Why a risk based approach is the key to better overall Cyber Security.
While Compliancy is a very important step from a legal and regulatory requirement, assuming that checking off compliancy check boxes automatically delivers a secure environment, is poor judgement.
I do believe that compliancy spurred organizations to act in securing their environments in the early days, which was a very important step for many organizations to better secure their business and consumer information.
Although a great first step, it must be realized that it doesn’t cover all the risk associated to an organization. So having a risked based approach allows an organization to better prepare for its overall Cyber Security needs.
There are many risk based approaches that can help guide an organization through this process. Some of them are ISO 27000, NIST, Zachman Framework, to a fairly new SANS Top 20 Critical Security Controls to name a few . Then there are organizations such as, ISC2, ISACA, SANS, that offer both information and certifications for individuals which focus and teach a risk based approach to Cyber Security.
If we take the new SANS Top 20 Critical Security Controls for instance, we see that it is broken down in a way to make it easier for organizations to digest this tremendously difficult task of understanding risk and determining where one’s Security Posture is, at that time.
Even our Governments are tackling this issue CSEC, CISI, NSA, CIA, RCMP, FBI, Public Safety Canada, Federal Communication Commission, Canadian Government, US Government. They understand the economic impact that Cyber Crime has on its country, businesses and people and have also stepped up their focus on protecting themselves.
However business are still left to their own for the most part and need to understand the very difficult details of what kind of impact a breach could have on an organization.
While I speak about a risk based approach I want to touch on incident management. While it may seem separate at first glance, it is vital to a successful overall Cyber Security Posture. The quicker and more effectively you can deal with an incident the better the position you will be in not only for data/dollars loss but with the public/consumers.
- Compliance should be treated as a domain of risk within a formal risk management program and should not be allowed to dominate decision making
- Security is not a direct profit center for a business
- SANS Top 20 Critical Security Controls will help businesses get there
- Incident Management is a key part in a risk based approach
- Organizations become rule followers, rather than risk leaders
- Need a security champion at the executive level
In summary I’ve seen the Cyber Security Industry mature over the last 15 years. Are we there yet?No, and maybe it will be a long road, however there are organizations that can help make it much less painful to understand and get you closer to an overall Cyber Security Posture.
Other sites and links that speak about compliancy and the movement to a risk based approach: