How can organizations protect critical information resources? What processes and procedures work best? What are the challenges to reducing risk?
To answer these questions and much more, I turned to a cybersecurity industry thought leader from Texas: Mike Davis.
Mr. Davis is the CISO in alliantgroup’s Houston national office, where he operationalizes data security, privacy and risk management while advising leadership on protecting critical information resources and managing an enterprise cybersecurity portfolio. Mike and his team’s mission includes executing a risk-based security strategy that supports enabling the company’s success objectives by securing and protecting both sensitive company and client information and resources.
Before joining alliantgroup, Mike was the CISO of a large global maritime classification company. He is an experienced cybersecurity professional with 20-plus years in several environments (commercial, military and government) and diverse leadership positions: CISO, senior cyber technical authority, cybersecurity/risk management consultant, cyber program manager and chief systems engineer, among others. Mike is also a retired U.S. Navy Engineering Duty Officer and federal government employee (GS-15).
Mike supports several professional associations: the FBI InfraGard, IEEE (Life Member) and ISSA/ISC2, among others. His certifications are: CISSP, CISO and Systems Engineering, along with senior qualifications in Program Management and Risk Management, and he holds a master’s in electrical engineering and in management.
I have known Mike for several years, and he always brings insightful, thought-provoking content and insights to complex cyber discussions.
Dan Lohrmann (DL): What are the biggest cybersecurity risks most enterprises face?
Mike Davis (MD): To start our risk journey, we need to all have an overall risk assessment baseline — assess our vulnerability baseline and the top threats’ applicability to our environment. We use a periodic sampling approach from the many threat reporting sources (as part of our “CTI” program), then distill those results into the following current risk areas that we sense apply to most organizations:
Phishing: Over 90 percent of all security incidents start here (where someone will always “click”!)
Ransomware, including morphing malware/crypto-mining: It’s easy and profitable, and now comes with a data breach extortion threat too.
Poor cyberhygiene: known vulnerabilities not patched (98 percent of exploits use these)
Ineffective access controls: Identity is the new perimeter and core (ZTA) (e.g., we need multifactor authentication everywhere)
Hostile intruders: hackers, insider threats, careless users, any malicious user
Crime as a service: as now anyone can be a hacker, just pay the criminals
Internet of Things security: the many atypical computing devices connected to your network
Third-party/vendor access and risks: this is a major threat all by itself and accounts for half of all breaches
Regulation/compliance (e.g., GDPR, SOX, PCI DSS, etc.): Fines, loss of integrity/brand and competitiveness.
Overall, start with a risk assessment to set your baseline, tailoring threats and associated mitigations to your organization, and develop a clear risk-value-based risk reduction plan, with OPS/IT concurrence (as they will need to support many). Then get understanding from your IT/risk steering committee (ITSC), to then do the same with senior leadership. This is an older two-page article that goes into the question overall: “Cyber risk, what really matters?”
By the way, if you are interested in which mitigations to focus on first, skim this article on the hierarchy of cybersecurity needs from Microsoft; it follows the Maslow hierarchy of needs triangle, with a cyber perspective. The foundation is access control, and each layer is well described.
DL: How do you think about attacking the problem of reducing risk?
MD: Short answer: use an enterprise, holistic, Risk-Based Security Strategy (RBSS). Risk is a combination of threat, vulnerability, likelihood and impact/consequences, along with asset values. Within the risk strategy we need to provide the rationale and “cyber story” that goes with that RBSS assertion. Cybersecurity is a wide capability area with complex technical and business interactions, and must work in conjunction with a variety of other security measures: physical security, personnel security, contingency planning and disaster recovery, operational security, and privacy. Typically, one of the highest impacts from inadequate cybersecurity is a data breach, whereas most realize those damages can be extensive and expensive both in reputation and actual costs incurred.
A well-known framework for improving cybersecurity is the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) for Improving Cybersecurity, which has five phases: identify, protect, detect, respond and recover. NIST also has a small/medium business (SMB) version of this framework and processes therein called NIST-IR 7621 Rev1. This publication is a highly recommended authoritative source to use as your SMB implementation guide. We recommend folks start their risk management journey with the CIS CSC top 20 controls as their foundation, then complement that with NIST CSF. It’s also a solid basis for what “reasonable security” entails, as discussed here: “Cyber Security Risk, what does a “reasonable” posture entail, and who says so?”
Overall, as mentioned, use some form of RBSS, which includes using a risk framework that the company can align to with an approved risk appetite set of thresholds, and provide a clear risk-value-based risk reduction plan (this is a common theme!). Take vulnerability management, for example, cyberhygiene; a risk-based approach is effective to minimize the greatest actual risk to the company, focused on more than just critical CVEs, where you work on the top 20 or so risks each week and make measurable progress. In addition, some assets will stand out based on their individual risk scores and you can focus on those as well.
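The risk-based vulnerability prioritization described in this answer, as an added worked example (not code from the interview, alliantgroup or any product mentioned): each finding gets a risk value from the four factors named above (threat from the CTI feed, vulnerability severity, likelihood from exposure, impact from asset value), the weekly queue is the top N by that value rather than by CVSS alone, and per-asset totals show which assets stand out. The weights, the CVE placeholder identifiers and the sample findings are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str           # placeholder identifier, constructed for this example
    cvss: float        # 0-10 base severity: the "vulnerability" factor
    exploited: bool    # known exploited in the wild per the CTI feed: the "threat" factor
    exposed: bool      # reachable from the internet: drives "likelihood"
    asset_value: int   # 1-5 business value of the asset: drives "impact"


def risk_value(f: Finding) -> float:
    """Risk = threat x vulnerability x likelihood x impact, scaled 0-100.

    The factor weights are assumptions; a real program would tune them
    against its own risk appetite and CTI sources.
    """
    threat = 1.0 if f.exploited else 0.3
    vulnerability = f.cvss / 10.0
    likelihood = 1.0 if f.exposed else 0.5
    impact = f.asset_value / 5.0
    return round(threat * vulnerability * likelihood * impact * 100, 1)


def weekly_queue(findings, top_n=20):
    """The 'top 20 or so risks each week': ranked by risk value, not CVSS."""
    return sorted(findings, key=risk_value, reverse=True)[:top_n]


def asset_risk(findings):
    """Aggregate risk per asset so the assets that stand out are visible."""
    totals = defaultdict(float)
    for f in findings:
        totals[f.asset] += risk_value(f)
    return {a: round(v, 1) for a, v in sorted(totals.items(), key=lambda kv: kv[1], reverse=True)}


# Constructed sample scan output (not real CVEs or real assets).
FINDINGS = [
    Finding("vpn-gw", "CVE-PLACEHOLDER-A", 7.5, exploited=True, exposed=True, asset_value=5),
    Finding("build-server", "CVE-PLACEHOLDER-B", 9.8, exploited=False, exposed=False, asset_value=3),
    Finding("hr-db", "CVE-PLACEHOLDER-C", 6.5, exploited=True, exposed=False, asset_value=5),
    Finding("kiosk", "CVE-PLACEHOLDER-D", 9.1, exploited=False, exposed=True, asset_value=1),
    Finding("vpn-gw", "CVE-PLACEHOLDER-E", 5.3, exploited=False, exposed=True, asset_value=5),
]

if __name__ == "__main__":
    for f in weekly_queue(FINDINGS, top_n=5):
        print(f"{risk_value(f):5.1f}  {f.asset:13} {f.cve} (CVSS {f.cvss})")
    print(asset_risk(FINDINGS))
```

Note that the CVSS 9.8 finding on the internal build server ranks below an exploited-in-the-wild 7.5 on the internet-facing VPN gateway, and the VPN gateway's aggregate puts it at the top of the asset list; that is the difference between "critical CVEs first" and "greatest actual risk first".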
DL: Are most of the top risks known to leadership or are many unknown?
MD: I think most of the top risks are “known” to leadership at this point (phishing, ransomware, data breaches, etc.), yet what is their full comprehension, especially for the negative business impacts? I like the saying “security always costs too much, until it is not enough” as it sums up the leadership awareness gap. This means we security folks are not communicating the top risks well enough using the vernacular they understand. We don’t focus on their key concerns, like productivity, revenue, long-term stakeholder value, resiliency and innovation, as well as overall corporate risk management. We need to tell the risk story in their lingo.
In addition, risk management reporting needs to be periodic, not once a year (or ad hoc). Engage a few key business stakeholders to see what their information needs are and the style they most relate to. No death by PowerPoint — consider a one-page, or at most two-page, risk report, as executives are used to getting those. Minimize the technical jargon and use an analogy that resonates (like protecting one’s house and valuables). Ideally, your organization has documented business success factors that you can relate the top risks to. If not, then start with the generally accepted key concerns listed earlier, and the typical business success factors: market share, customer trust and relationships, new business/markets, global presence, P&L and regulatory compliance, for a few. Run your report by OPS/IT first, then a business lead that understands the risk environment, to get feedback on the content, context and usability; then share with your ITSC next.
Overall, once you put your risk story into motion, get specific feedback on improvement, do it regularly and stay aligned with OPS/IT and a business champion. Ideally you have an ERM effort where the major business leads participate, as they will get the utility and process and support the cyberview.
DL: How do you recommend addressing known risks?
MD: Once you have a clear risk-value-based risk reduction plan, the known high-value risks need to be highlighted. By the way, the unknown risk elements need to be accounted for as well, and that entails having a Cyber Threat Intel (CTI) effort that monitors threat and vulnerability sources for new risks, TTPs and early vulnerability warnings of the systems you have (SolarWinds, Accellion, etc.). Frequently, it’s the known risks that may not get fully addressed, like cyberhygiene, Secure SDLC, cloud security, etc., because of other operational priorities (building out new capabilities that directly support business productivity, revenue, etc.) and the full impact of the risks is not well understood by most. This risk-versus-operational-needs balance is frequently the source of why known risks are not well accounted for (e.g., patching versus building out requested revenue-enhancing capabilities).
That’s why any risk mitigation prioritization plan must start with OPS/IT — besides fully understanding the business impacts, do they have the resources to do their part? Using your risk-value-based risk reduction plan, ensure it has the required OPS/IT support captured for all their parts, with an estimated level of effort. Then rank their efforts in terms of risk value and personnel availability, especially as that may entail the support of just a few folks who undoubtedly have other business-related tasks. This is where an integrated OPS/IT and security project plan comes in for personnel resource allocation. In addition, there are likely IT/network changes planned that might minimize the risk source or offer enhanced functions to use later on [e.g., upgrading to a Microsoft E5 license, which brings a lot of data and access capabilities (using “ATP” features)]. Thus the risk can be delayed to fit in with planned upgrades.
Overall, competition for resources will always be an issue for many risks, and that needs to be addressed up front. If organic support cannot be used, then external support can be proposed or management can formally accept the risk, documenting it in your risk register. Risk management is a companywide endeavor that requires a common understanding of the risk value and resource allocation. While obvious, your RBSS must factor this in from the start, yet doing so takes time and effort from all parties, which gets back to resources.
DL: Explain your approach to addressing these risks with the minimum possible cost.
MD: First assess your current security capabilities environment — are you one of those entities that has 20 to 30 security tools? Have you quantified your enterprise security risk requirements and then parsed those out to the major security capabilities, starting with taking advantage of your OEM products (Microsoft, Cisco, etc.), which have significantly advanced their feature sets and integrated operations in recent years? Once you do the capabilities-to-product mapping, the major functional overlaps will be clearer and you can proceed to rationalize what capabilities can be dropped. It’s not only the product cost that is removed, but the personnel resources to maintain and monitor them. You then have a defendable security capabilities road map, including any gaps and required new functionality.
Then comes minimizing the operational resource level of effort. As mentioned earlier, all proposed risk tasks need to have the resources to implement and maintain, the latter being frequently overlooked. Part of the capabilities to product mapping needs to include the effort to monitor, maintain and support each function. These will be rough estimates initially, but good enough to assess the sustainment effort each needs, being iterated as they are used — keeping metrics. This information can be used to justify added personnel or even outsource the risk support needed. Effective use of resources is a major part of minimizing the costs, as is using “lean” practices on resource-intensive processes.
Then, as part of the risk mitigation prioritization effort, collaborate with key stakeholders to ensure the risks are effectively quantified and understood by all. Assess all mitigations for both effectiveness and a potential phased approach, doing the more effective sub-tasks with fewer resources first. In addition, collectively explore alternative mitigations and compensating controls that could be used; that could offer effective risk reduction at reduced cost. Also as mentioned earlier, revisit the planned future state and new technologies that will minimize the risk, as innovation therein could be more cost effective.
Overall, start with the highest risk value mitigations, then factor in available resources (whereas the limitation is typically OPS/IT resources, as security is generally focused on the requirements, though their time is also limited). Rebalance your risk mitigation efforts and timeline as required and document all risks that are accepted or need additional external resources. Periodically brief any revised risk posture and required resources to leadership.
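The prioritization sequence in the last three answers (rank mitigations by risk value, break them into phases so the more effective sub-tasks with fewer resources go first, fit them to OPS/IT capacity, and record what does not fit in the risk register as accepted or needing external resources), as an added worked example that is not code from the interview or from alliantgroup. The mitigation names, risk-reduction values and effort estimates are constructed assumptions; the ranking key (risk reduction per OPS/IT day) is one reasonable reading of "risk value" and is also an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    mitigation: str
    phase: str
    risk_reduction: float   # risk value removed, same scale as the risk register
    ops_days: float         # estimated OPS/IT level of effort (constructed)


def risk_density(t: Task) -> float:
    """Risk value delivered per OPS/IT day: the ranking key used here."""
    return t.risk_reduction / t.ops_days


def plan_period(tasks, ops_capacity_days):
    """Greedy schedule: highest risk density first, while OPS/IT capacity remains.

    Returns (scheduled, deferred, unused_days). Phases are independent tasks,
    so a cheap high-value first phase can be scheduled while the expensive
    follow-on phase is deferred.
    """
    scheduled, deferred = [], []
    remaining = float(ops_capacity_days)
    for t in sorted(tasks, key=risk_density, reverse=True):
        if t.ops_days <= remaining:
            scheduled.append(t)
            remaining -= t.ops_days
        else:
            deferred.append(t)
    return scheduled, deferred, remaining


def risk_register(deferred):
    """Every deferred item is documented so leadership can formally accept
    the residual risk or fund external support for it."""
    return [
        {
            "mitigation": t.mitigation,
            "phase": t.phase,
            "residual_risk": t.risk_reduction,
            "ops_days_needed": t.ops_days,
            "decision": "ACCEPT or FUND EXTERNALLY (leadership sign-off required)",
        }
        for t in deferred
    ]


# Constructed backlog; values and effort are illustrative only.
TASKS = [
    Task("MFA everywhere", "admins and VPN", risk_reduction=40, ops_days=5),
    Task("MFA everywhere", "all users", risk_reduction=25, ops_days=15),
    Task("Patch cadence", "internet-facing", risk_reduction=30, ops_days=6),
    Task("Patch cadence", "internal", risk_reduction=15, ops_days=12),
    Task("Vendor risk", "questionnaire", risk_reduction=12, ops_days=4),
    Task("Laptop encryption", "all laptops", risk_reduction=10, ops_days=8),
]

if __name__ == "__main__":
    scheduled, deferred, unused = plan_period(TASKS, ops_capacity_days=20)
    for t in scheduled:
        print(f"DO   {t.mitigation:18} {t.phase:16} value={t.risk_reduction} days={t.ops_days}")
    for row in risk_register(deferred):
        print(f"DEFER {row['mitigation']:17} {row['phase']:16} -> {row['decision']}")
    print(f"unused OPS/IT days: {unused}")
```

With 20 OPS/IT days available, the first phases of MFA and patching plus the vendor questionnaire are scheduled (82 of the 132 total risk value for 15 days), while the three larger phases land in the register for an explicit accept-or-fund decision rather than silently slipping, which is the documentation step the answer above insists on.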
DL: In your experience, are some sectors more vulnerable than others?
MD: Sure, principally as some industries are more targeted for starters, as their data is valuable (like the medical industry), they are less prepared or their services are more critical; thus there’s a higher propensity for an attack. Higher vulnerability industries, in general, tend to be small/medium businesses (SMB), health care, government, retail, energy/utilities (many of the critical infrastructure sectors), higher education and of course corporations (especially those that are not actively supporting their security teams). Yet even then, an effective threat and vulnerability management (TVM) program can significantly reduce the risk posture — as it will for all of us. It still amazes me that while we all know doing the security basics like cyberhygiene can significantly reduce security incidents, we collectively don’t put enough effort into doing those well.
That’s where a structured, holistic RBSS provides the best risk value in maximizing the business success factors. An RBSS should be based around assuming the hackers are inside and you’ve likely already been breached. This means you must have a well-practiced incident response plan to minimize damage and strictly control internal and external incident communications.
The main activities needed in what really matters are:
Cyber Education and Awareness Training Program: educate users with periodic training courses, email notes on security topics, posters, frequent phishing exercises, etc.
Tightly manage access controls: use multi-factor authentication (MFA) everywhere, strictly control privileged account management (PAM), monitor access changes (active directory, etc.).
Excel at TVM and cyberhygiene overall: go beyond just patching (yet that must be a top priority!), assess your status in the CIS items 1-6, then fix the gaps.
Data protection approach: endeavor to encrypt everywhere (it’s easiest in the long run), control data and classify it, and use a tailored identity access management. Combine with privacy elements as you can. Get cyberinsurance.
Third-party/vendor risk management: go beyond the paper drill (NDAs, Ts&Cs, SLAs, etc.) and actually have a risk assessment — lack of this causes over half of all data breaches — and start with a detailed questionnaire, then ask what certs they have.
Partner with a managed detection and response (MDR) provider: 24/7 coverage, gain extensive threat intel reach back, enhance your threat hunting, and reduce the alert fatigue of the security folks.
DL: What are the top risks to address for SMBs?
MD: The major risks are still the ones we all must account for, listed in the first question here, especially phishing, ransomware, poor cyberhygiene and weak access controls. Typically, SMBs don’t think they are targets or are overconfident in their actual residual risk posture. The question is then what data protections and risk mitigation efforts are most effective, affordable and do not require a heavy lift to implement and operate? Controls that mitigate several risks are clearly more valuable, as is using embedded OEM security functions from major systems (Microsoft, Cisco, etc.).
Just as for the rest of us, they need to have an overall risk assessment to baseline their residual risk posture and where the key gaps are. Many SMBs have a strong cloud presence, and in many ways the SMB risks are similar to those we all face from remote work (endpoint security, connectivity/secure VPN, access controls/MFA, effective security training and cloud/SaaS security). Few are all in the cloud, so any on-premises environment must be accommodated as well. Policies are always needed to ensure consistent application of company directives in use of IT and data protection. Critical technical capacities are firewall, NGAV, email security, access controls (password quality and at least 2FA), DNS/URL filtering, mobile security and secure backups, plus that security and awareness training.
Overall, SMBs need to know their security baseline (as we all do), and using one of the free, self-administered risk assessment tools is a good start. It will be a high-level view, yet relatively easy to conduct, which will help identify their key weaknesses. From the risk assessment, develop a simple RBSS based on their environment and structure it by risk value — the greatest impact reduction for the least resources — and focus on the top items therein. Generally those will be in the capability areas mentioned here, starting with ransomware. In almost all cases, SMBs should partner with an MDR to get the 24/7 broad coverage and extensive back-end threat coverage, as well as early warning of attacks on other companies they support. Cyberinsurance is also recommended, not only for the liability coverage, but because they offer several other services (forensics, extensive data breach experience, bitcoin broker, etc.). Join local cybersecurity professional and community groups, and share what works. There is a lot of SMB security support; they don’t have to go it alone, and there are numerous groups that will help them.
Dan Lohrmann: Thanks for your insights and for sharing best practices with us.