SolarWinds, Colonial Pipeline, JBS meatpackers – it’s been a time for unexpected, highly disruptive “emerging threats” in cybersecurity, and CISOs can expect that boards will be asking, “What’s next and are we resilient enough to handle it?”
No one has a crystal ball in cyber risk management, but CISOs can prepare to effectively answer questions on emerging information technology risks with these tactics:
Build Credibility by Reporting Cyber Risk in Quantitative Terms
Before crisis time, set a pattern of meeting board expectations by reporting on cyber risk in financial, not technical, terms.
That’s the goal that the National Association of Corporate Directors (NACD) has set for board members. “Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks,” the NACD Cyber Risk Oversight handbook said. The handbook cites Factor Analysis of Information Risk (FAIR™) as one of the recommended models for cyber risk quantification. The RiskLens platform implements FAIR risk analysis.
As the handbook states, quantification paves the way for boards to understand the effectiveness of cybersecurity programs, set risk appetite and view cyber risk in the wider context of enterprise risk.
With the data generated by RiskLens/FAIR analysis, CISOs can report on cyber risk in the high-level themes appropriate to board consideration. See examples in these blog posts:
Report to the Board in Financial Terms with a Cyber Risk Dashboard Based on RiskLens Risk Quantification
Building a True Cyber Risk Dashboard Worth Taking to the Board
Learn FAIR risk analysis through the RiskLens Academy
Focus on the Critical Assets for Business Operations
You can’t know every way attackers may gain a foothold in your network but you can know the assets that are critical for the functioning of your organization. As RiskLens Risk Consultant Sara Dominick recommended in some recent blog posts:
- Start with a focus on your crown jewel assets.
- Use the MITRE ATT&CK framework to identify the likely types of attacks and threat actors for those types of assets. Reality-check those insights with your SOC or Threat Intel teams.
- Define loss event scenarios for FAIR analysis. Working through the FAIR factors to model scenarios is a great way to discover, for instance, the probable Threat Event Frequency for attacks on your assets of most concern, and the Vulnerability (or Susceptibility) of your infrastructure to those types of attack.
With FAIR quantitative risk analyses on loss events impacting critical assets, a CISO can evaluate mitigations to protect those assets, more generally harden the organization against crippling cyber attacks from whatever direction – and give a compelling answer to the board on the resiliency question.
Read Sara Dominick’s posts:
Threat Actors Constantly Evolve Tactics. How Can Cyber Risk Management Keep Up?
3 Steps to Combine MITRE ATT&CK and FAIR to Focus Cyber Risk Management
Future-Proof Your Risk Register
Tony Martin-Vegue, Senior Information Security Risk Engineer at RiskLens client Netflix, and a longtime FAIR practitioner, suggested in a blog post that CISOs should prepare for emerging threats by re-thinking the risk register.
“Risk registers should be forecasts, not a big ‘o list of problems that need to be fixed,” Tony wrote. Specifically, risk register entries should be phrased as FAIR risk scenarios, with a threat actor impacting an asset by some means.
When a new “vulnerability du jour” (as Tony said) emerges and is likely to capture board and senior management attention, “I look at who the threat actors are, their motivations, vector of attack, and probable impact” and sketch out some FAIR analysis scenarios.
“I then compare my analysis with the list of existing risks and ask myself, Am I missing anything? What lessons can I learn from the past to help me forecast the future?” The next step is to adjust existing scenarios or create new ones for the register, if needed. As new threats emerge, you should be able to look to the register (with collaboration from Threat Intel and SOC teams) and work up a ready answer for the board on the probable risk for an emerging threat.
Read Tony Martin-Vegue’s posts on Modeling the Vulnerability du Jour.
Improve your board reporting with RiskLens - learn about the Rapid Risk Assessment and Risk Treatment Analysis capabilities of the RiskLens platform. Schedule a demo.