How Can Leaders Reduce Cyber Risk On A Tight Budget?

In this exclusive interview, Mike Davis, CISO for alliantgroup, offers practical ways to assess, mitigate and manage cybersecurity risks in your organization — even with a small team and less resources.

How can organizations protect critical information resources? What processes and procedures work best? What are the challenges to reducing risk?

To answer these questions and much more, I turned to a cybersecurity industry thought leader from Texas: Mike Davis.

Mr. Davis is the CISO in alliantgroup’s Houston national office, where he operationalizes data security, privacy and risk management while advising leadership on protecting critical information resources and managing an enterprise cybersecurity portfolio. Mike and his team’s mission includes executing a risk-based security strategy that supports enabling the company’s success objectives by securing and protecting both sensitive company and client information and resources.

Before joining alliantgroup, Mike was the CISO of a large global maritime classification company. He is an experienced cybersecurity professional with 20-plus years in several environments (commercial, military and government) and diverse leadership positions: CISO, senior cyber technical authority, cybersecurity/risk management consultant, cyber program manager and chief systems engineer, among others. Mike is also a retired U.S. Navy Engineering Duty Officer and federal government employee (GS-15).

Mike supports several professional associations: the FBI InfraGard, IEEE (Life Member) and ISSA/ISC2, among others. His certifications are: CISSP, CISO and Systems Engineering, along with senior qualifications in Program Management and Risk Management, and he holds a master's in electrical engineering and in management.

I have known Mike for several years, and he always brings insightful, thought-provoking content and insights to complex cyber discussions.

Dan Lohrmann (DL): What are the biggest cybersecurity risks most enterprises face?

Mike Davis (MD): To start our risk journey, we need to all have an overall risk assessment baseline — assess our vulnerability baseline and the top threats applicability to our environment. We use a periodic sampling approach from the many threat reporting sources (as part of our “CTI” program), then distill those results into the following current risk areas that we sense apply to most organizations:

• Phishing: Over 90 percent of all security incidents start here (where someone will always "click"!)
• Ransomware, including morphing malware/crypto-mining: It’s easy and profitable, and now comes with a data breach extortion threat too.
• Poor cyberhygiene: known vulnerabilities not patched (98 percent of exploits use these)
• Ineffective access controls: Identity is the new perimeter and core (ZTA) (e.g., we need multifactor authentication everywhere)
• Hostile intruders: hackers, insider threats, careless users, any malicious user
• Crime as a service: as now anyone can be a hacker, just pay the criminals
• Internet of Things security: the many atypical computing devices connected to your network
• Third-party/vendor access and risks: this is a major threat all by itself and accounts for half of all breaches
• Regulation/compliance (e.g., GDPR, SOX, PCI DSS, etc.): Fines, loss of integrity/brand and competitiveness.

Overall, start with a risk assessment to set your baseline tailoring threats and associated mitigations to your organization, develop a clear risk-value-based risk reduction plan, with OPS/IT concurrence (as they will need to support many). Then get understanding from your IT/risk steering committee (ITSC), to then do the same with senior leadership. This in an older two-page article that goes into the question overall: "Cyber risk, what really matters?" 

By the way, if you are interested in which mitigations to focus on first, skim this article on the hierarchy of cybersecurity needs from Microsoft; it follow’s the Maslow hierarchy of needs triangle, with a cyber perspective. The foundation is access control, and each layer is well described.

DL: How do you think about attacking the problem of reducing risk?

MD: Short answer: use an enterprise, holistic, Risk-Based Security Strategy (RBSS). Risk is a combination of threat, vulnerability, likelihood and impact/consequences, along with asset values. Within the risk strategy we need to provide the rationale and "cyber story" that goes with that RBSS assertion. Cybersecurity is a wide capability area with complex technical and business interactions, and must work in conjunction with a variety of other security measures: physical security, personnel security, contingency planning and disaster recovery, operational security, and privacy. Typically, one of the highest impacts from inadequate cybersecurity is a data breach, whereas most realize those damages can be extensive and expensive both in reputation and actual costs incurred.

A well-known framework for improving cybersecurity is the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) for Improving Cybersecurity, which has five phases: identify, protect, detect, respond and recover. NIST also has a small/medium business (SMB) version of this framework and processes therein called NIST-IR 7621 Rev1. This publication is a highly recommended authoritative source to use as your SMB implementation guide. We recommend folks start their risk management journey with the CIS CSC top 20 controls as their foundation, then complement that with NIST CSF. It’s also a solid basis for what "reasonable security" entails, as discussed here: "Cyber Security Risk, what does a “reasonable” posture entail, and who says so?"

Overall, as mentioned, using some form of RBSS, which includes using a risk framework that the company can align to with an approved risk appetite set of thresholds, and provide a clear risk-value-based risk reduction plan (this is a common theme!). Take vulnerability management, for example cyberhygiene; a risk-based approach is effective to minimize the greatest actual risk to the company focused on more than just critical CVEs, where you work on the top 20 or so risks each week and make measurable progress. In addition, some assets will stand out based on their individual risk scores and you can focus on those as well.

DL: Are most of the top risks known to leadership or are many unknown?

MD: I think most of the top risks are "known" to leadership at this point (phishing, ransomware, data breaches, etc.), yet what is their full comprehension, especially for the negative business impacts? I like the saying "security always costs too much, until it is not enough" as it sums up the leadership awareness gap. This means we security folks are not communicating the tops risks well enough using the vernacular they understand. We don’t focus on their key concerns, like productivity, revenue, long-term stakeholder value, resiliency and innovation, as well as overall corporate risk management. We need to tell the risk story in their lingo.

In addition, risk management reporting needs to be periodic, not once a year (or adhoc). Engage a few key business stakeholders to see what their information needs are and the style they most relate to. No death by PowerPoint — consider a one-page, or at most two-page, risk report, as executives are used to getting those. Minimize the technical jargon and use an analogy that resonates (like protecting one’s house and valuables). Ideally, your organization has documented business success factors that you can relate the top risks to. If not, then start with the generally accepted key concerns listed earlier, and the typical business success factors: market share, customer trust and relationships, new business/markets, global presence, P&L and regulatory compliance, for a few. Run your report by OPS/IT first, then a business lead that understands the risk environment, to get feedback on the content, context and usability; then share with your ITSC next. 

Overall, once you put your risk story into motion, get specific feedback on improvement, do it regularly and stay aligned with OPS/IT and a business champion. Ideally you have an ERM effort where the major business leads participate, as they will get the utility and process and support the cyberview.

DL: How do you recommend addressing known risks?

MD: Once you have a clear risk-value-based risk reduction plan, the known high-value risks need to be highlighted. By the way, the unknown risk elements need to be accounted for as well, and that entails having a Cyber Threat Intel (CTI) effort that monitors threat and vulnerability sources for new risks, TTPs and early vulnerability warnings of the systems you have (Solarwinds, Acelleron, etc.). Frequently, it’s the known risks that may not get fully addressed, like cyberhygiene, Secure SDLC, cloud security, etc., because of other operational priorities (building out new capabilities that directly support business productivity, revenue, etc.) and the full impact of the risks are not well understood by most. This risk-versus-operational-needs balance is frequently the source of why known risks are not well accounted for (e.g., patching versus building out requested revenue-enhancing capabilities).

That’s why any risk mitigation prioritization plan must start with OPS/IT — besides fully understanding the business impacts, do they have the resources to do their part? Using your risk-value-based risk reduction plan, ensure that has clear OPS/IT required support captured for all their parts, with an estimated level of effort. Then rank their efforts in terms of risk value and personnel availability, especially as that may entail the support of just a few folks who undoubtedly have other business-related tasks. This is where an integrated OPS/IT and security project plan comes in for personnel resource allocation. In addition, there are likely IT/network changes planned that might minimize the risk source or offer enhanced functions to use later on [e.g., upgrading to Microsoft E5 license which brings a lot of data and access capabilities (using “ATP” features)]. Thus the risk can be delayed to fit in with planned upgrades.

Overall, competition for resources will always be an issue for many risks, and that needs to be addressed up front. If organic support cannot be used, then external support can be proposed or management can formally accept the risk, documenting it in your risk register. Risk management is a companywide endeavor that requires a common understanding of the risk value and resource allocation. While obvious, your RBSS must factor this in from the start, yet doing so takes time and effort from all parties, which gets back to resources.

DL: Explain your approach to addressing these risks with the minimum possible cost.

MD: First assess your current security capabilities environment — are you one of those entities that has 20 to 30 security tools? Have you quantified your enterprise security risk requirements and then parsed those out to the major security capabilities, starting with taking advantage of your OEM products (Microsoft, Cisco, etc.), which have significantly advanced their features set and integrated operations in recent years. Once you do the capabilities to product mapping, the major functional overlaps will be clearer and you can proceed to rationalize what capabilities can be dropped. It’s not only the product cost that is removed, but the personnel resources to maintain and monitor them. You then have a defendable security capabilities road map, including any gaps and required new functionality.

Then comes minimizing the operational resource level of effort. As mentioned earlier, all proposed risk tasks need to have the resources to implement and maintain, the latter being frequently overlooked. Part of the capabilities to product mapping needs to include the effort to monitor, maintain and support each function. These will be rough estimates initially, but good enough to assess the sustainment effort each needs, being iterated as they are used — keeping metrics. This information can be used to justify added personnel or even outsource the risk support needed. Effective use of resources is a major part of minimizing the costs, as is using "lean" practices on resource-intensive processes.

Then, as part of the risk mitigation prioritization effort, collaborate with key stakeholders to ensure the risks are effectively quantified and understood by all. Assess all mitigations for both effectiveness and a potential phased approach, doing the more effective sub-tasks with fewer resources first. In addition, collectively explore alternative mitigations and compensating controls that could be used; that could offer effective risk reduction at reduced cost. Also as mentioned earlier, revisit the planned future state and new technologies that will minimize the risk, as innovation therein could be more cost effective.

Overall, start with the highest risk value mitigations, then factor in available resources (whereas the limitation is typically OPS/IT resources, as security is generally focused on the requirements, though their time is also limited). Rebalance your risk mitigation efforts and timeline as required and document all risks that are accepted or need additional external resources. Periodically brief any revised risk posture and required resources to leadership.

For the rest of this interview, please visit the original post at: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/reducing-cybersecurity-risk-with-minimal-resources.html