How To Integrate Compliance Guidelines and Cybersecurity Risk
Cybersecurity is all about risk management. You are trying to best manage the various risks so that your protected organization does not get significantly compromised by hackers or malware. My favorite book, A Data-Driven Defense (https://www.amazon.com/Data-Driven-Computer-Defense-Way-Improve/dp/1092500847) is all about risk management.
Cybersecurity frameworks and compliance requirements are trying to push this idea home. Just a half decade ago, most of them did not mention the words ‘risk management’. I have been doing cybersecurity for 35 years and I spent a large part of my career trying to get defenders to tie compliance frameworks to real risk reduction because it does not happen automatically. You have to work at it. And it is harder when the cybersecurity framework or compliance document you are following does not tie risk management to compliance efforts. That was usually the case for decades. But it is not the case anymore. Today, risk management is a big part of what most compliance documents discuss…sometimes ad nauseam.
Let’s take the latest draft of the NIST Cybersecurity Framework (https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd). The word ‘risk’ is mentioned 346 times in the NIST Cybersecurity Framework 2.0 document. It is first mentioned in the second sentence. The document summarizes itself as, “The NIST Cybersecurity Framework 2.0 provides guidance to industry, government agencies, and other organizations to reduce cybersecurity RISKS [emphasis added].” Sections three and four, 12 pages long, are largely dedicated to integrating compliance efforts with risk management.
NIST even has an entire document, IR 8286 (https://csrc.nist.gov/pubs/ir/8286/final), discussing how to integrate cybersecurity and risk management. The main document is 74 pages long and has four related companion documents (Part A, 61 pages long; Part B, 45 pages long; Part C, 43 pages long; and Part D, 25 pages long). And all of their risk management advice is gold! Gold, I tell you!
Note: The ISO standard for risk management is ISO 31000:2018 (https://www.iso.org/standard/65694.html).
PCI DSS v4.0 (https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf) mentions risk 270 times. In Section eight, Approaches for Implementing and Validating PCI DSS, it discusses a “Customized Approach,” intended for “risk-mature entities…who take an organization-wide risk management approach.”
The Center for Internet Security CIS Controls (https://www.cisecurity.org/controls) focuses a ton on risk management, more so than perhaps any other cybersecurity guide. And they are the best at tying actual, popular cyber risks to the best controls to fight them, in what they call their CIS Community Defense Model (https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0). Using the CIS CDM, users can tie the most popular types of attacks (as attested to by the Verizon Data Breach Investigations Report) to the attack methods used (as defined by MITRE’s ATT&CK framework) and tie those to CIS’s recommended controls. It is genius, and allows a follower to calculate exactly how much their implemented controls reduce the risk of a particular threat (as shown in the figure below):
No risk management solution is perfect, but CIS’s CDM is one of the best I have seen. If you have not checked out CIS, its controls, and its CDM, you should.
All of this is to say that nearly every cybersecurity compliance guide now encourages followers to implement a risk management framework around their compliance efforts. It is the way it should have always been done, and if you are not doing compliance with a risk management integration, you are doing it wrong.
So, how do you integrate compliance and cybersecurity risk management? Here are the summary steps:
1. Identify all the possible cyber threats your organization faces.
2. Rank the cybersecurity threats according to their likelihood and possible damage impacts on your organization.
3. Pick a cybersecurity framework or compliance guide your organization will follow.
4. Map the recommended controls to how well they mitigate the biggest threats you have identified against your organization.
5. Identify weaknesses and gaps in existing organizational controls against mitigating the biggest threats, and rectify them.
Then, you can build a prioritized action plan for what new controls you are putting in place and what existing weak controls you are improving. Contrast this to picking a controls document, and trying to implement the hundreds of controls each one contains, all at once, without any consideration of risk and prioritization. The latter is a fool’s errand doomed to failure. The former is a data-driven defense that prioritizes the most important threats and controls.
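The five steps, and the CDM-style mapping of attack methods to controls described earlier, carried through as an added worked example (not the author's or CIS's own code or figures): threats are ranked by likelihood times impact, each control is mapped to the entry paths it blocks, residual risk is computed per threat, and the partially deployed controls are ranked by how much risk finishing them would remove. All threat names, likelihoods, impacts, entry-path labels and coverage fractions are constructed sample values.

```python
"""Worked version of the five steps above. All names, likelihoods, impacts and
coverage fractions are constructed sample figures, not CIS CDM or DBIR data."""
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float   # step 2: chance it occurs this planning period (0..1)
    impact: float       # step 2: expected loss if it does (arbitrary units)
    entry_paths: tuple  # how it breaks in, e.g. ATT&CK-style technique labels

@dataclass(frozen=True)
class Control:
    name: str
    stops: dict         # entry path -> fraction of attempts blocked when fully deployed
    deployed: float     # how completely it is in place today (0..1)

def residual_risk(threat, controls):
    """Step 4: risk left after the controls, assuming the attacker takes the
    least-defended entry path and each control is an independent layer."""
    surviving = max(prod(1.0 - c.stops.get(p, 0.0) * c.deployed for c in controls)
                    for p in threat.entry_paths)
    return threat.likelihood * threat.impact * surviving

def prioritize_gaps(threats, controls):
    """Step 5: rank partially deployed controls by how much total residual risk
    finishing their deployment would remove; this is the action-plan order."""
    base = sum(residual_risk(t, controls) for t in threats)
    gains = []
    for i, c in enumerate(controls):
        if c.deployed < 1.0:
            trial = controls[:i] + [Control(c.name, c.stops, 1.0)] + controls[i + 1:]
            gains.append((c.name, base - sum(residual_risk(t, trial) for t in threats)))
    return sorted(gains, key=lambda g: g[1], reverse=True)

THREATS = [  # steps 1 and 2, constructed figures
    Threat("Phishing-delivered malware", 0.8, 500, ("phishing",)),
    Threat("Exploit of unpatched internet-facing app", 0.4, 800, ("public-app exploit",)),
    Threat("Account takeover via reused passwords", 0.6, 300, ("valid accounts", "phishing")),
]
CONTROLS = [  # steps 3 and 4, framework controls mapped to entry paths (constructed coverage)
    Control("Security awareness training", {"phishing": 0.5}, 0.5),
    Control("Email filtering", {"phishing": 0.7}, 0.9),
    Control("Patch management", {"public-app exploit": 0.8}, 0.3),
    Control("Multi-factor authentication", {"valid accounts": 0.9}, 0.2),
]

if __name__ == "__main__":
    for name, gain in prioritize_gaps(THREATS, CONTROLS):
        print(f"{name:30} removes {gain:6.1f} risk units if fully deployed")
```

With these sample numbers the half-deployed patch program tops the action plan even though the phishing threat has the highest inherent risk, because phishing is already layered behind two controls while the exposed application is not.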
One more point before I finish on this topic. You should recognize that your biggest threats are how something breaks into your devices and environments, not necessarily the outcomes of those break-ins. What I mean is that an outcome like ransomware is not your biggest threat. You are not going to have a control that says something like, “Stop ransomware!”. While that is nice, that is not an actionable control. Your controls should prevent the break-in methods that lead to those outcomes. Your controls are going to be things that mitigate social engineering, force better patch rates, prevent weak and reused passwords, etc. If you do your controls correctly, they will help mitigate all potential threats and not just a single class of threat.
If you do not already do risk management integration with your security compliance frameworks, you should.