The first half of 2021 has seen a noticeable increase in cyber breaches of some very notable brands. What seems to surprise most people is that large companies, which we would expect to have robust cyber security strategies in place, are falling victim to simple cyber-attacks. This raises the question of what is missing and what needs to change to stop this tide of cyber breaches.

Unfortunately, looking at the industry for the past two decades, there seems to be a common theme amongst most organisations – poor and/or non-strategic investment in cyber security. A direct result of this is a defensively weak environment that is easy prey for our adversaries.

Having discussed the problem at a high level, let’s focus our attention on what needs to be done to bolster our defences and take the fight back to our adversaries.


AGREE ON YOUR RISK TOLERANCE

The starting point of any cyber security strategy has to be an agreement on your risk tolerance.

Cyber security is simply a risk management process specific to your cyber assets.

This is no different in concept from how you would protect your financial assets, and it must follow the same processes and discipline, from determining risk tolerance through to applying the relevant controls.

Risk tolerance levels are generally described in the following three broad categories:

High

An organisation that has a high degree of risk tolerance and would subsequently apply a minimum control set.

Medium

An organisation that has a medium degree of risk tolerance and would subsequently apply a moderate control set, ensuring a strategic approach to cyber protection and the implementation of a robust cyber security architecture.

Low

An organisation that has a low degree of risk tolerance and would subsequently apply a stringent set of controls, focusing not only on a cyber-protective environment but on a cyber-resilient environment with robust threat hunting, breach detection and response processes in place.

Please note that the above control sets are cumulative. That is, organisations with medium risk tolerance will apply the control set for low as well as medium risk tolerance. Other things to note are:

  • You will have to reassess control sets annually against your threat landscape and apply additional controls as the threat landscape changes.
  • The controls apply to ALL information assets, covering IT, OT, IoT and physical.


STARTING THE JOURNEY AND TIMELINES


Month 1

The process starts with a discussion, led by the security head, Chief Security Officer (CSO) or equivalent, with the Board and Executives, to agree on a risk tolerance level.

Month 2

Following the agreement and documentation above, the CSO should identify information assets and, in conjunction with the asset owners, classify them. This is essential, as the control sets will be applied to the identified assets.

Months 3-5

Once the above step is complete, the current controls need to be audited against the control sets for each risk category. Any control gaps will then need to be addressed.

It is critical at this stage for the CSO to work with the Chief Risk Officer (CRO) or equivalent to ensure the control gaps are documented within the enterprise risk framework and addressed as part of the organisation’s risk management processes.

A partnership between the CRO and CSO is critical to ensure that cyber risk is adequately managed within the risk tolerance levels determined by the organisation.

Months 5-18

Once control gaps have been determined against risk tolerance levels, address these gaps by implementing the controls discussed above. What gets implemented will be driven by the criticality of the information asset and the agreed risk tolerance level.


Annually thereafter

Once the controls are in line with the organisational risk tolerance levels, the environment needs to be assessed semi-annually or annually to identify new threats, assess the control sets against these threats and implement any new controls determined necessary; this is threat modelling. It is also important to reassess the organisational risk tolerance at this stage and to realign the implemented controls to the new tolerance level.

Cyber security can take a compliance, cyber-protective or cyber-resilient stance. What determines the approach for an organisation is its risk tolerance level and the adequate alignment of its cyber strategy to that level. Without a methodical approach such as the one outlined above, cyber risk management will remain a hit-and-miss exercise, giving our adversaries the upper hand.

