POSTED: April 2, 2021
How your organization defines risk is vital to its ability to identify and mitigate it.
Real cyber risk takes into consideration a specific organization’s attack surface, threat profile, and vulnerabilities in the context of the assets and data they may impact. It neither decides risk purely on a general external standard and acts on that alone, nor disregards the insight such standards provide. It maps what is known about active threats that may target the organization, together with known organizational vulnerabilities, to key internal people, assets, or processes to determine prioritization. The difference can mean that you make smarter resource decisions and mitigate a medium or low CVSS-designated vulnerability first, because of the exposure it creates for a vital business process.
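As an added illustration of that mapping (example code written for this article, not a tool or method from the original post), the following ranks scan findings by asset criticality and active-threat status rather than by CVSS alone; the assets, finding identifiers, scores and weights are constructed, and the weighting is a hypothetical choice you would tune to your own organization.

```python
# Contextual vulnerability prioritization: rank findings by exposure of vital
# business processes and by active threats, not by CVSS base score alone.
# All assets, findings and weights below are constructed for illustration.
from dataclasses import dataclass

ACTIVE_THREAT_MULTIPLIER = 2.0  # hypothetical weight for a weakness under active attack

@dataclass(frozen=True)
class Asset:
    name: str
    business_process: str
    criticality: int  # 1 = negligible .. 5 = vital to a key business process

@dataclass(frozen=True)
class Finding:
    vuln_id: str              # constructed identifier, not a real CVE
    asset: str                # name of the Asset the vulnerability sits on
    cvss: float               # CVSS base score, 0.0..10.0
    actively_exploited: bool  # from threat intelligence on active campaigns

def contextual_risk(finding: Finding, assets: dict) -> float:
    """Map the finding to its asset and scale severity by business exposure."""
    asset = assets[finding.asset]
    if not 1 <= asset.criticality <= 5:
        raise ValueError(f"criticality out of range for {asset.name}")
    threat = ACTIVE_THREAT_MULTIPLIER if finding.actively_exploited else 1.0
    # severity (0..1) x how vital the asset is x whether a threat is actually active
    return round(finding.cvss / 10 * asset.criticality * threat, 2)

def prioritize(findings, assets):
    """(vuln_id, contextual score) pairs, highest organizational risk first."""
    scored = [(f.vuln_id, contextual_risk(f, assets)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

def cvss_order(findings):
    """The ordering a purely external standard (CVSS alone) would produce."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

# Constructed inventory and scan results.
ASSETS = {a.name: a for a in [
    Asset("marketing-kiosk", "trade-show demos", 1),
    Asset("hr-portal", "payroll", 3),
    Asset("payments-gateway", "card settlement", 5),
]}
FINDINGS = [
    Finding("VULN-A", "marketing-kiosk", 9.8, False),   # critical CVSS, trivial asset
    Finding("VULN-B", "hr-portal", 7.5, False),
    Finding("VULN-C", "payments-gateway", 5.3, True),   # medium CVSS, vital process
]
```

With these inputs CVSS alone would patch the kiosk first, while the contextual ranking puts the medium-severity finding on the payments gateway at the top.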
A smarter cyber risk-taker considers the following:
- Transparency creates trustworthiness.
  - Can you explain your organization’s cyber threats to an executive?
  - Are you focusing current mitigation efforts on protecting what’s most valuable, or are you simply trying to check off stagnant controls from a recent compliance report?
- A methodical approach builds a strong defense foundation.
  - Is your team familiar enough with MITRE ATT&CK that they reference it when they discuss threats and vulnerabilities?
  - Does your team consider the relationship between ATT&CK and your controls framework, and how to apply that to the organization?
  - Is your team looking beyond standard frameworks to see how things may change given specific threats to your environment?
- A pragmatic approach can work well and is less costly.
  - Why should we apply that control or mitigation? What’s the probability of being attacked?
  - How much effort and expertise would it take to apply a control? What if we prioritize another project?
  - Can we better protect the business by applying a holistic approach to vulnerability management instead of a point-in-time patch or remediation?
- A strategic view of risk and a departmental approach to mitigation are key.
  - With supporting evidence, can you explain the maturity of your defensive strategies to your business unit partner?
  - What assurances can your supply chain vendors provide regarding operational risk?
Incorporating a thorough understanding of your IT operational risk helps position your department as a partner to the rest of the organization. Because you will have the right information, presented the right way, you will be able to explain the threat background and the reasoning behind the recommended actions. The improved lines of communication help build resilience into your organization as you become a smarter risk-taker.