Chief Information Security Officers (CISOs) and their staff often face significant challenges when it comes to understanding how the evolving threat landscape impacts their organizations. Competing priorities, understaffed cybersecurity teams or complacency due to existing security tools all play a role in losing sight of what matters. A foundational element of managing risk to an organization is a full understanding of your cyberthreat and risk profile. When organizations do not take the time to fully comprehend their threat profile, it may adversely impact the effectiveness of their security tools, controls and processes.
For an organization to understand its cyberthreat profile, the following should be considered:
- Industry Matters: The Defense Department is going to face different threats than the Interior Department.
- Data: What sensitive information, patents or technology would motivate an adversary?
- Attack Surface or Public-Facing Systems: How visible and accessible are the applications being maintained? Threats to an internal database are different than a public-facing web server.
- Users: Know the breakdown of your user types (general users vs. administrators), their accesses and behaviors (how susceptible they are to phishing).
- Upcoming IT Changes: Implications of future system changes may impact risk to the organization.
- Periodic Review: Creating a threat profile should not be a one-time exercise, but a recurring effort that evaluates organizational changes and implementation of new technology.
Once an organization has a firm grip on the aforementioned characteristics, it is highly beneficial to perform threat modeling. The exercise of creating scenarios and use cases to categorize threats and associated mitigation responses reduces risk by improving incident response capabilities. Unfortunately, many organizations struggle in this area and are not on par with evolving threats. Regardless, it is never too late to get started or build on what is already in place. Compiling a threat profile and associated threat modeling based on operational, technical and strategic factors is what should drive security tool selection, configuration and support resources.
The cyberthreat landscape is constantly changing. Industry leaders should leverage research by expert organizations such as ISACA, SANS and ISSA to guide their cybersecurity program and maintain awareness of the latest trends and evolving threats.
Ultimately, each organization is unique. CISOs must weigh the risk appetite, organization threat profile and evolving threats collectively. When leaders have greater security awareness and understanding of cybersecurity risks, fully informed decisions can be made to apply mitigations and controls.
To learn more on this topic, consider checking out the following resources:
Jason Yakencheck is part of the GovLoop Featured Contributor program, where we feature articles by government voices from all across the country (and world!). You can follow him on Twitter. To see more Featured Contributor posts, click here.