John Bruggeman, Consulting CISO at OnX, connects with virtual CISO Tom Siu of Inversion6 in this episode of Inside the CISO's Office. We tackled how CISOs can support cyber risk management initiatives within their organizations and the adjustments required to stay ahead of ever-evolving cyber threats. We also covered rubrics for recognizing and ranking cyber risks and the importance of involving a broad set of stakeholders in IT security, particularly regarding disaster recovery and business continuity planning.
Finding clarity in a swarm of threats
As businesses become digitalized and dependent on technology, their cyberattack vulnerabilities increase. New attack surfaces, evolving cyber threats, and multiplying security platforms can cause indecision and notification fatigue and require CISOs to navigate what we cybersecurity professionals have begun to call the “fog of more.”
In light of these hurdles, Tom highlighted the value of a pre-established set of principles for identifying cyber risks. “I’m an abstract type of person,” said Tom. “You could go through a checklist, but that checklist may have aged in five minutes from the different types of threat spaces.” Instead, Tom emphasized, a threat modeling strategy can help you determine your risks and priorities before an emergency occurs.
First established in 1999 by Carnegie Mellon’s Software Engineering Institute, the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) threat modeling methodology is Tom’s preferred way to prioritize and manage cyber risk. CISOs can leverage this framework to guide discussions with company leadership around cybersecurity priorities: high-value assets, urgent remediations, and incident response planning, among others.
Find the threat modeling and vulnerability assessment tools that suit your organization best:
- The STRIDE model (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege): Categorizes threats and their associated strengths.
- Process for Attack Simulation and Threat Analysis (PASTA): Incorporates cross-functional expertise and business context.
- Common Vulnerability Scoring System (CVSS): NIST’s tool for assessing the severity of vulnerabilities.
- LINDDUN (Linking, Identifying, Non-repudiation, Detecting, Data disclosure, Unawareness, Non-compliance): A framework focused on identifying risks to user privacy.
- Rapid Risk Assessment (RRA): Provides a swift preliminary analysis of a service’s value and vulnerabilities in a business context.
Cyber risk management principles may appear intimidating for stakeholders in non-technical roles, but threat modeling offers an accessible context for these critical conversations. Cross-functional, transparent discussions allow non-IT functions to contribute their expertise to cybersecurity strategy, which fosters alignment and investment.
Threat modeling’s simplicity means it doesn’t require technologists or in-depth study. Regarding threat trees within a modeling framework, Tom says they help your end users see the program you’re trying to lay out.
The overlap between physical risk and cyber risk management
It is no longer possible to draw a bright line between physical security and cybersecurity—a reality particularly clear in cases like the cyberattack on Colonial Pipeline, which disrupted the real-world operation of equipment and movement of assets. Incidents like these highlight the necessity of cross-functional collaboration for successful cyber risk management and provide a compelling narrative for organizational leadership.
According to Tom, cybersecurity events should prompt self-reflection and inspire new perspectives.
News stories showcase the varied—and potentially dangerous—impacts that a cyberattack can have. While some threats present relatively minor inconveniences, others can freeze a business for months while the IT team isolates and remediates the affected machines.
Some incidents can even cause extensive property damage. In the early 2000s, the Stuxnet worm caused centrifuges in nuclear research laboratories to unbalance and destroy themselves. However, cross-functional preparation enables companies to craft incident response plans that account for more of these possibilities.
Risk management starts with disaster recovery
Most businesses have embraced the reality of the modern cyber risk landscape and recognized that security incidents are a question of when, not if. Given this inevitability, many cybersecurity strategies begin with incident response planning and build outward.
Incident response is crucial to effective cyber risk management, but Tom pointed out an under-recognized pillar of security strategy that he believes should take more of a central role: recovery.
Business continuity and disaster recovery are often not part of a security team’s purview; instead, they reside with IT Operations or another technology group. CISOs must account for recovery. Robust recovery planning offers a safety net for your business, giving you greater flexibility in your incident response, but it relies on buy-in across your organization.
Without protocols, incident response can become unmanageable, lengthening your downtime.
Information security is as critical as physical security in today’s risk landscape, but not every organization’s hierarchy has caught up to the realities of cyber risk management. Therefore, CISOs must cultivate consensus among organizational leadership to advance their security goals. Disaster recovery planning offers a valuable tool to illustrate the risks and bring the most critical stakeholders into alignment.
OnX is your guide in a changing threat landscape
Digital vulnerabilities for modern businesses continue to multiply, and the rate of cyberattacks is ticking rapidly upward. As cyber risk evolves, your organization needs expert guidance to protect your most critical assets and operations.
OnX is your trusted partner in securing your business against the rising tide of cyber threats. Whether you are just starting with a vulnerability assessment or seeking fully managed, expert monitoring, OnX offers the services to support you at every stage of your cybersecurity journey. The tools and industry knowledge available with OnX will help you build the defenses you need in today’s risk landscape.
Contact OnX today and take your next step toward best-in-class cybersecurity.