Cyber Risk means different things to different people in an organization. Deloitte distinguishes it well : A CEO might worry about the expected financial loss related to cyber risk exposure; while the CFO is challenged to show the value of security while managing the associated costs. The CMO might worry about the impact to the brand if a breach to the company occurs; while the CISO is thinking about which key initiatives to prioritize to maximize risk buy down. But one thing that savvy executives agree on is that cyber security is a business risk that should be included in corporate risk mitigation strategy and processes.
Cyber Risk Mitigation focuses on the inevitability of disasters and applies actions and controls to reduce threats and impact to an acceptable level.
Lisa Lee, Chief Security Advisor for Financial Services in Microsoft’s Cybersecurity Solution Group, partnered with Circadence in April 2020 to talk about this topic in a webinar. Originally broadcast for a financial risk mitigation audience, the practical advice Lisa offers in 6 areas of cyber risk mitigation is broadly applicable.
Cyber Risk Insurance
Insurance can help to reduce the financial impact of an incident, but it does NOT mitigate the likelihood of a cyber breach happening – in the same way that having car insurance helps with the financial consequences of an accident but cannot in anyway prevent an accident from occurring.
Identity and Access Management
Microsoft recommends making “Identity” the security control plane. Employees use multiple devices (including personal devices), networks, and systems throughout their lifecycle with a company. The explosion of devices and apps and users makes security built around the physical device perimeter increasingly complex. At the same time, access to on-premise systems and cloud systems are shifting to transform to meet business needs. Partners, vendor/consultants, and customers might also all require varying degrees of access. A strongly protected, single user identity at the center of business for each of these constituents can exponentially improve the efficiency and efficacy of the overall security posture of the company.
Configuration and Patch Management
This is IT or cyber security 101. Everyone should be doing it on a consistent basis. But 20% of all vulnerabilities from unpatched software are classified as High Risk or Critical. The Center for Internet Security is an excellent resource for more information on best practices.
Asset Protection (devices, workload, data)
There is a massive amount and diversity of signal data coming in from the network and there are many tools on the market to help assist in the collection, management, and assessment. Lisa advised not to spend too much time trying to evaluate and select the best of breed tool in each category. Rather, find a suite that works well together so that you don’t have to spend time on integration. Beyond devices, also consider your security policies and practices to ensure visibility for workloads across on-prem, cloud, and hybrid cloud environments. And finally, consider protecting the information directly so that wherever data elements go, even outside the company, they carry protection with them. The key to this is encryption.
Monitoring and Management
These two concepts are seemingly more about ‘risk management’ vs. ‘risk mitigation’. But monitoring helps you to ‘know what you don’t know’ in order to adapt and improve mitigation strategies. And today, many of the monitoring tools from Microsoft and other vendors have features that enable cyber analysts to take action, i.e analysts can use the same tool that helps identify a vulnerability to then resolve it.
Cyber Security Training
Security is an ever-changing situation because bad actors are always developing new attacks. Therefore, training and education is an ongoing requirement for cyber professionals. Circadence’s Project Ares is a cloud-based learning platform specifically designed for continuous cyber security training and upskilling. IT and cyber organizations that invest in on-going training for their people are making as strong an investment in mitigation as in the tool stack that the analysts use on-the-job.
With consideration in all 6 of these areas, you will be able to architect and compose a comprehensive cyber mitigation strategy.
Here’s a link to the full webinar. It’s only 45 minutes long and Lisa provides more detail in each of these categories.