The Ponemon Institute declared 2014 the “year of the mega breach,” defined as at least 10 million stolen records.
In 2015, SC Magazine asked if we should just “get used to” mega breaches.
In 2016, USA Today told the public that “mega breaches could literally kill” them.
Our current state of security crisis is not news to any CIO. But sometimes the best defensive strategies get lost in the hype of both the risks and the solutions. There is no shortage of “latest and greatest” security tools. Some of them will become foundational components of some companies. Some will quickly fade away.
"Directors should be asking themselves what they can, and should, be doing to effectively oversee cyber-risk management"
But in today’s frenzy to prevent the next mega breach, companies often overlook the foundation of a secure information environment—a comprehensive risk assessment. This step is the only way for each company to understand its own unique exposures to cyber threats and create appropriate defenses against them. The right risk assessment will uncover critical information in the creation of a secure defense strategy, including a company’s unique information assets, threat sources, threat actions, vulnerabilities, and current controls environment. With this information, companies can then make the right strategic investments in building their walls of defense.
C-Suite and Boards Join Security Conversation
What is new is that information risk management is not only on the radar screens of today’s CIOs, but also the entire C-suite and Boards of Directors. In the Sixth Board of Director’s Survey conducted by EisnerAmper, 72 percent of respondents on public company boards recognize cybersecurity as a key specific risk. About 22 percent ranked cybersecurity as the top concern for their boards, and 50 percent ranked it as one of the top concerns.
Directors should be asking themselves what they can, and should, be doing to effectively oversee cyber-risk management
While C-suite and board members have historically steered clear of cybersecurity issues, a perfect storm of events has elevated the challenge to the C-suite and boardrooms. Events include the increasing cost of data breaches ($217 average per lost or stolen record), C-suite job losses after breaches (such as CEO Gregg Steinhafeland CIO Beth Jacob at Target), and a significant hit to companies’ reputations and stock prices following data breaches.
What’s more, advice on managing cyber risk is emerging from numerous organizations, including the National Association of Corporate Directors and the New York Stock Exchange. U.S. Securities and Exchange Commission’s Luis Aguilar urged Corporate America to do more to fight cyber attackers. “Directors should be asking themselves what they can, and should, be doing to effectively oversee cyber-risk management,” Aguilar said. He warned that the SEC could hold corporate boards and senior management responsible for future security breaches.
What’s more, the subject is on the Congressional agenda as well with Senate Bill 754 and a goal to: “Improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.”
In response to the “call to arms” from both within and outside their organizations, senior leaders are exposing the chinks in our current state of failing defense— including siloed security operations, tactical errors, technical spot-welding, and firefighting.
Organization-wide Risk Assessment Informs Ideal Security Strategy
To overcome the hype, meet the internal and external demands for greater security, and avoid over- or under-spending on information security systems, companies must embrace a more strategic, business-oriented, and architectural Information Risk Management (IRM) approach. A well-designed and executed IRM program will assist executive teams in making higher-quality decisions about their security investments.
Organizations serious about IRM will proactively drive three priority initiatives to completion:
1. Strategic. They will make IRM a C-suite and board agenda item to facilitate meaningful dialog and decisions about cyber and other information risks within their organizations.
2. Tactical. They will establish, implement, and mature an IRM process to ensure ongoing improvement in the management of these growing risks.
3. Operational. They will become experts at conducting bona fide, comprehensive risk assessments that serve as a foundational step in a well-executed IRM program.
The National Institute of Security Technology (NIST) has developed one of the most holistic and potent frameworks — NIST Cybersecurity Framework. It supplies a comprehensive structure that supports the tactical initiative cited above to establish, implement and mature an IRM process. The NIST Cybersecurity Framework is just that—a framework. While it gives companies a standards-based, globally-proven security framework, it must be supported by an underlying process. The NIST IRM process is detailed in NIST’s Managing Information Security Risk: Organization, Mission, and Information System View (Special Publication 800-39).By combining the power of the NIST Cybersecurity Framework with the NIST IRM process, along with a continuous process improvement mindset, any organization can establish, implement, and mature its IRM programs and protect its information from today’s growing number of unrelenting threats.
Four Major Phases of NIST IRM Process
The NIST IRM process includes four major phases: frame risk, assess risk, respond to risk, and monitor risk. The phases are highly interdependent and inform one another. Here is a brief introduction to each phase:
1. Frame Risk — Create Your Strategy
Phase one begins with strategic-level decisions on how risks to operations and information assets, individuals, and other organizations should be managed by senior leaders. Organizations must identify and document the following:
• Risk assumptions. These are hypotheses about the information assets, threats, vulnerabilities, impacts, and likelihood of occurrences that affect how risk will be assessed, responded to, and monitored over time.
• Risk constraints. These are limitations on the organization’s risk assessment, response and monitoring alternatives under consideration due to, for example, limited resources, legacy technologies, and higher business priorities.
• Risk tolerance. This is the level of risk that organizations are willing to accept in pursuit of their strategic goals and objectives.
• Priorities and trade-offs. These are the relative importance of missions and business functions, trade-offs among different types of risk that organizations face, timeframes in which organizations must address risk and any factors of uncertainty that organizations consider in risk responses.
2. Assess Risk — Understand Your Exposures
Phase two addresses how organizations assess specific risks within the context of the organizational risk frame, including threats, vulnerabilities, likelihood, impact and risk. This phase requires identifying, prioritizing, and estimating all risks— that is, enumerating all of the ways in which a compromise of the confidentiality, availability, or integrity of sensitive information may occur and an assessment of the loss or harm to the organization and its stakeholders that may result from the compromise.
3. Respond to Risk — Implement Appropriate Treatment
Phase three addresses how organizations respond to the identified risks to create a consistent, organization-wide response to risk, including evaluating alternative courses of action and implementing risk responses based on selected courses of action.
4. Monitor Risk — Assess Your Controls
Phase four addresses how organizations monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in organization’s risk-related activities. The goals are to verify that planned measures are implemented, determine the ongoing effectiveness of risk response, and identifying risk-impacting change to the organization.
As security pros and their C-suites and boards wage an ongoing war on cyber threats, a well-executed, organization-wide approach to IRM supported by a rigorous risk assessment provides the most powerful tool to win the war—a roadmap of the organization’s unique information assets, threat sources, threat actions, vulnerabilities, and current controls environment. With this insight, every organization can better protect the sensitive information it has been entrusted to safeguard from all adversarial, environmental, and accidental threats.