Analyze Risk or Rely on Critical Controls?

There are a few ways of looking at cybersecurity risk, and just as many schools of thought on how to decide which security controls are the most important to implement!
The CyberGRX platform allows for exploring a couple of different methods.
In the first, we dive deep into analytics, pulling in threat feeds, kill chains by industry, and lots of math to analyze which sub-controls are critical to controlling risk in particular industries.
In the second, you can see whether any sub-control is implemented or not and match it up to the controls you think are critical. Whether you want to compare a third party to the OWASP Top 10, the SANS Top 20, or any other set of controls, you can find matches in the descriptions in our control framework, create tags, or filter by sub-control scores across your portfolio to see how your vendors benchmark against each other or against the industry they reside in.
So.... math or strategy? Or both? What appeals the most to you?
Comments
Some controls are mandatory (general regulations, contract clauses, etc. when not tied to specific situations)
Some controls are required, but situational (Software development, Payment Card processing systems, etc.)
Some controls are internally mandated, but could be changed based upon the desires of the organization (policies, standards, etc. not directly tied to the items above)
Some controls are not required but certainly good ideas in specific circumstances
Analysis can help with identification, classification (required / optional), justification, prioritization, etc. The further down the list above you go, the greater the value analysis adds to decision making.
People need a solution that recognizes and enables them to address the realities of both.
Tales from the field: Lack of resources is the challenge we hear most when speaking with customers and prospects. Given this common denominator, I agree with you both that understanding the controls that matter most (given your relationship with the vendor) is key to applying limited resources to areas with the most yield. Unless your organization is a "NIST shop" or "ISO shop", the standard these controls are compared against is less important than the method of comparison.
@RavenA: There's certainly a lot of math involved. But without a strategy that demonstrates lowered risk from the efforts taken, the program will not continue to receive support and investment. Demonstrated achievement drives program momentum.
@cgorsuch: To your point, the trick is understanding the controls in the vendor's environment that matter most to your specific relationship. We consistently see companies make the mistake of over-focusing on the question set and under-focusing on the responses that matter most.
The cloud brings a host of new issues within the VRM space. One aspect is the need to change the framework for assessing SaaS vendors, as the standard industry control areas might not be applicable in many cases; instead the focus needs to be on the proper configuration of these solutions as well as fourth-party management.
Another aspect that complicates things is access management for these types of vendors. Remote access for your vendors, whether for a true contractor engagement or support/troubleshooting work, is a challenge on its own. To further complicate things, you also have to create a process for access management for SaaS solutions, where admins of the product can provision access completely independently of your standard IAM process. This access poses a great amount of risk even if the access is not to your internal network or systems. File upload to these hosted solutions becomes the highlighted risk, and having both visibility and control over this becomes crucial.
I am a firm proponent of both. I like hybrid risk management strategies that correlate compliance issues such as vulnerabilities and assessment findings with active threat intel, single loss expectancy, and remediation cost to give actionable data to leadership. If you know the value of your assets, you can factor it by the severity of an event from threat intel and market info to get a fairly reasonable single loss expectancy in dollars. Estimate the rate at which that threat may occur to get an annual cost of the risk. Obviously these calculations won't be perfect, but they do give a focused view of your risks, indicate the effectiveness of risk buy-downs, and force you to prioritize risks. It can help you answer questions like "should I focus on this medium risk in the network, or the medium risk in my endpoints first?"
Also, remember the language of leadership is $$$. Having risk information in dollars makes things real for leadership, and helps justify and direct security budget.
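As an added example (not part of the original thread or of CyberGRX's platform), the Python below carries the single loss expectancy / annualized loss arithmetic described in the comment above through two constructed "medium" risks, one on the network and one on endpoints, and scores two hypothetical controls by how much annual loss they buy down after their own cost. Every asset value, exposure factor, occurrence rate and control cost here is invented for illustration.

```python
"""Hybrid risk arithmetic: SLE, ALE and control buy-down on constructed data."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float   # dollar value of the asset at risk (constructed)
    severity: float      # exposure factor 0..1: fraction of value lost per event
    annual_rate: float   # expected occurrences per year (ARO), from threat intel
    qualitative: str     # label the scanner/assessment gave, e.g. "medium"


@dataclass
class Control:
    name: str
    annual_cost: float         # yearly cost to run the control (constructed)
    rate_reduction: float      # fraction by which it cuts the occurrence rate
    severity_reduction: float  # fraction by which it cuts the exposure factor


def single_loss_expectancy(r: Risk) -> float:
    """SLE = asset value x exposure factor: dollars lost in one event."""
    return r.asset_value * r.severity


def annualized_loss_expectancy(r: Risk) -> float:
    """ALE = SLE x ARO: the 'annual cost of the risk' from the comment."""
    return single_loss_expectancy(r) * r.annual_rate


def residual_ale(r: Risk, c: Control) -> float:
    """ALE that remains once control c is applied to risk r."""
    return (r.asset_value
            * r.severity * (1.0 - c.severity_reduction)
            * r.annual_rate * (1.0 - c.rate_reduction))


def buy_down(r: Risk, c: Control) -> float:
    """Net annual benefit of c against r: ALE reduction minus control cost.
    Negative means the control costs more per year than the loss it prevents."""
    return annualized_loss_expectancy(r) - residual_ale(r, c) - c.annual_cost


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Rank by ALE, highest first, regardless of the qualitative label."""
    return sorted(risks, key=annualized_loss_expectancy, reverse=True)


# Constructed sample: two risks both rated "medium" by an assessment.
NETWORK_RISK = Risk("unpatched VPN appliance (network)", 2_000_000, 0.25, 0.2, "medium")
ENDPOINT_RISK = Risk("malware via phishing (endpoints)", 400_000, 0.5, 1.5, "medium")
SAMPLE_RISKS = [NETWORK_RISK, ENDPOINT_RISK]

# Constructed sample controls and which risk each addresses.
PATCHING = Control("appliance patch cadence", 30_000, rate_reduction=0.75, severity_reduction=0.0)
EDR = Control("EDR rollout", 120_000, rate_reduction=0.5, severity_reduction=0.6)
CANDIDATES = [(NETWORK_RISK, PATCHING), (ENDPOINT_RISK, EDR)]


def rank_controls(candidates: list[tuple[Risk, Control]]) -> list[tuple[str, str, float]]:
    """(risk, control, net annual benefit) tuples, best buy-down first."""
    scored = [(r.name, c.name, buy_down(r, c)) for r, c in candidates]
    return sorted(scored, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.qualitative:>6}  {r.name:<38} SLE ${single_loss_expectancy(r):>10,.0f}"
              f"  ALE ${annualized_loss_expectancy(r):>10,.0f}")
    for risk_name, control_name, net in rank_controls(CANDIDATES):
        print(f"{control_name:<24} vs {risk_name:<38} net ${net:>10,.0f}/yr")
```

Both risks carry the same qualitative label, but the endpoint risk's higher occurrence rate gives it three times the annual loss, which is the kind of answer the "network medium or endpoint medium first?" question needs. The inputs are estimates, so in practice run the same arithmetic with low and high values for the exposure factor and rate and present leadership with the range rather than a single dollar figure.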