Taking a Priority-Based Approach to Cybersecurity

By Editorial Team | March 08, 2019

As the threat landscape becomes increasingly complex, it is critical to take a priority-based approach to cybersecurity. Budgets to finance cybersecurity investments and operations are always limited in both private- and public-sector organizations. Nonetheless, firms need to protect both their own private concerns (growth, profitability, competitiveness) and exercise fiduciary responsibility towards safeguarding customers, investors, employees, public stakeholders, and governments from cybersecurity attack.

Since trying to 'protect everything protects nothing,' companies need to set and follow priorities regarding what assets to protect, what threats to defend against, and where to spend and invest in cybersecurity countermeasures.

Aligning Business and Cybersecurity Priorities

The first hurdle to overcome in protecting an organization’s crown jewels is to bridge the gap between business leader and cybersecurity expert perceptions of what organizations need to protect. A study by the Economist Intelligence Unit reveals significant differences in how business and cybersecurity leaders perceive the cybersecurity agenda.

Asset to protect                              Business leaders   Cybersecurity leaders
Our reputation with customers                         25                 16
Private intra-company communications                  14                  6
Strategic plans and communications                    12                  7
Regulated data                                        12                 25
Customer information                                  10                 20
Applications and services                              8                 14
Product specifications and pricing                     6                  1
Proprietary process                                    6                  5
Proprietary research                                   4                  5
Employee information                                   3                  4
Liquid financial assets that could be stolen           1                  1

What’s Looming in the Threat Landscape

Organizations face multiple and constantly mutating threats to crown jewel assets. While the following list may seem like old news to many readers, it’s important to recall just how many things can go seriously wrong on the cybersecurity front:

  1. Physical Intrusions/Burglary
  2. Connection Hijacking
  3. Intrusions and Worms
  4. Viruses and Spyware
  5. Spam and Cryptocurrency Mining Botnets
  6. Malicious Sites
  7. Malicious Apps
  8. Advanced Targeted Attacks
  9. Machine-to-Machine Attacks

Not all threats are created equal. Threat defense priority setting combines assessing the potential economic damage posed by a threat against the cost of effectively combatting it. Even then, the cost of completely eliminating a threat might prove much more expensive than reducing it to what the organization believes to be a tolerable level. For example, an organization might be okay with two or three spam messages a day reaching employees if eliminating 100% of spam costs twice as much as reducing it by 99.9%. Here, it would be much less expensive to send employees regular emails reminding them to ignore any spam that might appear in their inbox.
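The trade-off described above (expected damage against the cost of a countermeasure, and accepting a tolerable residual level rather than paying for 100% elimination) can be made explicit with a small risk model. The following is an added example, not code from the article; the threat names, loss figures, rates and countermeasure costs are constructed to reproduce the spam case in the text, and the ALE = single loss × annual rate formula is the conventional annualized loss expectancy, not something the article defines.

```python
"""Risk-based prioritization of countermeasures (added example, constructed data).

Each threat carries an annualized loss expectancy (ALE = expected loss per
incident x expected incidents per year).  Each countermeasure option removes
some fraction of that loss at an annual cost.  Options are ranked by net
benefit (risk removed minus cost), so a 100% fix only wins when the last
fraction of a percent is actually worth its price.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    single_loss: float   # expected cost of one incident, in currency units
    annual_rate: float   # expected incidents per year with no countermeasure

    @property
    def ale(self) -> float:
        """Annualized loss expectancy."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Countermeasure:
    threat: str          # name of the Threat it addresses
    name: str
    annual_cost: float
    reduction: float     # fraction of the threat's ALE it removes, 0.0..1.0


def net_benefit(threat: Threat, cm: Countermeasure) -> float:
    """Annual risk removed minus annual cost; positive means worth buying."""
    if cm.threat != threat.name:
        raise ValueError("countermeasure does not address this threat")
    if not 0.0 <= cm.reduction <= 1.0:
        raise ValueError("reduction must be a fraction in [0, 1]")
    return threat.ale * cm.reduction - cm.annual_cost


def residual_risk(threat: Threat, cm: Countermeasure) -> float:
    """Annual loss still expected after the countermeasure is in place."""
    return threat.ale * (1.0 - cm.reduction)


def rank_countermeasures(threats, options):
    """Return (threat, option, net_benefit, residual_risk) rows, best first."""
    by_name = {t.name: t for t in threats}
    rows = []
    for cm in options:
        t = by_name[cm.threat]
        rows.append((cm.threat, cm.name,
                     round(net_benefit(t, cm), 2),
                     round(residual_risk(t, cm), 2)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def best_option_per_threat(threats, options):
    """Pick, per threat, the option with the highest positive net benefit."""
    best = {}
    for threat, name, benefit, _residual in rank_countermeasures(threats, options):
        if threat not in best and benefit > 0:
            best[threat] = name
    return best


# Constructed sample data: 200,000 spam messages/year would reach staff at a
# cost of 2 units each; ransomware is rare but expensive.
SPAM = Threat("spam", single_loss=2.0, annual_rate=200_000)
RANSOMWARE = Threat("ransomware", single_loss=2_000_000.0, annual_rate=0.1)
THREATS = [SPAM, RANSOMWARE]

OPTIONS = [
    Countermeasure("spam", "filter 99.9%", annual_cost=20_000, reduction=0.999),
    Countermeasure("spam", "filter 100%", annual_cost=40_000, reduction=1.0),
    Countermeasure("spam", "awareness reminders only", annual_cost=1_000, reduction=0.3),
    Countermeasure("ransomware", "offline backups", annual_cost=60_000, reduction=0.8),
    Countermeasure("ransomware", "EDR rollout", annual_cost=150_000, reduction=0.6),
]

if __name__ == "__main__":
    for row in rank_countermeasures(THREATS, OPTIONS):
        print(row)
    print(best_option_per_threat(THREATS, OPTIONS))
```

With these constructed numbers the 99.9% spam filter (net benefit 379,600) beats the 100% filter (360,000) even though the latter leaves no residual risk, which is exactly the article's point: the last 0.1% costs more than the two or three messages a day it would prevent. The same ranking rejects the EDR option on its own because its cost exceeds the loss it removes; in practice you would re-run the model as costs, rates and reductions are re-estimated.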

Know Your Vulnerabilities

While I don’t want to appear to “blame the victim” for poor security outcomes, it’s important to recognize that more cybersecurity risk factors originate within organizations than from external causes.

Internal vulnerabilities that weaken organizations irrespective of the external threat environment include:

  1. Insider threats (disgruntled or malevolent employees, contractors, or anyone with infrastructure access privileges)
  2. Fragmented, uncoordinated defenses or vendor/solution sprawl
  3. Lack of end-user awareness
  4. Insufficiently skilled security professionals or problems staffing security roles
  5. Lack of crown jewel definitions and priority-setting
  6. Business activity and process change outpacing security strategies and investments
  7. Lack of executive ownership for security; ambiguities with roles and responsibilities
  8. Focus on abstract compliance versus real protection

It doesn’t help that external factors can also generate additional vulnerability risk factors:

  1. Increased attack surface as organizations grow, invest in new technologies, or expand their IT infrastructure
  2. Increasing threat actor sophistication
  3. Emergence of new threat types; adversary innovation
  4. Rapidly changing business landscape

As the old saying goes, organizations need the courage to change the risk factors they can and must change, the patience to defend as best they can against the ones they cannot, and the wisdom to know the difference.

Threat Actor Sophistication and Motivation

Cybersecurity attackers vary widely in their levels of expertise and objectives. The following table summarizes the major species of threat actors, motivations, and objectives:

Actor                                          Motives                         Objectives
Unsophisticated attackers and script kiddies   Self-gratification              Amusement, experimentation, nuisance, mischief
Sophisticated attackers and hackers            Access to valuable information  Money, embarrassment, "hacktivism"
Malicious insiders                             Financial gain and revenge      Operational disruption, stock price manipulation, extortion
Criminals, organized and freelance             Financial gain                  Cash, credit card and identity fraud, ransomware, insider information
State-sponsored attackers; cyberterrorists     Espionage and cyberwarfare      Political and technology espionage, sabotage, public infrastructure attack, military objectives

In general, unsophisticated attackers, hackers, and insiders deploy well-known threats and attack methods that should be relatively easy to intercept and defeat. As the actor class moves up to the more sophisticated criminal, terrorist, and state-sponsored attackers, the more likely they are to deploy zero-day and previously unknown threats.

One thing to consider in crown jewel priority-setting is that, even if your organization does not hold information valued by a sophisticated criminal or state-sponsored attacker, they could target you as a springboard into other organizations they would like to penetrate. Such was the case of the heating and ventilation contractor whose computers were used as a vector to breach debit card transaction customer data held by a major home improvement store chain.

Cybersecurity Roles and Responsibilities

As mentioned above, it’s extremely important for an organization’s business decision-makers and cybersecurity experts to achieve alignment and mutual understanding regarding cybersecurity roles, responsibilities, and priorities. Establishing and maintaining a successful partnership begins with clear understanding of who’s responsible for what both on the business and security sides of the relationship.

Here, business leaders will take responsibility for:

  1. Making it clear what they worry about in terms of negative outcomes from poor cybersecurity execution, and how they would define a successful cybersecurity program
  2. Identifying assets, people, and processes critical to performance of the organization’s mission
  3. Setting goals for cybersecurity investment and processes
  4. Setting budgets for cybersecurity investment and processes

In return, cybersecurity leaders need to:

  1. Identify and report cybersecurity vulnerabilities
  2. Identify threats to the organization
  3. Recommend programs and countermeasures
  4. Measure, monitor, and report on the cost-effectiveness of cybersecurity investment and spending
  5. Make cybersecurity sourcing and hiring decisions
  6. Execute cybersecurity operations

Most important of all, business and cybersecurity leaders need each other to effectively carry out their responsibilities. Business leaders simply cannot set priorities, goals, and budgets without information and advice from their cybersecurity experts. Cybersecurity leaders need business executive understanding and buy-in to be effective in their roles. Although business and cybersecurity leaders respect each other’s distinctive roles, neither performs their work in a silo.

Needed: Dynamic and Durable Security Fabric

Finally, taking a priority-driven, crown-jewels approach to cybersecurity strongly argues for a security fabric-based security operations and investment program. The only constant in business and cybersecurity is change. Business goals, processes, priorities, market conditions, organizational structures, and stakeholder communities change at an accelerating pace. The velocity of threat “innovation” speaks for itself. In the meantime, the world is undergoing a fourth industrial revolution as digital technologies transform every aspect of economic, political, and social relationships.

As the world changes, cybersecurity programs and processes must change with it. But in many ways, how fast a cybersecurity program changes is not as important as the ability to execute change with as little friction as possible. The kind of change that involves a constant cycle of reinvestment, rapid depreciation, and forklift replacement of cybersecurity hardware is becoming increasingly unsustainable. It is far better to execute change from a technology base that has enough developmental headroom to cope with expected future performance demands and can add new features and capabilities in software.