Understand cyber security risk to mitigate it – ITWeb




As the world starts preparing for the festive season, many will have moved on from paying lip service to cyber security month in October. However, no one can afford to take their eyes off the ball because securing IT systems is a year-long endeavour.
This undertaking, as important as it is, can be a difficult ask for those tasked with presenting solutions to business leaders who demand clear and cogent answers as to why more budget is required.
A company’s cyber security strategy requires a well-designed risk evaluation framework, whether qualitative or quantitative. This model should be carefully chosen, as it is the blueprint against which a business will plan its response to cyber threats. There needs to be complete commitment within the business to the model that is chosen.
Let’s start at the top. That budget must be made available for cyber security is not in question. What is in question (and sometimes in dispute), though, is the level of protection required and the budget allocated.
When challenged on the need for yet more protection, a CISO, CIO or IT expert will inevitably be asked: “Surely, there can’t just be layer upon layer of protection added?”
They are not wrong: there simply must come a point where the budget is limited, but it’s only possible to get to this point when the security strategy is layered with overlapping controls providing deep protection.
While the average business spends between 1% and 13% on IT security, managing the ever-increasing and evolving security threats with a finite budget can feel like juggling while on a tightrope.
CIOs, CISOs and IT specialists often focus on qualitative risk analysis through security gap reviews based on security standards such as ISO 27001. These gaps constitute risks that can be categorised by “likelihood” and “impact”, and mitigation steps can then be prioritised accordingly.
Security specialist companies can assist with risk analyses, some even offering free risk surveys that identify the risks inherent in an organisation. The risk rating can be benchmarked and tracked as mitigation initiatives are implemented.
While this analysis is critical, what happens in practice is that the challenge then lies in convincing business leaders and finance teams that the risks are significant enough to attract the appropriate budget. Beyond this, if there are multiple risks ranked equally (which is entirely possible), how do you prioritise how those risks are tackled?
This is where quantitative analysis comes into play. Finance will ask the CISO, CIO or IT specialist to reflect the security risks in monetary terms, and this is obviously a complicated endeavour.
A well-respected approach is the Factor Analysis of Information Risk Framework. This approach models risk in four high-level categories:
As mentioned, the risk analysis, whether it is qualitative or quantitative, or in some instances both, becomes the blueprint from which to plan the security strategy. But that is not enough.
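To make the qualitative-versus-quantitative point concrete, here is an added example (not from the article or its author) that scores a small, constructed risk register on a likelihood × impact matrix, surfaces the equal-ranking problem, and breaks the tie with a FAIR-style annualised loss (loss event frequency × loss magnitude). The risk names, frequencies and loss figures are assumed for illustration only.

```python
from dataclasses import dataclass
from collections import defaultdict

# Qualitative scale used for the likelihood/impact rating (assumed 3-level scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    likelihood: str              # qualitative rating: low / medium / high
    impact: str                  # qualitative rating: low / medium / high
    loss_event_frequency: float  # FAIR-style LEF: expected loss events per year (estimate)
    loss_magnitude: float        # FAIR-style LM: expected loss per event, in currency units


def qualitative_score(risk: Risk) -> int:
    """Likelihood x impact on the 3x3 matrix: the gap-review ranking the article describes."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def annualised_loss(risk: Risk) -> float:
    """FAIR top-level relation: risk = loss event frequency x loss magnitude, per year."""
    return risk.loss_event_frequency * risk.loss_magnitude


def qualitative_ties(risks: list[Risk]) -> dict[int, list[str]]:
    """Return the qualitative scores shared by more than one risk (the ranking deadlock)."""
    by_score: dict[int, list[str]] = defaultdict(list)
    for r in risks:
        by_score[qualitative_score(r)].append(r.name)
    return {s: names for s, names in by_score.items() if len(names) > 1}


def prioritise(risks: list[Risk]) -> list[tuple[str, int, float]]:
    """Rank by qualitative score, breaking ties with the annualised loss in money terms."""
    ranked = sorted(risks, key=lambda r: (qualitative_score(r), annualised_loss(r)), reverse=True)
    return [(r.name, qualitative_score(r), annualised_loss(r)) for r in ranked]


# Constructed sample register; frequencies and magnitudes are illustrative estimates only.
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing web server", "high", "high", 0.5, 400_000),
    Risk("Phishing leading to credential theft", "high", "medium", 2.0, 60_000),
    Risk("Lost unencrypted laptop", "medium", "high", 0.2, 250_000),
    Risk("Legacy file share without access review", "medium", "medium", 1.0, 20_000),
]

if __name__ == "__main__":
    print("tied qualitative scores:", qualitative_ties(SAMPLE_REGISTER))
    for name, score, ale in prioritise(SAMPLE_REGISTER):
        print(f"{score:>2}  {ale:>10,.0f}  {name}")
```

The two risks tied at a qualitative score of 6 separate cleanly once expressed as expected annual loss, which is the figure a finance team can weigh against the cost of the control.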
It is equally important to educate business leaders on the key concepts and scope of the risk identified, as well as the measures that need to be taken to mitigate the risks. Key, then, is plotting the control categories to map security priorities.
Protecting and reducing the organisation’s attack surface
The attack surface is the extent to which a business is exposed to cyber threats. Every hardware device and employee in a business is part of the attack surface and constitutes a risk to the business. The bigger the business, the bigger the risk.
Understanding relevant attack vectors and implementing appropriate controls
An attack vector is a method of attack that exploits a specific vulnerability in the attack surface. There are countless attack vectors and new vulnerabilities are being exposed all the time. Business leaders need to understand that this is an ongoing battle that needs constant attention, and often the insights of specialist security experts.
Identifying threat actors
A threat actor is a person or group that conducts actions designed to cause harm within a system’s environment.
Identify control considerations for which budget needs to be made available
Controls need to be implemented to mitigate against the threats with the highest priority. Specifically, the following needs to be considered:
Mapping out the security posture across these control categories, and weighting them, provides useful insight into where priorities need to lie.
When read against tight budgets and a C-suite or finance team that wants something that more clearly demonstrates ROI, this exercise is vital.
Business leaders should also understand that their IT leadership and team will not be experts in every area of security and should encourage security vendor consultation and support initiatives.
Executive head, information systems and technology, Vox.

Tim Wood is executive head of information systems and technology at Vox.

He is responsible for delivering and deploying information technology services within the Vox business, and the integration and development of information systems supporting internal operations. 

The role involves integrating requirements, systems and processes into the broader ecosystem and deploying solutions that are effective and efficient, from supporting the sales and operational teams, to the provisioning of services into upstream platforms. 

Wood is also responsible for the Vox IT team that provides the foundation over which systems are provisioned within the organisation: essentially, the internal technology deployment.
