Risk-Based Roadmaps Set Foundation for Cybersecurity Success

By Raef Meeuwisse, CISM, CISA, ISACA expert speaker, and author of “Cybersecurity for Beginners” And Doug Grindstaff, Senior Vice President of Cyber Security Solutions, CMMI Institute

Security professionals not only suffer from a barrage of cyber threats amid an increasingly complex threat landscape – but they also suffer from a crisis of confidence.

In ISACA’s recently released State of Cybersecurity 2019 research, only 1 in 3 respondents (34 percent) are highly confident in their organization’s cybersecurity team’s ability to detect and respond to cyber threats. This is an alarming data point that reinforces the fundamental shortcomings enterprises are dealing with when it comes to protecting their mission-critical digital assets.

The reality, though, is enterprises cannot do it all when it comes to security – the threats are too diverse, too sophisticated and resources are limited. That is why it is essential that organizations take a risk-based approach to measuring and managing security risks in the context of their business strategy.

For example, a company whose business model is based on building a community of users might view personal customer information breaches as the most fatal to that business, while a B2B business focused on proprietary product information might view espionage or data breaches as most significantly damaging to its model. Using the lens of risk unique to the business, enterprises need to focus on cyber resiliency – protecting the part of their organization most vulnerable to severe damage and preparing it for recovery. Enterprises shouldn’t necessarily be focused on the latest high-profile breach in the headlines. Don’t fight the last war. Instead, focus on the next war most likely to affect the enterprise.

Given that boards understand strategic threats, not cybersecurity functions, developing a risk-based roadmap to cyber resilience becomes essential. Resiliency roadmaps provide unparalleled insights to board directors, allowing them to review maturity status over time and gain a better understanding of the strategic concerns the company faces, along with a comprehensive view of the ways to address them. Maturity and resilience reports provide a common language that enables organizations to prioritize their operational needs and evolve their programs in response to the fluid threat landscape.

In many cases, this process helps bring into focus the need for greater emphasis on security fundamentals. Take access control as an example. Did you know that the controls relating to managing identity and appropriate access with adequate security are usually considered the most important? It may seem logical and obvious that having features such as a central identity and access architecture –consistently restricting access to the least amount required to do each person’s job and splitting high-value approvals to require at least two different people to sign-off – are important. However, security auditors who take a look inside many different organizations rarely find those essentials are properly in place.

“We lost your data – but we value your business” is becoming a very tired message. “We cannot keep your data perfectly secure – but we would like to have it anyway” also is a bizarre message. The larger question becomes: can breaches be prevented?

The answer is that it is possible to keep data secure, but it requires what has now become known as security by design, also sometimes referred to as DevSecOps. Fundamentally, these two terms mean that security can only be fully effective when it has been adequately established from the very beginning – and is then continuously monitored and maintained.

Yet again, though, go on a few cybersecurity assignments as an auditor or manager, and very much in line with the results from the ISACA State of Cybersecurity research, infosec departments rarely have enough resources, and many are still not invited to look at the security of a new product until after it was built or purchased. This is very much analogous to being asked to make a building earthquake-proof after it was already built. Cybersecurity is not very effective when you try and treat it like glitter and sprinkle it lightly over something later on!

It may not call for high-level sophistication to fix security fundamentals, but choosing security by design does take considerable budget, resources and requires deep organizational resolve. Most cybersecurity experts have a good idea about what needs to be done, but persuading executives to adequately resource and invest precious funds on security can be a challenge. That is why developing a risk-based roadmap for improvement is a step that cannot be missed for all organizations serious about strengthening their security posture.

About the Authors

Raef Meeuwisse is an ISACA governance and cybersecurity expert and Director of Cyber Simplicity Ltd. He holds multiple ISACA certifications for information security and is the author of many books on cybersecurity, including Cybersecurity for Beginners and Cybersecurity Exposed: The Cyber House Rules. He also created AdaptiveGRC, the world’s first single data source / zero replication governance, risk management, and compliance suite. He is an active member of the ISACA London chapter and an entertaining international speaker.

E Douglas Grindstaff II is a successful executive with deep experience in the biotech and technology industries. In addition to his current role as Senior Vice President of Cybersecurity Solutions with the CMMI Institute, he previously served as CEO of NuSirt Sciences, CEO-in-Residence for Carnegie Innovations Portfolio and President of the Invisible Fence brand. Prior to that, he served as Chairman and President of Bioganic Biopesticide, where he oversaw rapid expansion into the retail marketplace, as well as the acquisition by a well-known consumer brands company. Grindstaff also served as an executive for a number of private and public consumer brand companies, including Kraft Foods, Inc.