Risk-based approach to cybersecurity makes sense for everyone

The floodgates are open or soon should be. The administration has released its 2019 budget for the federal government. Which cybersecurity initiatives will receive the nod? We will soon find out.

My hunch is that those cyber projects focused on risk will be high on the priority list of most agencies. “Risk” seems to be the talk of the town lately.

Whereas in the past, agencies took a technology-based approach, layering on cyber tools to keep bad actors out, today, because of the complexity of threats, the abundance of data and limited resources, they are shifting to a risk management approach. That means identifying the data assets that matter most to the mission, the ones whose compromise would hurt the mission the most, and then mitigating the threats and vulnerabilities that put those particular assets at risk.

The risk-based approach seems like common sense, especially given the cyber skills shortage plaguing every industry, government included. According to a 2018 survey by analyst firm Enterprise Strategy Group, 51 percent of IT and security professionals reported that their organization had a problematic shortage of cybersecurity skills. The Center for Cyber Safety and Education recently estimated a global shortage of 1.8 million cybersecurity professionals by 2022.


A risk-based approach enables agencies to focus their limited resources on the assets that matter most. Instead of getting buried in an avalanche of threat alerts, analysts focus their efforts on only those that would cause the most damage to the mission.

However, as logical as this approach may seem, a divide still exists between the analysts in security operations centers who are tasked with mitigating critical threats and vulnerabilities, and federal cyber C-leaders such as CISOs, CSOs and CIOs.

Since most cyber analysts have lived and breathed technology for their entire careers, they are accustomed to thinking and speaking in that technology-focused language. They prioritize which vulnerabilities to remediate first based on the criticality scores their cyber scanning tools deliver. C-leaders, on the other hand, are embracing the risk-based approach. They want vulnerability remediation to be prioritized based on which vulnerabilities, if exploited by a threat, would impact the mission the most.

A scanner's criticality score rates the vulnerability in isolation; it does not know which asset the flaw sits on, what is behind it, or whether any threat can actually reach it, so it cannot reflect mission impact. For example, an unlocked window is a security vulnerability. But if that window is on the 50th floor of a high rise, it is unlikely that a burglar would scale the building to break in, and therefore it does not present much of a risk.

However, under a criticality ranking system, that unlocked window would receive the same critical score as a window on the first floor, or a window on the first floor with the Hope Diamond inside the room. Clearly, if the Hope Diamond were inside a first-floor room with an unlocked window, that vulnerability should be prioritized and remediated first.

Yet the criticality scores rank all three scenarios the same, so responders may waste time locking the window on the 50th floor first while the first-floor window stays unlocked, exposing the Hope Diamond.

A risk-based approach in this scenario would prioritize the first-floor unlocked window with the Hope Diamond inside.

Using a risk-based approach lets agency analysts understand exactly what they need to do each day to reduce risk the most. It keeps them from chasing alerts that pose no real risk, and it makes their workload manageable, avoiding the burnout, turnover and missed alerts that come with stress and exhaustion.

So how can SOC analysts get on the same page as their C-leaders?

It starts with defining risk. Risk is the potential for loss from some event. It arises when a threat and a vulnerability align against an asset of value. A threat without a vulnerability is not a risk. A threat to an asset whose compromise would cause minimal mission impact is not a risk either, or at least not a significant one.
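To make the unlocked-window scenario and this definition concrete, here is an added example (not code from the article or from Bay Dynamics) that scores a set of constructed scanner findings two ways: by the scanner's severity alone, and by risk as the product of severity, threat likelihood and mission impact. The scoring model, the 0-1 scales, the asset names and the finding IDs are all assumptions made for illustration; real programs would source threat likelihood and mission impact from exposure data and an asset inventory.

```python
"""Severity-only vs. risk-based prioritization of scanner findings.

Added example, not code from the article or from Bay Dynamics. The scoring
model (risk = scanner severity x threat likelihood x mission impact), the
0-1 scales and the sample findings are all assumptions constructed to make
the article's unlocked-window analogy concrete.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding on one asset. All values here are constructed."""
    finding_id: str
    asset: str
    severity: float           # scanner criticality, 0-10 (CVSS-like base score)
    threat_likelihood: float  # 0-1: can a real threat reach and exploit it?
    mission_impact: float     # 0-1: damage to the mission if the asset falls

    def __post_init__(self) -> None:
        if not 0.0 <= self.severity <= 10.0:
            raise ValueError(f"{self.finding_id}: severity must be 0-10")
        for name in ("threat_likelihood", "mission_impact"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{self.finding_id}: {name} must be 0-1")


def risk_score(f: Finding) -> float:
    """Risk as the article defines it: a threat and a vulnerability aligned
    against an asset of value. The product is zero when any factor is zero,
    so a critical flaw nobody can reach, or one on an asset whose loss costs
    the mission nothing, never outranks a reachable flaw on a crown jewel."""
    return round(f.severity * f.threat_likelihood * f.mission_impact, 3)


def prioritize_by_severity(findings: list[Finding]) -> list[Finding]:
    """What the scanner's criticality ranking hands the analyst: ties are
    broken by ID, which is effectively arbitrary."""
    return sorted(findings, key=lambda f: (-f.severity, f.finding_id))


def prioritize_by_risk(findings: list[Finding]) -> list[Finding]:
    """Risk-based ordering; severity only breaks ties between equal risks."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.severity, f.finding_id))


def misprioritized(findings: list[Finding]) -> list[str]:
    """IDs that severity-only ordering would have an analyst fix before some
    finding with strictly higher risk: the 50th-floor windows."""
    ordered = prioritize_by_severity(findings)
    return [
        f.finding_id
        for i, f in enumerate(ordered)
        if any(risk_score(g) > risk_score(f) for g in ordered[i + 1:])
    ]


def daily_worklist(findings: list[Finding], capacity: int) -> list[str]:
    """The top `capacity` findings by risk, dropping anything with zero risk:
    with limited analysts, a finding that cannot hurt the mission gets no slot."""
    ranked = [f for f in prioritize_by_risk(findings) if risk_score(f) > 0]
    return [f.finding_id for f in ranked[:capacity]]


# Constructed sample: the same "unlocked window" (identical scanner severity)
# on three assets, plus a medium flaw on the crown jewel and a critical flaw
# on a host no threat can reach.
SAMPLE_FINDINGS = [
    Finding("WIN-50TH", "hr-archive-vm", 9.8, 0.05, 0.30),               # 50th floor, low-value room
    Finding("WIN-1ST", "visitor-kiosk", 9.8, 0.90, 0.10),                # street level, empty room
    Finding("WIN-1ST-DIAMOND", "mission-records-db", 9.8, 0.90, 1.00),   # street level, Hope Diamond inside
    Finding("MED-DIAMOND", "mission-records-db", 5.5, 0.90, 1.00),       # medium flaw on the crown jewel
    Finding("CRIT-AIRGAP", "offline-test-rig", 9.8, 0.00, 0.60),         # critical, but unreachable
]

if __name__ == "__main__":
    print("severity-only:", [f.finding_id for f in prioritize_by_severity(SAMPLE_FINDINGS)])
    print("risk-based:   ", [(f.finding_id, risk_score(f)) for f in prioritize_by_risk(SAMPLE_FINDINGS)])
    print("wasted effort:", misprioritized(SAMPLE_FINDINGS))
    print("today (2 slots):", daily_worklist(SAMPLE_FINDINGS, 2))
```

Run as a script, the severity-only list puts the unreachable critical and the empty first-floor room ahead of the Hope Diamond room because the three windows tie at 9.8, while the risk-based list leads with the Hope Diamond window, then the medium flaw on the same crown-jewel asset, and drops the unreachable host from the day's worklist entirely. The multiplicative model is deliberately strict: it encodes the article's claim that a threat without a vulnerability, or a vulnerability with no mission impact, is not a risk worth an analyst's time.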

Cyber leaders should define which assets are the most important to the mission and share that information with their teams so that everyone understands which assets need protection first. They should also use a combination of security policies focused on protecting those assets, and technologies, such as behavior analytics platforms, that prioritize threats based on mission impact.

For many analysts, thinking and speaking risk is like learning a foreign language; however once they embrace the approach, they will find their lives to be much easier. Their workload will be manageable, stress will be reduced, and most importantly, their agency’s most valuable assets will be prioritized and protected.

Thomas Jones is a federal systems engineer for Bay Dynamics.