Forbes reports that 70% of firms experienced at least one cybersecurity incident in 2017. In the past year alone, Yahoo’s $4.8B takeover by Verizon was nearly derailed by two major data breaches at Yahoo, and even the US presidential election may have been affected by hackers. The risks are only growing: cars are computers on wheels and planes are computers on wings. Cybersecurity risk has expanded from the exposure of personal information and financial data to the loss of control over physical systems.
In 2015, the US government notified 3,000 companies that they had been attacked. According to PwC’s 2016 annual cybersecurity survey, organizations detected a 38% rise in information security incidents. These dire statistics are getting attention and are raising the expectations placed on risk and compliance managers to manage cybersecurity risk effectively.
What should an organization do?
According to Cisco’s 2017 Cybersecurity Report, 69% of senior executives are taking action and re-engineering their approach to cybersecurity. Organizations are deploying intrusion detection tools, actively monitoring and analyzing security telemetry, subscribing to threat intelligence services, and conducting penetration tests. But how does an organization know it’s working?
A few questions that information risk managers should ask themselves are:
- What are the leading indicators to monitor the overall information risk level in the organization?
- Does the organization have a clear and quantifiable definition for acceptable information security risk for each business process and system?
- Does the organization have comprehensive visibility into all potential threat actors, all potential threat events, and how those actors and events affect its various systems, vendors, and internal processes?
- How reliable are the internal risk assessment processes to identify and mitigate information risks?
These questions inevitably lead to the importance of running an ongoing and increasingly sophisticated threat and vulnerability assessment program. Such a program provides a pulse on the effectiveness of the tactical tools and processes put in place.
How does an organization design an information risk program?
In February 2013, the United States President issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” The order directed NIST to develop what became the NIST Cybersecurity Framework, first published in February 2014. The Framework is voluntary and is intended to complement, not replace, existing risk and compliance activities, and it provides a practical starting point for organizations to manage cybersecurity risk.
The Framework’s Core is a set of cybersecurity activities, desired objectives, and applicable references. This can form a high-level structure around which companies can identify vulnerabilities, threats, mitigations, monitoring, and improvements specific to their industry, internal processes, and systems. Five continuous and concurrent functions make up the Framework Core.
Identify – Activities to develop the organization’s understanding of the business context, the resources that support critical functions, and the related cybersecurity risks to systems, assets, data, and capabilities
Protect – Activities to develop and implement safeguards that limit or contain the impact of a potential cybersecurity event
Detect – Activities to develop and implement monitoring and detection processes that identify the occurrence of a cybersecurity event in a timely manner
Respond – Activities to take action on a detected cybersecurity event, including containment of its impact
Recover – Activities to enable organizations to maintain resilience and restore any capabilities or services impaired by a cybersecurity event
A critical component of executing on the NIST Cybersecurity Framework is a comprehensive set of mitigations and controls that operationally manage the safeguards in place. Security risk managers in the organization define and manage these controls. The Framework Core’s informative references map each subcategory to specific controls, and the NIST Special Publication 800-53 control catalog is a strong starting point for developing them.
In summary, NIST offers risk managers comprehensive frameworks with which to design their threat and vulnerability assessment programs and to validate the coverage of those programs. As the intensity and impact of cyberattacks increase, organizations should focus on monitoring and preempting risk to internal operations and customers through a predictive and exhaustive assessment program.