Threat-informed strategy. Is it time to rethink the risk-centric cyber strategy?

"The supreme art of war is to subdue the enemy without fighting." Sun Tzu

Drawing inspiration from Sun Tzu's wisdom, we must reconsider traditional cybersecurity paradigms. For years, the concept of "risk" has been the cornerstone of cybersecurity dialogues, fortified by extensive risk assessments and models. However, as we confront an increasingly unpredictable digital landscape marked by evolving cyber threats, there's a compelling case to shift our focus. Isn't it time for organizations to transition from a risk-centered paradigm to a more proactive and effective threat-informed cybersecurity strategy?

The fallacy of risk assessments

Conventional risk assessment models are poorly suited to today's dynamic cybersecurity landscape. For a start, they centre on an unrealistic quest for precise quantification of threats whose likelihood is, in essence, unknowable. This gives business leaders a false sense of security, implying that threats are known, manageable and, most misleadingly, quantifiable. Because the threat landscape moves so quickly, such point-in-time assessments are outdated almost as soon as they are signed off. Their value as an input to cybersecurity decision-making is therefore highly questionable.

Flawed assumptions and financial risk models

Traditional risk models borrow heavily from the financial sector, treating cyber threats as finite and calculable. This is far from the truth. Financial models work because they rest on large historical datasets and reasonably stable distributions; cybersecurity has neither, because it is a rapidly evolving battleground with adaptive adversaries who change tactics in response to defences. Importing those models assumes a finite set of outcomes, and misleadingly encourages investment in cybersecurity solutions that cannot adequately control or mitigate the underlying uncertainty.

The Need for a Shift in Perspective: From Risk to Threat Exposure Management

We must replace this outdated vocabulary and methodology. An effective cybersecurity organisation should manage threat exposure, not risks. In the age of AI-empowered cyber-attacks, the probability that an organisation will be targeted is effectively 100%. For example, the chance that a phishing email carrying a ransomware lure will land in a corporate inbox is a certainty, not a probability. It's not about "if" anymore; it's about "when."

Prioritising threat intelligence and exposure management

At the heart of the new approach should be a robust threat intelligence framework and program. In contrast to focusing on yesterday's problems through outdated risk assessments, threat intelligence aims to provide near-real-time information on who is attacking, how, and with what tooling. This informs immediate action, enabling an organisation to adapt to new threats dynamically. Enterprises should also invest in automated response and behaviour-based detection capabilities to reduce their exposure to known threats while actively seeking to identify emerging ones.

Dealing with Uncertainty

While defined threats are manageable, there exists a vast cloud of unknown and undefined threats, often termed 'uncertainty'. Traditional risk models fail to capture this aspect of cybersecurity. Instead of trying to predict the unpredictable, organisations should adopt foundational cybersecurity practices such as "zero trust" and the architectural principles relevant to 2023 (least privilege, segmentation, default-deny), which focus on minimising exposed vulnerabilities and improving resilience against unknown threats.

Tactical and Strategic Threat Intelligence

While tactical intelligence informs immediate decisions about current threats, strategic intelligence helps in long-term planning. Both forms of intelligence are crucial for effectively navigating the uncertainty that characterises the cyber landscape.

Exposure Management

Exposure management revolves around reducing the attack surface: the set of entry points, exposed services, identities and dependencies through which an attacker can reach a system, together with the vulnerabilities present in them. By shrinking that surface and closing the vulnerabilities it exposes, businesses can better manage their exposure to potential threats.

A New Approach to Cybersecurity Strategy

Adopting a threat-informed cybersecurity approach essentially acknowledges the inherently volatile nature of the cyber landscape, conceding that achieving complete security is an unrealistic aim. Rather than attempting to govern "risks," organisations should pivot towards minimising "threat exposure." This requires understanding both current and emergent threats, assessing the degree of vulnerability to these threats, and building the capacity for organisational resilience.

In contrast to traditional risk management that often leans heavily on theoretical constructs, a threat-informed cybersecurity strategy actively concentrates on the identification and management of both existing and potential threats. This avoids the limitations related to uncertainty and probability that characterise conventional risk-based models. Threat-informed methods are anchored in empirical data and translate directly into actionable steps, incorporating several crucial techniques.

Threat Hunting

This proactive approach involves searching for malicious activities that may have evaded traditional security mechanisms. Threat hunting doesn't just wait for alarms to go off; it actively seeks out anomalies that may indicate a security threat, thereby providing an additional layer of protection.

Detection Engineering

Complementary to threat hunting, detection engineering turns hunting hypotheses and confirmed findings into durable, tested detection logic. Tailored to the organisation's environment and the adversary behaviours it actually faces, these detections offer far greater sensitivity and specificity than generic vendor rules.
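An added example of the hunt-to-detection workflow described in the two sections above (illustrative code written for this page, not tooling from the article or any product). It runs over a handful of constructed process-creation events in a simplified EDR-like shape; the field names, the Office and shell image lists, the allowlist and the command-line indicator list are all assumptions. The hunt surfaces every rare parent/child pair, benign ones included; the detection rule keeps the same hypothesis but adds scoping, an allowlist and command-line indicators, which is where the extra specificity comes from.

```python
"""Hunt-to-detection: a rarity hunt over process-creation events, then the
same hypothesis hardened into a tuned detection rule.

Added illustrative code, not from the article. Events are constructed and use
a simplified EDR-like shape; field names and image lists are assumptions.
"""

# Constructed sample events: (host, parent_image, child_image, command_line)
EVENTS = [
    ("ws01", "WINWORD.EXE", "splwow64.exe", "splwow64.exe 12288"),
    ("ws02", "WINWORD.EXE", "splwow64.exe", "splwow64.exe 12288"),
    ("ws03", "WINWORD.EXE", "splwow64.exe", "splwow64.exe 12288"),
    ("ws04", "EXCEL.EXE", "splwow64.exe", "splwow64.exe 12288"),
    ("ws05", "OUTLOOK.EXE", "WINWORD.EXE", "winword.exe /n"),
    ("ws06", "OUTLOOK.EXE", "WINWORD.EXE", "winword.exe /n"),
    ("ws07", "WINWORD.EXE", "powershell.exe",
     "powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("ws08", "explorer.exe", "powershell.exe", "powershell -File C:\\scripts\\backup.ps1"),
    ("ws09", "EXCEL.EXE", "cmd.exe", "cmd /c whoami"),
    ("ws10", "explorer.exe", "cmd.exe", "cmd /c dir"),
]

OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe"}
# Tuned out after the hunt review: the print spooler helper and Outlook opening Word
BENIGN_OFFICE_CHILDREN = {"splwow64.exe", "winword.exe", "excel.exe"}
# Command-line indicators that raise severity (assumed list)
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-nop")


def hunt_rare_children(events, max_hosts=1):
    """Hunting step: return (parent, child) pairs seen on at most `max_hosts`
    distinct hosts. Rarity is the hypothesis; an analyst reviews the hits,
    and this stage deliberately does not decide what is malicious."""
    hosts_per_pair = {}
    for host, parent, child, _cmd in events:
        hosts_per_pair.setdefault((parent.upper(), child.lower()), set()).add(host)
    return sorted(pair for pair, hosts in hosts_per_pair.items()
                  if len(hosts) <= max_hosts)


def detect_office_spawning_shell(events):
    """Detection-engineering step: the hunt hypothesis turned into a rule.
    Scope to Office parents, drop allowlisted children, require a shell
    child, and grade severity from command-line indicators so each alert
    carries context the analyst would otherwise have to go and find."""
    alerts = []
    for host, parent, child, cmdline in events:
        parent_u, child_l = parent.upper(), child.lower()
        if parent_u not in OFFICE_PARENTS or child_l in BENIGN_OFFICE_CHILDREN:
            continue
        if child_l not in SHELL_CHILDREN:
            continue
        lowered = cmdline.lower()
        indicators = [flag for flag in SUSPICIOUS_FLAGS if flag in lowered]
        alerts.append({
            "host": host,
            "parent": parent_u,
            "child": child_l,
            "severity": "high" if indicators else "medium",
            "indicators": indicators,
        })
    return alerts


if __name__ == "__main__":
    print("hunt candidates:", hunt_rare_children(EVENTS))
    for alert in detect_office_spawning_shell(EVENTS):
        print("alert:", alert)
```

On this sample the hunt returns five rare pairs, three of which are benign (a print helper under Excel, PowerShell and cmd under Explorer); the rule fires on only the two Office-to-shell events and grades the encoded, hidden-window PowerShell launch as high. The allowlist is the part that must be maintained: every entry is a tuning decision taken after a hunt review, and it should be revisited when the environment changes.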

Asset prioritisation and continuous monitoring

By continuously prioritising assets based on real-world threat data, such as which vulnerabilities are being exploited in the wild and which systems are reachable from the internet, the organisation can allocate resources more effectively. Continuous monitoring ensures that anomalies on the most important assets are detected and dealt with as they occur.
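An added example of exposure-driven asset prioritisation, covering both the attack-surface point under Exposure Management above and the prioritisation step here (written for this page, not from the article). The inventory, the CVE identifiers, the CVSS values and the 'exploited in the wild' set are all constructed placeholders, and the weights are assumptions chosen to make the contrast visible, not a published scoring scheme. It ranks the same assets by CVSS alone and then by a score that folds in observed exploitation, internet reachability and business criticality.

```python
"""Threat-informed asset prioritisation: rank remediation work by observed
exploitation and reachability, not by CVSS severity alone.

Added illustrative code, not from the article. The inventory, CVE identifiers,
CVSS values, 'exploited in the wild' set and weights are all constructed
placeholders and assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    internet_exposed: bool          # reachable from outside: part of the attack surface
    business_criticality: int       # 1 (low) .. 3 (crown jewel)
    cves: dict = field(default_factory=dict)   # cve_id -> CVSS base score


# Constructed inventory (placeholder CVE ids, not real advisories)
ASSETS = [
    Asset("vpn-gw", True, 3, {"CVE-0000-1001": 7.2}),
    Asset("hr-db", False, 3, {"CVE-0000-1002": 9.8}),
    Asset("marketing-cms", True, 1, {"CVE-0000-1003": 6.5, "CVE-0000-1004": 5.3}),
    Asset("dev-jenkins", False, 2, {"CVE-0000-1005": 9.1}),
]

# Constructed threat-intel feed: CVEs with exploitation observed in the wild
EXPLOITED_IN_WILD = {"CVE-0000-1001", "CVE-0000-1003"}

# Assumed weights; tune them against the organisation's own incident history
EXPLOITED_WEIGHT = 2.0
EXPOSED_WEIGHT = 1.5


def cvss_only_score(asset):
    """Baseline: the worst CVSS score on the asset, ignoring all context."""
    return max(asset.cves.values(), default=0.0)


def threat_informed_score(asset, exploited=EXPLOITED_IN_WILD):
    """Worst CVE on the asset after weighting for real-world exploitation,
    internet reachability and what the asset is worth to the business."""
    best = 0.0
    for cve, cvss in asset.cves.items():
        score = cvss
        if cve in exploited:
            score *= EXPLOITED_WEIGHT     # evidence of attacks outranks theory
        if asset.internet_exposed:
            score *= EXPOSED_WEIGHT       # opportunistic actors can reach it
        score *= asset.business_criticality / 3
        best = max(best, score)
    return round(best, 2)


def rank(assets, scorer):
    """Asset names ordered from most to least urgent under `scorer`."""
    return [a.name for a in sorted(assets, key=scorer, reverse=True)]


if __name__ == "__main__":
    print("CVSS-only order:      ", rank(ASSETS, cvss_only_score))
    print("threat-informed order:", rank(ASSETS, threat_informed_score))
```

CVSS alone puts the internal HR database and the developers' Jenkins first; the threat-informed score moves the internet-facing VPN gateway with a known-exploited flaw to the top and drops Jenkins to last, because nobody is observed exploiting its flaw and it is not reachable from outside. The scores themselves are not the point; the ordering changes because the inputs now include what attackers are actually doing and what they can actually reach.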

Actionable steps for organisations

  1. Replace traditional risk assessment models with continuous threat intelligence programs.
  2. Invest in technologies that reduce threat exposure, such as automated detection and response mechanisms.
  3. Maintain an ongoing dialogue about the realities of cybersecurity, highlighting the uncertainties and focusing on exposure management.
  4. Adopt a 'default to deny' policy and integrate 'zero trust' architecture where feasible.
  5. Make 'threat exposure management' the new lexicon for cybersecurity within the organisation.

Expected ROI

  1. Reduced Incident Costs: By proactively identifying and neutralising threats, organisations can minimise the financial damage arising from data breaches or system outages.
  2. Operational Efficiency: Automation in threat detection and remediation can reduce the manpower needed for monitoring, thereby reducing operating costs.
  3. Legal & Regulatory Compliance: Advanced threat-informed measures can help in meeting industry regulations, potentially avoiding fines and legal consequences.
  4. Customer Trust: Superior security measures can serve as a selling point, strengthening customer trust, and potentially driving sales.
  5. Lower Insurance Premiums: Robust security protocols can sometimes result in reduced premiums for cyber insurance.
  6. Resource Allocation: By focusing on real-world threats, organisations can better allocate their financial resources towards security mechanisms that provide the best ROI.

Business Outcomes

  1. Enhanced Reputation: Adopting state-of-the-art cybersecurity measures can build an organisation's reputation as a secure and reliable partner or vendor.
  2. Business Continuity: An effective threat-informed strategy is geared towards ensuring that the business remains operational, even in the face of emerging threats.
  3. Strategic Advantage: Access to advanced threat intelligence can offer a strategic advantage over competitors who are less well-informed and prepared.
  4. Customer Confidence: Customers are increasingly considering cybersecurity when choosing providers, so a strong security posture can be a differentiator.
  5. Increased Market Share: A strong reputation for security can lead to increased customer acquisition and retention, ultimately boosting market share.
  6. Innovation & Digital Transformation: A threat-informed strategy supports safer innovation and digital transformation efforts, empowering the business to stay ahead of competitors without undue risk.
  7. Stakeholder Confidence: Investors, shareholders, and partners are more likely to engage with a business that can demonstrate a robust approach to cybersecurity, thereby facilitating fundraising or strategic alliances.
  8. Scalability: A threat-informed cybersecurity framework is often more scalable, allowing the business to adapt as it grows or as the threat landscape evolves.
  9. Competitive Differentiation: Being able to tout a superior, threat-informed cybersecurity strategy can set a business apart in RFPs, tenders, and partnerships.
  10. Employee Satisfaction: Knowing that their work environment is secure can improve employee morale and productivity.

Conclusion

It's time to break away from traditional risk management models that no longer serve the cybersecurity community effectively. A shift to a threat-informed strategy is not just an upgrade; it's a necessity. By focusing on real threats, actively managing exposures and prioritising resilience, organisations can build systems that withstand both the attacks they expect and the ones they cannot predict. Understanding that we operate in a realm filled with uncertainty is the first step towards creating a cybersecurity strategy rooted in the reality of today's complex digital landscape.

James Robinson

Cybersecurity | Managed IT | Process Automation | Cybersecurity Consultant at iT360

1 year

A really valuable read. Thanks for taking the time to articulate this. From someone (me) clearly not as deep in the details as yourself: When you speak of “threat exposure”, is that not just another way to say “risk”? Perhaps a better or previously-missing way to measure risk but risk based nonetheless? Are we really moving _away_ from a risk-based approach or simply maturing and refining the approach by using better ways of identifying the level of risk?
