Reshape your Cyber Security Journey in the Covid-19 era

Michael Chue, Vice President and General Manager, Mandiant North Asia

Michael Chue, Vice President and General Manager, Mandiant North Asia

Cyber risk can be a big blindspot for organizations. And now, more senior leaders are more engaged than ever before and working to develop a better understanding of how cyber risk is being managed within their organizations. More dialogue with executive management around cyber risk and the impacts proactive and reactive measures have on an organization’s risk profile is a great trend to see.

Especially in these few years under pandemic, many Chief Information Security Officers or IT seniors have to take on the overwhelming tasks of supporting day-to-day operations while constantly being prepared for attackers in their environment. According to the report of Cybersecurity Ventures, global cybercrime costs to grow by 15 percent % per year over the next five years, reaching USD10.5 trillion annually by 2025, up from USD3 trillion in 2015. Balancing the criticality of in-flight projects and operational responsibilities with response preparedness is a difficult trade-off. How could an organization steer and guide the overall direction of the cyber security of organization?

To start, it is important to understand that cyber risk is not dissimilar to other business risk. It is an aggregation of the threats and vulnerabilities present across an organization, any of which—if exploited—could lead to financial loss, reputation damage and regulatory matters. When looking specifically at threats and vulnerabilities, the focus should be more around what technologies or processes organizations have created or consumed that are potentially vulnerable, and that create ‘opportunities’ for abuse. Threats we can then overlay as the potential vectors or methods for how those vulnerabilities or opportunities could be exploited.

When it comes to communicating impact, organizations often get paralyzed around how to reduce cyber risk and what controls are being relied upon, and over time how the fidelity of those controls is truly validated and Return on Investments (ROI) around security investments maximized. Simplicity is the key when looking to both gain the ear and appreciation of Boards around how cyber risk is being managed. This minimizes complexity and focuses upward reporting around the impacts that matter.

This is frequently brought on when there is no clear agreement across the organization on what constitutes the “Crown Jewels”—or what matters most to the business.

Developing maturity around cyber risk does not happen overnight; rather, it is a continuous process that builds upon itself

Without alignment across all teams, there is no solution for security investments, and critical questions about organizational risk going unanswered. Ultimately, security teams need to consider and fully understand ROI; those that don’t tend to be unable to defend their investment decisions to more business-focused executives.

How to Map Your Cyber Risk Journey

Cyber risk is a broad and deep subject, and there is no single process or technology or solution that will drive it down. Maturity-based programs are a key contributor to a security program’s overall direction, but they should not be the only driver of the program. A properly designed program is instead a coordination of capabilities that requires both defining and aligning to the organization’s direction and tolerances and connecting it to the evolving threat landscape.

Here are some key takeaways to remember when developing your program:

• Understand What Matters Most: Take time to develop an understanding of the critical business assets with the highest potential for adverse impact to your organization and prevent you from staying a going concern if compromised.

• Define and Align Cyber Risk Tolerances Across the Organization: Develop a top-down view of the organization’s cyber risk, clarify executive reporting requirements, establish, and target an organizational risk tolerance.

• Identify and Model Security Architectural Risks for Critical Systems: Decompose mission critical systems into their components and connections and identify threats and vulnerabilities, assign risks to each threat, and align to organization tolerances around impact.

• Identify Cyber Risks and Key Partners and Portfolios: Identify those partners and organizations that you are heavily reliant on and perform due diligence to assess integration and supply chain risks that would expose your organization, but also drive your risk profile to levels of unacceptable risk.

Developing maturity around cyber risk does not happen overnight; rather, it is a continuous process that builds upon itself

• Identify Operational Vulnerabilities and Align to Organizational Risk Tolerances: Link vulnerabilities and degrees of exploitability to the potential for compromise to mission critical systems and validate those against defined cyber risk tolerances.

• Validate if Your Security Capabilities Are Moving in the Right Direction: Map the existing security program initiatives against best-practices and validate deviations from standard practices for your industry and region of operation.

Developing maturity around cyber risk does not happen overnight; rather, it is a continuous process that builds upon itself. To successfully manage cyber risk, organizations need to rethink and better identify threats to those things that matter most to the organization and have that information integrate and inform the organizational operational risk profile from a cyber vantage point. It’s a simple thought, but it’s often missing from most programs we interact with. The goal with proper cyber risk management is to help to surface the threats and vulnerabilities the organization should care most about, and that have the ability to cause significant impact and true risk.