Risk-Based Approaches to Cybersecurity

Marc Woolward
May 1, 2017

There has been tremendous progress in the cybersecurity discipline in terms of defining strategy by outcomes rather than the methods used. This is especially apparent in the financial services industry, where frameworks such as CBEST and FFIEC encourage practitioners to not only think about risk-based approaches, but also to understand levels of maturity and capabilities relative to industry benchmarks.

When it comes to cybersecurity, the reality is that we no longer talk about technology first—we talk about the risks, and then discuss the processes and technical capabilities required to address them.

When using risk-based approaches for proactive technology reviews and business planning, you first identify the risks (commonly known as a threat model when dealing with cybersecurity), prioritize them, and then go about building a set of controls or mitigations in order to address these risks. This approach is increasingly applied by financial services regulators around the world, incorporating advanced techniques such as penetration testing and maturity models that provide evidence and compare current performance to historical baselines.

The Check-The-Box Compliance Mindset

Several years ago, the typical information security professional was burdened by a check-the-box compliance mindset where budgets and priorities were predominantly directed toward passing audits. This gave the illusion of achieving higher levels of security and meeting best practice standards, but it was just that—an illusion. As breaches became more widespread and impactful (both in terms of immediate business cost and reputation damage), the industry saw a movement toward incident response. With this approach, the lessons from incidents were better understood and measures were put in place to reduce the likelihood of recurrence.

While responding to such incidents made the strategy more relevant to real-world threats, these early incident responses were still based on historical events. As incidents became more frequent and the scope of larger issues better documented, the industry has experienced another shift, toward proactive, risk-based security and a better definition of maturity models based on understanding industry baselines and best practices.

The Risk-Based Approach

Taking a risk- and evidence-based approach to the testing of cyber readiness, CBEST moves as far away from the theoretical check-the-box compliance approach as one can get. Created by the Bank of England, CBEST is designed to measure the likely impact of real-world threats against systemically critical institutions within the U.K., including banks and critical intermediaries like financial service providers, by emulating the actions of attackers on those environments. The process includes creating a threat model against an organization, examining the attacker’s motivations and capabilities, and executing a set of tests to measure the institution’s defense posture. This is essentially a combination of theoretical analysis and practical execution of penetration tests to help measure an organization’s cyber defense capabilities.

One common exercise in the CBEST threat model is to understand the controls separating critical data repositories and systems from general purpose user infrastructure. The analysis and subsequent penetration test would determine whether an organization is able to detect and prevent unauthorized access between the general-purpose user and critical systems within the organization. Out of these risk-based analyses, the lack of internal segmentation is consistently identified as a significant challenge.

Using Maturity Models

The Federal Financial Institutions Examination Council (FFIEC) is a U.S. government interagency body that includes the Federal Reserve and has regulatory responsibility for the “prescription of uniform principles and standards” to systemically critical financial institutions and their service providers within the United States.

The FFIEC Cybersecurity Assessment Tool takes another risk-based approach to assessing and mitigating an organization’s underlying risk and its ability to mitigate that risk using controls and processes. The results of the assessment provide an organization’s leadership with a better understanding of their relative maturity against the rest of the industry across several domains including technology, organization and process.

The FFIEC Cybersecurity Assessment Tool provides a mechanism for organizations to assess their cyber readiness and maturity against industry baselines, effectively comparing themselves (anonymously) with their peers. In a world where highly publicized cyber breaches can cause huge reputation and client impact, no board of directors wants to be lagging in cyber best practices, and this level of “anonymized” competition is being used to drive improvements throughout the system.

Looking specifically at some of the FFIEC requirements, it is even more apparent that reactive, perimeter-facing controls are no longer sufficient. For example, according to Domain 3, Cybersecurity Controls-Infrastructure (intermediate level requirement): “The enterprise network is segmented in multiple, separate trust/security zones with defense-in-depth strategies (e.g., logical network segmentation, hard backups, air-gapping) to mitigate attacks.” In addition, Domain 3, Cybersecurity Controls-Access and Data Management (baseline level requirement) reads: “Production and nonproduction environments are segregated to prevent unauthorized access or changes to information assets.”

Consistent with CBEST, FFIEC cites requirements for internal environment segmentation for organizations displaying relatively basic capability levels. Internal segmentation requirements are being drawn along multiple dimensions (trust/security zones and production function), which renders simple network-based solutions (where systems can only be instantiated within a single endpoint group, as opposed to being represented in a more flexible policy model) ineffective. The FFIEC Cybersecurity Assessment Tool, consistent with the National Institute of Standards and Technology (NIST) cybersecurity framework used by regulators across industries, also stresses requirements for the visibility of threats and events within an institution’s environment.
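The segmentation test described under CBEST above (can a general-purpose user reach a critical system, and is the attempt visible?) and the multi-dimensional FFIEC requirements (trust/security zone plus production function) can be expressed as a small label-based policy. The following is an added illustration, not code from the article, CBEST or the FFIEC tool: the workload names, zone and environment labels, rules and flow records are all constructed. It shows why a flat endpoint-group model is insufficient: each workload carries two independent labels, cross-environment traffic is refused before zone rules are even consulted, and every denied flow is emitted as an audit event so that the "visibility of threats and events" requirement is addressed alongside prevention.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory: each workload is labelled along two independent
# dimensions, trust zone and production function. A single endpoint group
# per host could not represent both at once.
WORKLOADS: Dict[str, Dict[str, str]] = {
    "laptop-042": {"zone": "user",     "env": "prod"},
    "web-01":     {"zone": "dmz",      "env": "prod"},
    "app-01":     {"zone": "app",      "env": "prod"},
    "db-01":      {"zone": "critical", "env": "prod"},
    "db-test-01": {"zone": "critical", "env": "nonprod"},
    "dev-box-07": {"zone": "user",     "env": "nonprod"},
}

# Allow-list over labels rather than IP groups: (src_zone, dst_zone, dst_port).
# Anything not listed is denied, so a user workload can never talk to the
# critical zone directly; it must traverse dmz and app tiers.
ZONE_RULES: List[Tuple[str, str, int]] = [
    ("user", "dmz", 443),
    ("dmz", "app", 8443),
    ("app", "critical", 5432),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(flow: Flow) -> Decision:
    """Decide one flow. Unknown workloads and cross-environment traffic are
    refused before zone rules apply (production/nonproduction segregation)."""
    src = WORKLOADS.get(flow.src)
    dst = WORKLOADS.get(flow.dst)
    if src is None or dst is None:
        return Decision(False, "unknown workload")
    if src["env"] != dst["env"]:
        return Decision(False, f"cross-environment {src['env']}->{dst['env']}")
    key = (src["zone"], dst["zone"], flow.dst_port)
    if key in ZONE_RULES:
        return Decision(True, f"{key[0]}->{key[1]}:{key[2]} permitted")
    return Decision(False, f"no rule for {key[0]}->{key[1]}:{key[2]}")


def review(flows: List[Flow]) -> List[str]:
    """Return one audit line per denied flow. These are the events a
    segmentation test expects the institution to be able to see."""
    events = []
    for f in flows:
        d = evaluate(f)
        if not d.allowed:
            events.append(f"DENY {f.src} -> {f.dst}:{f.dst_port} ({d.reason})")
    return events


# Constructed flow records, as a flow collector might export them.
SAMPLE_FLOWS: List[Flow] = [
    Flow("laptop-042", "web-01", 443),      # allowed: user -> dmz
    Flow("web-01", "app-01", 8443),         # allowed: dmz -> app
    Flow("app-01", "db-01", 5432),          # allowed: app -> critical, same env
    Flow("laptop-042", "db-01", 5432),      # denied: user straight to critical
    Flow("app-01", "db-test-01", 5432),     # denied: prod -> nonprod
    Flow("unknown-host", "db-01", 5432),    # denied: not in inventory
]

if __name__ == "__main__":
    for line in review(SAMPLE_FLOWS):
        print(line)
```

The deny reasons are deliberately distinct: a cross-environment denial and a missing-rule denial point at different control owners, and a test that only checks "blocked or not" would miss that distinction.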

Addressing Modern Cyberrisks

Regardless of industry sector, if you are looking to take a proactive approach to assessing cyberrisk and identifying areas for overall security improvement, both CBEST and the FFIEC Cybersecurity Assessment Tool are worth understanding. The frameworks provide a method for an organization to measure its cyber maturity across technology, operational processes and organizational readiness. As a result, maturity and risk requirements can be defined and implemented in a common language, which provides a method for reporting against strategic business goals.
