Developing and prioritizing investment needs is not an easy task for most CISOs. Most of them face strong budget constraints and need to justify every penny they request in detail. Some only get significant spending approved after their organization has experienced a significant breach. This article aims to provide a non-exhaustive list of pragmatic approaches that can help to identify and prioritize the investments needed to continuously improve an organization's cybersecurity posture.
I start with the risk-based approach, which, when implemented properly, I think is a must-have in any security-savvy organization. I continue with three other approaches that offer supplementary ideas; these are often more readily available and can be used in the shorter term.
Risk-based approach
Risk is a function of the likelihood that a threat actor exploits a vulnerability in an asset and the impact the organization will face should that risk materialize.
This is a very well-known and widely described methodology. There are some variations in how risk assessment and management are done, but at a high level it deals with identifying the cybersecurity risks in an organization and estimating, for each of them, the annual rate of occurrence (ARO) together with the loss from a single occurrence (the single loss expectancy, SLE, expressed as a fraction of the asset's value). Multiplying the two gives the annualized loss expectancy (ALE). The risk with the highest ALE is the one with the highest priority to be addressed. Once the risks are identified and scored, all the CISO needs to do is to identify the most effective security controls that mitigate them while having an annualized cost significantly lower than the annualized loss they avert.
Now that's the theory in a nutshell. It sounds easy, but in practice it is not. Good quantitative risk assessment is a difficult task that requires ongoing operational effort to continuously monitor:
- Assets in the organization and their value
- Vulnerabilities affecting those assets
- Threat actors having the opportunity and intent to attack the organization
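To make the arithmetic concrete, the following is an added example (not code from the article) that scores a set of risks by ALE and then checks, for each candidate control, whether the loss it averts justifies its annualized cost. All asset values, exposure factors, occurrence rates, control costs and the minimum benefit-to-cost ratio are constructed figures chosen purely for illustration; the assumption that a control reduces either the occurrence rate or the exposure factor is a simplification of how real controls behave.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: value of the affected asset (constructed figure)
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    aro: float              # ARO: expected occurrences per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str          # name of the Risk this control addresses
    annual_cost: float      # annualized cost (licences, staff, maintenance)
    aro_reduction: float = 0.0  # fraction by which it lowers ARO (assumed model)
    ef_reduction: float = 0.0   # fraction by which it lowers EF (assumed model)


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    sle = risk.asset_value * risk.exposure_factor * (1.0 - control.ef_reduction)
    aro = risk.aro * (1.0 - control.aro_reduction)
    return sle * aro


def avoided_loss(risk: Risk, control: Control) -> float:
    return risk.ale - residual_ale(risk, control)


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual loss averted minus what the control costs per year."""
    return avoided_loss(risk, control) - control.annual_cost


def rank_risks(risks: list) -> list:
    """Highest ALE first: this is the order in which risks should be addressed."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def select_controls(risks: list, controls: list, min_benefit_ratio: float = 1.5) -> dict:
    """For each risk, pick the control with the best net benefit, but only if the
    loss it averts is at least min_benefit_ratio times its cost. A risk gets None
    when no control clears that bar (the risk may still need accepting or
    transferring, but spending on it is not justified by these numbers)."""
    chosen: dict = {}
    for risk in rank_risks(risks):
        candidates = [
            c for c in controls
            if c.mitigates == risk.name
            and avoided_loss(risk, c) >= min_benefit_ratio * c.annual_cost
        ]
        best: Optional[Control] = max(
            candidates, key=lambda c: net_benefit(risk, c), default=None
        )
        chosen[risk.name] = best.name if best else None
    return chosen


# Constructed sample register; none of these figures come from the article.
RISKS = [
    Risk("ransomware via phishing", asset_value=500_000, exposure_factor=0.4, aro=0.5),
    Risk("customer db breach via web app", asset_value=2_000_000, exposure_factor=0.25, aro=0.1),
    Risk("lost unencrypted laptop", asset_value=20_000, exposure_factor=1.0, aro=2.0),
]

CONTROLS = [
    Control("mail filtering and macro blocking", "ransomware via phishing", 30_000, aro_reduction=0.7),
    Control("premium anti-phishing platform", "ransomware via phishing", 120_000, aro_reduction=0.9),
    Control("WAF plus code review", "customer db breach via web app", 40_000, aro_reduction=0.6),
    Control("full-disk encryption", "lost unencrypted laptop", 5_000, ef_reduction=0.9),
]


if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.name:35s} SLE={r.sle:>10,.0f} ALE={r.ale:>10,.0f}")
    for risk_name, control_name in select_controls(RISKS, CONTROLS).items():
        print(f"{risk_name:35s} -> {control_name}")
```

With these numbers the cheaper phishing control wins on net benefit even though the premium platform prevents more incidents, and the web application control is rejected because its cost exceeds the loss it would avert; that second outcome is exactly the kind of result that should trigger a review of the inputs rather than an automatic decision to do nothing.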
As I stated in the intro to this article, I find risk management to be the best strategic approach to continuous improvement of an organization's cybersecurity posture. I think it should be the strategy of any CISO to implement a complete and continuous risk management process. However, having had the opportunity to work on improving numerous areas of information security for many organizations, I've learned that it is still not common, to say the least.
I see the approaches below as complementary ones that can be more readily available and that support the decision-making process, helping to avoid guess-based or rushed investments.
Compliance-based approach
There are many different security standards, regulations and best practices that provide a ready-to-use set of controls that can serve as a checklist for identifying missing measures. As an example, even if you're not processing card payment information you may find the PCI DSS requirements useful for defining your own improvement plan. Just avoid the trap of deploying things solely in order to tick a checkbox. There are not many things in cybersecurity that you can do once and then forget. Remember, it's always a continuous process.
There are plenty of free resources; NIST is worth mentioning in particular, since its Special Publications (the SP 800 series) contain almost everything needed to build a strong and complete cybersecurity strategy, policies, processes and procedures.
“Experience”-based approach
Each SOC, incident response team or any other form of security team that analyzes events and incidents gathers valuable insights about the specifics of the protected organization's security posture. It's important that for each security incident, even a minor one, this team prepares and communicates the following conclusions from its analysis:
- A list of lessons learned and recommendations for what needs to be done to avoid a similar incident in the future
- The identified infection/intrusion vector or root cause of the incident
- What allowed the incident to be detected
The above outputs, especially when the same items repeat across different cases, give a direct hint about where the shortcomings are and what should be addressed as a priority. For example, if during the last several months the most common infection vector was malicious Office documents, then it's a clear indication that mail filtering and removing active content from externally originated emails with attachments are the areas to improve first. If, on the other hand, the security team in a large organization sits idle and doesn't provide the CISO with such inputs, then it most likely means there is something seriously wrong with detection and response. So again, an area for improvement has been identified.
Prevent – Detect – Respond approach
This approach is about mapping security controls to these three areas. It may be a bit simplified, but at a high level, to handle intrusions there should be security controls deployed that cover requirements in these three categories:
- Prevent intrusion attempts
- Detect what was not prevented
- Respond to what was detected
The idea is to create a table with these three as columns and coverage areas (for example network and endpoint) as rows. In many cases solutions will overlap, and it's desirable to have multiple ways to cover the same area (defense in depth). The goal here is to avoid blind spots, and if any are identified, the next investment should most likely address them.
The example below shows a gap in Respond capabilities while keeping a good balance between network and endpoint coverage.
I guess most of the organizations out there are using elements of all of the above approaches. And though they are different, they do have an important element in common. This element is people. You must have staff or a service provider with the needed expertise whom you can trust. If you do things just once for the sake of ticking some checkbox and then leave them be, you're going to end up giving your board a false sense of safety, not to mention wasting the money. It's just that cybersecurity isn't exactly a deploy-and-forget kind of business.