Analyze Risk or Rely on Critical Controls?

edited September 2018 in TPRM General Discussion

There are few a ways of looking at Cybersecurity risk, and just as many schools of thought of how to decide which security controls are the most important to implement!

The CyberGRX platform allows for exploring a couple of different methods.

In the first we dive deep into analytics, pulling in threat feeds, kill chains by industry, and lots of math to analyze which sub controls are critical to controlling risk in particular industries.

In the second, you can see whether any sub control is implemented or not and match it up to the controls you think are critical. Whether you want to compare a 3rd party to the OWASP top 10, the SAN's top 20, or any other set of controls you can find matches in the descriptions in our control framework, create tags or filter by sub control scores across your portfolio to see how your vendor's benchmark across each other or the industry they reside in.

So.... math or strategy? Or both? What appeals the most to you?

Comments

  • Some controls are mandatory (general regulations, contract clauses, etc. when not tied to specific situations)

    Some controls are required, but situational (Software development, Payment Card processing systems, etc.)

    Some controls are internally mandated, but could be changed based upon the desires of the organization (policies, standards, etc. not directly tied to the items above)

    Some controls are not required but certainly good ideas in specific circumstances

    Analysis can help with identification, classification (required / optional), justification, prioritization, etc. The further down the list above you go, the greater value analysis plays in decision making.

    People need a solution that recognizes and enables them to address the realities of both.

  • Tales from the field: Lack of resources is the challenge we hear most when speaking with customers and prospects. Given this common denominator, I agree with you both that understanding the controls that matter most (given your relationship with the vendor), is key to applying limited resources to areas with the most yield. Unless your organization is a "NIST shop" or "ISO shop", the standard these controls are compared against is less important than the method of comparison.

    @RavenA: There's certainly a lot of math involved. But without a strategy that demonstrates lowered risk from the efforts taken, the program will not continue to receive support and investment. Demonstrated achievement drives program momentum.

    @cgorsuch: To your point, the trick is understanding the controls in the vendor's environment that matter most to your specific relationship. We consistently see companies make the mistake of over-focusing on the question set and under-focusing on the responses that matter most.

  • We're currently focused mainly on controls (the strategy portion that Raven covered), and I think it speaks to Scott's point about limited resources. Although we would like our vendors to implement controls that reduce their overall risk given exposures and trends that CyberGRX is analysing, it becomes difficult to manage. Additionally, our vendors have limited resources, so will likely only fix those that we deem key to maintaining our relationship, and put the "nice to haves" on the back burner. I know there are some vendors that are out there leading the way in terms of trying to implement the best security practices, but many still view it as a compliance / tick the box exercise. It's the overall mindset that needs to change, and I think most security professional get it, but we don't always have the budget to support it. 
  • I am a firm proponent of both.  I like hybrid risk management strategies that correlate compliance issues such as vulnerabilities and assessment findings with active threat intel, single loss expectancy, and remediation cost to give actionable data to leadership.  If you know the value of your assets, you can factor it by the severity of an event from threat intel and market info to get a fairly reasonable single loss expectancy in dollars. Estimate the rate at which that threat may occur to get an annual cost of the risk. Obviously these calculations won't be perfect, but they do give a focused view of your risks, indicate the effectiveness of risk buy-downs, and force you to prioritize risks.  It can help you answer the questions like "should I focus on this medium risk in the network, or the medium risk in my endpoints first?"  

    Also, remember the language of leadership is $$$.  Having risk information in dollars makes things real for leadership, and helps justify and direct security budget. 


Sign In or Register to comment.