Your cyber risk problem isn’t tech, it’s architecture

If the company already has a mature risk culture, implementing a cybersecurity management program becomes more flexible. Since my goal is to share the mechanics of a successful cybersecurity program, I emphasize below some components of this ‘recipe’ to consider:

    Understand the dynamics and scope of the business: map the organization's stakeholders, processes and critical systems, categorize applications and classify data to determine the appropriate set of controls (guardrails).

    Understand the choice and application of a framework such as NIST CSF 2.0, linked with ISO 27001, COBIT, CMM, NIST SP 800-53, SABSA, TOGAF, MITRE ATT&CK, OWASP, among others.

    Start by defining vision, goals, strategies and objectives, treating what the “Govern” function of the NIST CSF defines as the GRC strategy. Example goal: “Expand a threat-driven approach across the organization and a cybersecurity GRC program aligned with business and market compliance standards.” For each goal, objectives must be defined, such as “Improve cyber risk management capabilities, update the structure to NIST CSF and also adopt the use of FAIR.”

    Within the program for measuring continuous maturity, define indicators by combining KPIs and KRIs. For example, for a critical control: “Patch application: average number of days to remediate a critical/high vulnerability in Internet-facing and critical systems.” Measured this way, the program gives stakeholders and application owners a concrete reason to resolve security issues, raises program maturity and provides transparency for executives.

    At this stage, conduct an assessment of the threats and common attack methods to which the organization is exposed and vulnerable. Aggregate all relevant information to make the process robust: a list of threats, risks, preventive and detective controls, and business risks (e.g., exposure, reputation, financial loss). Controls can be defined based on the organization's scenario, with frameworks like PCI DSS, COBIT, NIST SP 800-53, CIS Controls, NIST CSF, CRI, CMM and ISO 27001 serving as references.

    This is the critical part of the program: understanding the business-critical assets. Map applications and obtain a big picture from the results of gap analyses, risk assessments, penetration tests and even the latest audit findings to support this phase. As stated earlier, mapping applications and supporting that mapping with a business impact analysis (BIA) to align with business requirements is essential. Here, governance also plays a role, defining policies, standards and procedures for the cyber management program.

    At this point, incorporate a framework model. Personally, I favor a combination of ISO 27001, NIST CSF, NIST SP 800-30, SP 800-39 and the RMF (NIST SP 800-37). In the US financial sector, the Cyber Risk Institute (CRI) also provides excellent material for implementing a program effectively. Moreover, as many companies are already in the cloud, the CIS Controls and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) are other strong contributors. This phase can be considered the heart of the project, given its delicacy: it is where the organization's risk appetite and tolerance are defined, aligned with business objectives. Therefore, stakeholder engagement is critical at this stage to foster a risk culture that will determine project success. The CISO's organizational structure in relation to the cybersecurity domains, which is essential to the program, must also be present, considering the Identify, Protect, Detect, Respond and Recover functions of the NIST CSF. I also note that the first function, Govern, was addressed earlier, where I pointed out other crucial aspects of the program.

    Another important factor, developed in parallel with raising the risk culture, is a continuous information security awareness process. This should include all employees, especially those involved in incident management and cyber resilience. For this group, I recommend tabletop exercises simulating crisis scenarios such as ransomware, phishing, AI-enabled attacks, sensitive data leakage, etc. This helps prepare the organization to be more resilient in times of crisis. I also highlight the importance of training software developers in secure development best practices, since today everything is defined in code (APIs, containers, serverless, etc.), requiring attention to practices such as SAST, DAST, SCA, RASP, threat modeling and penetration testing, among others.

    From a technical standpoint, select and implement appropriate controls from the NIST CSF functions: Identify, Protect, Detect, Respond and Recover. The selection of each control for building guardrails will depend on the overall cybersecurity big picture and market best practices. For each identified issue, the corresponding control must be determined, each monitored by the three lines of defense (IT and cybersecurity, risk management, and audit).
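One way to turn the patch-remediation KPI/KRI above into a repeatable measurement, as an added example that is not part of the original article: the script below computes the metric over a constructed set of vulnerability findings. The SLA targets, record fields and sample findings are assumptions for illustration. It deliberately reports open findings and SLA breaches next to the mean, because an average computed only over remediated findings hides the oldest unpatched Internet-facing exposures, which is exactly what executives need to see.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding as a scanner or ticketing export might provide it (assumed schema)."""
    finding_id: str
    severity: str               # "critical", "high", "medium" or "low"
    internet_facing: bool       # asset reachable from the Internet
    business_critical: bool     # asset tagged critical in the BIA
    discovered: date
    remediated: Optional[date]  # None means the finding is still open


# Assumed remediation SLA, in days, per severity; only these severities are in scope.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30}


def in_scope(f: Finding) -> bool:
    """Critical/high findings on Internet-facing or business-critical systems."""
    return f.severity in SLA_DAYS and (f.internet_facing or f.business_critical)


def days_open(f: Finding, as_of: date) -> int:
    """Age of a finding: discovery to remediation, or to the reporting date if still open."""
    end = f.remediated if f.remediated is not None else as_of
    return (end - f.discovered).days


def patch_kpi(findings: List[Finding], as_of: date) -> Dict[str, float]:
    """Compute the 'patch application' KPI plus the KRIs that keep it honest."""
    scope = [f for f in findings if in_scope(f)]
    closed = [f for f in scope if f.remediated is not None]
    still_open = [f for f in scope if f.remediated is None]
    # Average days to remediate over closed findings only (the KPI as worded).
    mttr = mean(days_open(f, as_of) for f in closed) if closed else 0.0
    # KRI: findings past SLA, counting open ones by their age as of the report date.
    breached = [f for f in scope if days_open(f, as_of) > SLA_DAYS[f.severity]]
    return {
        "in_scope": len(scope),
        "remediated": len(closed),
        "open": len(still_open),
        "mttr_days": round(mttr, 1),
        "sla_breaches": len(breached),
        "sla_breach_rate": round(len(breached) / len(scope), 2) if scope else 0.0,
        "oldest_open_days": max((days_open(f, as_of) for f in still_open), default=0),
    }


# Constructed sample findings for the example; not real scan data.
AS_OF = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("F1", "critical", True, False, date(2024, 6, 1), date(2024, 6, 5)),   # 4 days, within SLA
    Finding("F2", "high", True, False, date(2024, 5, 1), date(2024, 6, 15)),      # 45 days, breached
    Finding("F3", "critical", False, True, date(2024, 6, 20), None),              # open 10 days, breached
    Finding("F4", "medium", True, False, date(2024, 6, 1), None),                 # out of scope: medium
    Finding("F5", "high", False, False, date(2024, 6, 1), None),                  # out of scope: non-critical asset
    Finding("F6", "high", False, True, date(2024, 6, 10), date(2024, 6, 20)),     # 10 days, within SLA
]


def compute_sample() -> Dict[str, float]:
    """Run the KPI over the constructed sample as of AS_OF."""
    return patch_kpi(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    for name, value in compute_sample().items():
        print(f"{name}: {value}")
```

In the sample, the mean remediation time looks acceptable (about 20 days), while the breach rate shows that half of the in-scope findings missed their SLA, one of them a critical finding that is still open. Reporting both numbers is what makes the indicator useful as a KRI rather than only a KPI.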

I can’t detail the full list of appropriate controls for each scenario in this article, but I suggest consulting frameworks such as NIST CSF, the NIST AI RMF, CIS Controls, CSA CCM, CRI, PCI DSS, OWASP and ISO 27001/27002, which specify each type of control. Example: “Threat intelligence to identify and evaluate new cyber threat scenarios that can help the organization mitigate impacts.”

Finally, the cyber management program must also consider legal, regulatory and regional requirements, including privacy and cybersecurity laws. This covers LGPD, CCPA, GDPR, FFIEC guidance, central bank regulations, etc., and the consequences of non-compliance, which can pose serious issues for the organization.

Phew... I hope I have managed to provide a brief overview of architecture and how to build a cyber risk management program aligned with business requirements in a simplified way. Remember that this is a suggested path I have used and proposed to leaders of organizations I’ve worked with. In general, a well-designed and implemented architecture underpins the entire program and is essential to its success. I reiterate that the alignment between architecture, GRC and the CISO’s role has the potential to determine how much the organization can elevate its capacity against threats and improve its cybersecurity posture.

As a well-known proverb says: “I was with him as your architect; day after day I was his delight, rejoicing always in his presence.” May this knowledge contribute to the success of your cybersecurity program. Retain what is good!

Note on sources: I wrote this column based on my experience in my job, in other words, real life inside the organization. Last year I finished my short course on cyber risk management at Harvard, and I had to develop a cyber risk plan. This article was based on that project as well as my experience in cyber risk working for various organizations. Sources used include NIST CSF, CRI and the Cloud Security Alliance. For mentions of ISC2, I’m an instructor for the CCSP and CGRC certifications, and ISC2 provides some materials for the GRC perspective.

This article is published as part of the Foundry Expert Contributor Network.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4069616/your-cyber-risk-problem-isnt-tech-its-architecture.html
