just assigns it a number (e.g. 1-5) based on its importance.
The point is that nobody will give you a budget for protecting the entire organization – only for protecting the crown jewels. In order to reduce the residual risk as much as possible, it’s crucial to identify the mitigations that will be most effective against today’s stealthy, unknown threats.
Meeting the challenges
How do we meet those challenges? To identify the assets and the crown jewels, there is only one solution – mapping them and placing a price tag on them.
When you have all your assets prioritized by value and inherent risk, the next step is to measure the strength of your controls against the threats that each asset faces. So, for example, placing a proxy and hoping it will recognize all malware is not sufficient.
The next challenge is to select the mitigation that will provide the assets with measurable protection against the sophisticated, stealthy threats.
Last but not least, you have to budget the measures you want to place. However, if the previous challenges have been handled properly, it shouldn’t be difficult to convince management to approve a budget for the specific residual risk you have measured.
The ever-changing risk appetite
To ensure that new approaches to cybersecurity risk assessments result in mitigations that are in balance with our risk appetite, an organization must first measure its risk appetite, updating it from time to time based on the threats that it faces.
The level of risk that an organization is prepared to accept before action is deemed necessary to reduce the risk is no longer a constant. With today’s constantly changing threat landscape, organizations must keep an eye on the risk and be cognizant of the fact that a once-calculated appetite may quickly become untenable, requiring swift action to mitigate it.
Today’s organizations must understand that the threat landscape is not as clear as before. Malicious players may already be inside the organization, rendering the traditional “risk appetite” formula obsolete. If the potential risk has already occurred, it requires a new set of tools to discover and mitigate, and only then can the risk appetite return to its previous level.