Organizations everywhere are rightly concerned about cybersecurity threats, especially in the midst of daily reports...
of cyber intrusions with massive theft of information and intellectual property, and the rise of new exploitation methods, including ransomware, advanced persistent threats and insider threats.
Add to that a rapidly changing operating environment, including cloud computing, the internet of things, supporting mobile and remote users, and the demand to support whatever network-capable device users bring to work, and the question of how, where and what specific security measures to deploy becomes confusing and difficult to answer.
In a 2014 interview, former FBI director James Comey said, "There are two kinds of big companies in the United States. There are those who have been hacked by the Chinese, and those who don't know that they have been hacked by the Chinese."
More than a year later, at the World Economic Forum in January 2015, John Chambers, former CEO of Cisco said, "There are two types of companies: Those who have been hacked, and those who don't yet know they have been hacked."
Are cybersecurity breaches inevitable, as these remarks seem to indicate? If experiencing a cybersecurity breach is inevitable, and if breach prevention is truly impossible, then is trying to protect information and information systems a colossal waste of time and money?
As discouraging as these comments are, if cybersecurity breaches were truly inevitable, then organizations wouldn't store vital intellectual property and personal and financial information on networked systems. Either that, or there must be some benefits to using networked systems that outweighs the risks.
Cybersecurity is a process of managing risk
Even if cybersecurity breaches are inevitable, there are still things that can and should be done to protect information. In any environment where risk is managed, there are always strategies that can be employed if risk scenarios cannot be prevented or avoided. In fact, management of risk is grounded in the premise that the uncertainty surrounding any risk scenario cannot be completely eliminated. If uncertainty could be eliminated, risk would be eliminated, too.
If a cybersecurity breach is inevitable, or if the risk of a cybersecurity breach isn't zero, there are two basic protection strategies that can be used. The first strategy is to reduce the probability that a cybersecurity breach might occur, and the second is to reduce the impact or damage that can occur when a cybersecurity risk scenario is realized.
These basic protection strategies are appropriate in managing any kind of risk, including cybersecurity risk. The general approach in managing cybersecurity risk is very straightforward.
First, assets critical to the operation of the business are identified. In this case, information assets that must be protected are identified. Information assets may include people, processes and technology, in addition to raw data.
Second, a risk assessment process identifies risk scenarios that could damage the security of information through unwanted disclosure, unauthorized modification or loss of access to the information asset. The components of risk are few.
The general case of a cybersecurity intrusion looks like this: A threat actor exploits a vulnerability and damages the security of the information asset. In that general case, the components of risk are the existence of a vulnerability, an exploit that takes advantage of the vulnerability and a threat actor willing to use that exploit to damage the security of the asset.
In that general cybersecurity breach scenario, the only thing that can be controlled by a network security manager is the existence of the vulnerability on the network. Therefore, the last step in managing cybersecurity risk is the process of identifying and eliminating or remediating vulnerabilities.
Ideally, once a vulnerability is identified, it is eliminated. Eliminating a vulnerability also eliminates all threat scenarios where that vulnerability is exploited, reducing the probability of exploitation to zero.
Prioritizing cybersecurity risk
At its core, risk management is a decision-support tool. Once all relevant cybersecurity risk scenarios have been identified, the decision-support task is to prioritize the order in which the identified risk scenarios are remediated.
Prioritization of cybersecurity risk mitigation activity is important if there are insufficient resources to handle all the identified vulnerabilities; prioritization is also valuable even if there are sufficient resources to remediate the vulnerabilities because understanding potential impact is critical.
Outcome vs. impact
Vulnerabilities are usually prioritized by the potential impact to the organization if risk scenarios exploiting that vulnerability are realized. If potential impact is the prioritization factor, it is important to understand what the impact is.
When a vulnerability is exploited, there is some unwanted outcome, such as unwanted disclosure, unauthorized modification or loss of access to the information asset affected by the exploitation of the vulnerability. Impact is what happens as a result of the unwanted outcome.
For instance, if health records covered by the HIPAA privacy or security rules are stolen, the outcome is the disclosure of information, but the impact to the organization could include the costs of mandatory breach notification and the potential for fines and civil penalties that could reach into the millions of dollars.
Prioritization of vulnerability mitigation by potential impact can be done in a number of ways. A commonly used prioritization tool is the Common Vulnerability Scoring System (CVSS), which provides a framework for understanding the characteristics and impacts of information technology vulnerabilities. The National Vulnerability Database, maintained by the National Institute of Standards and Technology, provides CVSS scores for almost all known vulnerabilities.
Even if CVSS scores are used as the basis for prioritizing cybersecurity risk remediation, it is imperative that organizations make certain that this method makes sense for them. For instance, if a particular vulnerability receives a CVSS rating of low severity or medium severity, many organizations will choose to not remediate that vulnerability.
But what of the organization that has many systems, including mission-critical systems, with that vulnerability? That organization needs to understand that the potential impact to them is not well-represented by the CVSS rating, that it may be much higher that the CVSS rating, and that the organization should remediate the vulnerability.
Even if it is true that cybersecurity breaches are unavoidable, all is not lost. What is really being said is that it is not possible to completely eliminate uncertainty regarding cybersecurity breaches.
The traditional way of managing uncertainty is through risk management. Once it is understood that managing cybersecurity is managing risk, there is no reason why cybersecurity risk cannot be managed using the risk management methods that are used everywhere else.
Read an excerpt from Measuring and Managing Information Risk
Discover why CISO and CFO communication is critical for cyber-risk management
Get a better understanding of risk management for the internet of things