An hour after commencing my new job, I sat at my desk reading the findings of a recent security audit. The internal audit was a comprehensive assessment of the information security posture of my new organization. It was based on the National Institute of Standards and Technology (NIST) cybersecurity framework and assessed every section and every category. The results were overwhelming. The organization I had joined was relatively small, was challenged with a number of legacy technologies, and was under-resourced. And now, we were confronted with addressing the results of an audit that would test a well-appointed organization.
First, the audit was necessary, and although it was overwhelming, it provided a needed appraisal of our security preparedness. The baby may have been ugly; nonetheless, it was my baby. Over the course of several days, as I digested and pondered the audit results, I began to formulate a mitigation strategy. There was no doubt that I would need to prioritize. Should I focus on the most achievable findings and demonstrate immediate progress, or should I go down the list of findings sequentially, addressing one area at a time? The audit results offered remediation suggestions ranging from addressing the areas that would yield the greatest impact to fixing the findings that were most concerning – the priority 1 issues. I could simply follow their suggestions.
In truth, my first approach was to treat the findings as a sort of punch list: a list of issues that needed to be fixed and to which I could apply a process, a tool, or a human resource. The findings would be divided into three categories based on severity, the ability to resource the solution, and an estimated time to resolve. I would then bin the remediation efforts into three phases and set about moving down the list in a systematic manner. However, after more deliberation, it occurred to me that the audit findings and my initial response were in no way considerate of the organizational culture I had just joined. I had not spent any time assessing what the company viewed as its most valued asset – what did it prize more than anything else? More importantly, I had not applied any process to determine the cyber threats and their relation to our most valued asset. At that exact moment, my audit remediation effort shifted from a systematic approach to a threat-based method. My assertion, and what my intuition tells me, is that threat-based security should be the standard approach for cybersecurity programs.
As I mentioned, the first consideration when applying a threat-based security program must be an analysis of the organization’s most valued asset – what is most important. You must know what is critically worth defending. No cyber defense is impenetrable, and identifying the most valued asset provides a specific focus that will inform many other efforts, from fiscal investment in the right cyber tools to network design to the creation of an effective disaster recovery program. For most organizations, this process will lead to the identification of a resource that has a business-impacting consequence if a cyber event menaces it. A broad vulnerability assessment is not the same thing. The analysis of your most valued asset should be specific and limited in scope. It should be one or two items; however, it is typical to discover associated, critical linkages that enable the most valued asset, and these may be several in number. For example, if a business’s brand is well known and respected, its reputation may be its most valued asset, and the loss of consumer data through a breach would result in an unacceptable consequence. In this instance, the most valued asset is an intangible – reputation; however, the physical resource connected to the most valued asset is the consumer data repository, which may include several systems that process and store that information. Most analyses will reveal physical assets operating at the application layer as the enablers that link to the most valued asset. That is exactly what you want your analysis to reveal, because you can now begin considering the threat more deliberately from the viewpoint that these applications are likely targets.
Now you must view the cyber threat spectrum and consider how particular threat tactics could target your most valued asset. This is the crux of threat-based security. The application of resources is viewed through the lens of defending the most valued asset from the most likely and most dangerous threats. Those resources may be a specific tool, a network design, a prioritized patching program, or even a disaster recovery plan that enables the rapid restoration of business confidence. Some of these threat tactics are likely already evident in your environment. For example, if malware is a concerning threat and the likely tactic employed is phishing, and if the introduction of this threat into the organization’s information environment jeopardizes an application linked to your most valued asset, then you must focus your defense on countering it with a tool that blocks or quarantines suspicious mail. The acquisition and implementation of that countermeasure now becomes a priority. Unstated but implied is the fact that there is risk tolerance in other areas that are not as highly valued. Most essential, though, is that this method places the most important asset at the center of an information security strategy, which allows focused investment and effort.
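The shift described above, from a severity-ordered punch list to a ranking driven by the most valued asset and the threats to its enabling systems, can be made concrete in a small scoring model. The following is an added illustration, not code from the original article or from the author's organization; the asset, enabling systems, threats, findings and scoring weights are all constructed sample data chosen to show the method, and a real program would replace them with its own analysis.

```python
"""Threat-based prioritisation of audit findings (added illustration).

Each finding is scored by (a) whether it touches a system that enables the
most valued asset and (b) the danger of the threat tactics its remediation
counters. Findings off the asset path keep only their auditor severity.
All data below is constructed for the example, not taken from a real audit.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    tactic: str          # how the threat is expected to arrive
    likelihood: int      # 1 (rare) .. 5 (expected)
    impact: int          # 1 (nuisance) .. 5 (business-impacting)

    @property
    def danger(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    severity: int                 # auditor's severity, 1..5
    systems: FrozenSet[str]       # systems the finding affects
    counters: FrozenSet[str]      # threat tactics the fix would counter
    effort_weeks: int


@dataclass(frozen=True)
class ThreatModel:
    most_valued_asset: str
    enablers: FrozenSet[str]      # systems that enable the asset
    threats: Tuple[Threat, ...]

    def is_linked(self, f: Finding) -> bool:
        """True when the finding touches a system on the path to the asset."""
        return bool(f.systems & self.enablers)

    def countered_danger(self, f: Finding) -> int:
        """Highest danger among the threats whose tactic the fix counters."""
        return max((t.danger for t in self.threats if t.tactic in f.counters), default=0)

    def score(self, f: Finding) -> int:
        """Severity alone off the asset path; severity plus countered danger on it."""
        return f.severity + (self.countered_danger(f) if self.is_linked(f) else 0)

    def phase(self, f: Finding) -> int:
        """Phase 1: on the asset path and counters a dangerous threat;
        phase 2: on the path, or severe anyway; phase 3: everything else."""
        linked = self.is_linked(f)
        if linked and self.countered_danger(f) >= 15:
            return 1
        if linked or f.severity >= 4:
            return 2
        return 3


def prioritise(model: ThreatModel, findings: List[Finding]) -> List[Dict]:
    """Rank by threat-based score, then by lower effort for ties."""
    ranked = sorted(findings, key=lambda f: (-model.score(f), f.effort_weeks))
    return [{"id": f.finding_id, "score": model.score(f),
             "phase": model.phase(f), "linked": model.is_linked(f)} for f in ranked]


def severity_order(findings: List[Finding]) -> List[str]:
    """The punch-list ordering the article started with, for comparison."""
    return [f.finding_id for f in sorted(findings, key=lambda f: (-f.severity, f.finding_id))]


# Constructed example: reputation is the asset; these systems enable it.
MODEL = ThreatModel(
    most_valued_asset="customer trust (brand reputation)",
    enablers=frozenset({"crm-db", "web-portal", "mail-gateway"}),
    threats=(
        Threat("malware delivered by phishing", "phishing", 5, 4),          # danger 20
        Threat("ransomware via exposed remote access", "exposed-service", 3, 5),  # 15
        Threat("data theft via web injection", "web-injection", 3, 5),     # 15
        Threat("insider misuse", "insider", 2, 3),                          # 6
    ),
)

FINDINGS = [
    Finding("F-01", "no sandboxing of mail attachments", 3, frozenset({"mail-gateway"}), frozenset({"phishing"}), 2),
    Finding("F-02", "legacy file server unpatched", 4, frozenset({"file-server"}), frozenset({"exposed-service"}), 3),
    Finding("F-03", "portal lacks input validation", 4, frozenset({"web-portal"}), frozenset({"web-injection"}), 4),
    Finding("F-04", "no tested recovery plan for CRM", 5, frozenset({"crm-db"}), frozenset({"exposed-service"}), 6),
    Finding("F-05", "shared admin account on HR app", 3, frozenset({"hr-app"}), frozenset({"insider"}), 1),
    Finding("F-06", "weak VPN password policy", 2, frozenset({"vpn"}), frozenset(), 1),
]

if __name__ == "__main__":
    print("severity-only order:", severity_order(FINDINGS))
    for row in prioritise(MODEL, FINDINGS):
        print(row)
```

With this data the mail-gateway finding, rated only severity 3 by the auditor, moves to the top because it counters the most dangerous tactic on the path to the asset, while the severity 4 file-server finding drops to phase 2 because nothing it protects enables the asset. The weights are deliberately simple; what matters is that the ranking is driven by the asset-and-threat analysis rather than by severity alone.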
A comprehensive and layered cyber defense is essential; however, threat-based security is a reasonable method to focus on the most valued asset of an organization. No defense can stifle every threat, but a program that places concerted emphasis on protecting a core asset is more effective than spreading defensive efforts thinly in a uniform, systematic manner. It proved to be a positive method in my organization and demonstrated to the audit team that our approach was both well-reasoned and successful in mitigating information security risks.