A Risk-Focused Approach to Security Control Prioritization

I am yet to meet a CISO who has been given unlimited resources to secure the organization, and in almost all cases, there is more work that can be done to improve security. So given infinite time and resources, how to prioritize the next strategic initiative or project?

‍

The increasing maturity of security control frameworks such as those developed by NIST and CIS provide a good structure for maturing a cybersecurity program, mapped to preventing common tactics, techniques and procedures [Mitre]. They both provide a self-assessment framework for working out where you are in terms of maturity compared to industry expectations, and provide a list of next actions to increase maturity.

‍

‍

The next step is often to start work to improve the overall maturity of the security controls, but the challenge is to decide quickly about prioritization, budget and cost.

‍

How do you allocate a security budget to reduce the probability of a cyber event causing material loss to the business?

‍

Cyber risk quantification is a key piece of the risk management toolkit. By combining the following:

‍

- A map of the digital structure of your company

- Your own assessment of the current security posture

- A model mapping out the latest threat intelligence

‍

You can test the impact of each potential security project, and the expected improvement in terms of risk. For example:

‍

Maturing the CIS control “10. Data Recovery Capabilities” has been measured as the security improvement most likely to have a material impact to the business. In this case, it is not a control which will prevent a breach, but it will limit the damage, disruption and cost to the business when one occurs.

‍

The probability weighted average cost of cyber incidents is expected to substantially reduce by $225k per year, which would pay back the implementation cost of $300k in a little over 18 months.

‍

‍

This helps the CISO prioritize the next areas of improvement and makes a clear case to others in  senior management and the board what the expected return on investment is likely to be, in terms which can be compared to other business risks.

‍

‍

Capturing the Financial Impact of Security Controls

‍

Quantifying the impact of controls on a company requires three steps.

‍

Firstly, to build a ‘virtual’ representation for the digital structure of the company. Kovrr does this automatically by harvesting data about the organization from asset management platforms such as Microsoft Defender and Tanium. If an integration with an asset management platform is not available, a ‘company sphere’ can be created manually. This includes the structure and interconnections between different digital assets within the company, including the software and hardware profiles.

‍

The second step is to test this structure against potential cyber events which the company may be subject to. This tests the reaction of the company, what assets may be at risk, and the likelihood of different vulnerabilities being exploited.

‍

Finally, we overlay the structure of security controls, and each control’s maturity. The security controls often map the impact of each of the controls against specific tactics and techniques used by adversaries (often to the MITRE Att&ck framework). To quantify the impact of these controls, we look a level higher and group them based on the intended behavior of groups of controls

‍

- Perimeter Defense: Controls which reduce the chance of an attacker gaining initial access to the network. e.g. asset inventory management, software patching and management.

‍

- Attack Propagation: Controls which increase the chance of detecting an attack early, and preventing an attacker's ability to navigate through the network. e.g. network monitoring, account controls, etc.

‍

- Damage Limitation: Controls which reduce the impact and cost of a cyber event when it occurs, e.g. backups, incident response planning

‍

‍

This approach captures the core behavior of each of the controls while maximizing our ability to quantify the impact of different features of an attack. Perimeter defense reduces the probability of an attack starting, damage control reduces the breadth of the attack, and recovery control captures the company’s ability to limit the impact to business and reduce the financial cost of the attack.

‍

This way allows us to capture the realistic behavior and response of a company to different cyber threat models, and indicate the current value offered by the security controls already in place, and calculate the potential impact of upgrades and improvements.

‍

We have found that this approach helps communicate how security projects improve resilience and reduce risk in financial terms, and supports budget discussions for CISOs.

‍