POSTED: June 10, 2020
As the nation grinds through the COVID-19 pandemic, we are collectively living through a significant business continuity and disaster recovery event, and it is happening in real time. Our organizations are being tested at every level, from the resiliency of their infrastructure to the efficacy of their workforce, human and business systems included. Whether core systems can keep operating "business as usual" depends on how well we understand risk, and specifically how well we understand cybersecurity risk in a holistic, integrated fashion.
Traditional risk management leaves blind spots and gives little insight into the resiliency of your core business functions.
Managing an effective cyber risk program is always an uphill battle. The processes designed to maintain and mature a program often cannot keep up with the pace at which threats evolve. Risk, as it applies to organizations and business systems, is handled in many layers: documentation from the assessment function, execution by vulnerability management and security operations, and testing by external adversarial emulation and red teaming. These functions are usually siloed, operate on very different time frames, and are rarely in sync. Coordinating and tracking them is even harder now, with a distributed remote workforce, non-standard devices, and a rapid acceleration into the cloud. Because of this siloed structure, detecting threats and applying the resulting risk response to business systems has traditionally been slow. To disseminate, prioritize, and test risk in critical systems in a meaningful way, an organization needs to process risk data (threats, vulnerabilities, and compensating controls) quickly and consistently: analyze the contributing factors, quantify them on a consistent scale, and compare the overall risk across systems.
The nation is collectively shifting again, this time toward the second phase of easing strict quarantine measures. What "business as usual," work, and the workplace mean has changed rapidly and will likely remain different for quite some time. The accelerated pace at which business is now conducted, and the adaptations organizations made to keep operating, have fundamentally changed business operations. Responding to these changes calls for an update to how risk management and threat response are conducted. This is also an opportunity to tightly integrate, and bring transparency to, the disparate functions, processes, and teams that the pandemic exposed.
The landscape of business operations has changed drastically. A rapid and iterative approach to risk management is needed to keep up.
Consider an integrated view of risk management. Its benefit is shorter input, analysis, and feedback cycles. Ideally, the vulnerability management team's weekly findings of vulnerabilities and threats against a core business system would be evaluated consistently against the controls and mitigations documented in the annual security assessment. Attaching those mitigations, policies, and procedures directly to every entity that makes up a business system gives transparency and quantifies the real (residual) risk. Continual testing of the individual entities with targeted automated attacks gives constant feedback, much as a unit test does in software development, and confirms whether a documented control actually works. A larger-scale adversarial emulation then tests the system as it relates to the rest of the organization, akin to a regression test. These shorter cycles unify an organization's understanding of risk, resiliency, and the true cost of a critical system. They also give the cybersecurity function a way to test detection and response and so measure the efficacy of its programs. Each function ends up with a complete program view and the opportunity to adjust rapidly.
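To make the idea of attaching controls to the entities of a business system, and of feeding automated test results back into the risk number, concrete, here is a small illustrative model. It is an added example, not code from the original post and not Covail's product or method; the scoring scheme (CVSS-style 0 to 10 base scores, a per-control mitigation factor, a control counting only while its latest automated test passed, and system risk reported as the worst residual finding) and all names, assets, findings, and controls are assumptions constructed for the illustration.

```python
"""Toy integrated-risk model (illustration only; scheme and sample data are assumed).

A business system is a set of assets. Each asset carries findings from the
vulnerability management team and controls from the annual assessment. A control
mitigates finding categories it names, but only while its most recent automated
test (the "unit test" of the post's analogy) passed.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    id: str
    category: str       # e.g. "rce", "auth-bypass", "info-disclosure"
    base_score: float   # CVSS-style base severity, 0..10


@dataclass
class Control:
    id: str
    mitigates: set          # finding categories this control reduces
    factor: float           # fraction of severity removed when effective (0..1)
    last_test_passed: bool = True


@dataclass
class Asset:
    name: str
    findings: list = field(default_factory=list)
    controls: list = field(default_factory=list)

    def residual(self, finding: Finding) -> float:
        """Base severity after every effective, applicable control is applied."""
        score = finding.base_score
        for ctl in self.controls:
            if ctl.last_test_passed and finding.category in ctl.mitigates:
                score *= (1.0 - ctl.factor)
        return round(score, 2)


@dataclass
class BusinessSystem:
    name: str
    assets: list

    def prioritized(self) -> list:
        """Findings across the system, worst residual first: the weekly work list."""
        rows = [(a.name, f.id, a.residual(f)) for a in self.assets for f in a.findings]
        return sorted(rows, key=lambda r: r[2], reverse=True)

    def risk(self) -> dict:
        """Worst-case and average residual severity for the whole system."""
        scores = [r[2] for r in self.prioritized()]
        if not scores:
            return {"max": 0.0, "mean": 0.0}
        return {"max": max(scores), "mean": round(sum(scores) / len(scores), 2)}


def record_test_result(system: BusinessSystem, control_id: str, passed: bool) -> None:
    """Feed an automated attack result back in; a failed control stops counting."""
    for asset in system.assets:
        for ctl in asset.controls:
            if ctl.id == control_id:
                ctl.last_test_passed = passed


def build_sample_system() -> BusinessSystem:
    """Constructed sample data (hypothetical payroll system), not real findings."""
    web = Asset(
        "payroll-web",
        findings=[Finding("F-1", "rce", 9.8)],
        controls=[Control("CTL-WAF", {"rce"}, 0.6)],
    )
    db = Asset(
        "payroll-db",
        findings=[Finding("F-2", "info-disclosure", 5.3)],
        controls=[Control("CTL-SEGMENTATION", {"info-disclosure"}, 0.5)],
    )
    return BusinessSystem("payroll", [web, db])


if __name__ == "__main__":
    sysm = build_sample_system()
    print("with controls passing:", sysm.risk(), sysm.prioritized())
    # A targeted automated attack got through the WAF this week.
    record_test_result(sysm, "CTL-WAF", passed=False)
    print("after WAF test failed:", sysm.risk(), sysm.prioritized())
```

With both controls passing, the worst residual finding in the sample drops from 9.8 to 3.92; the moment the automated test against the WAF fails, the same finding climbs straight back to 9.8 and to the top of the prioritized list, without waiting for the next annual assessment to notice the control no longer holds.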
“Nothing in life is to be feared, it is only to be understood. Now is the time to understand more, so that we may fear less.” —Marie Curie
While your organization continually assesses its risk in this unprecedented time, there may be opportunities to apply these integrated operating concepts within your cybersecurity team. Cybersecurity risk is more than the threats and attacks against vulnerabilities in critical business systems, which are themselves composed of multiple assets and applications. It also includes the mitigations and controls those systems are beholden to.
- Continually test this holistic, integrated notion of security risk.
- Look into each cybersecurity function's processes and procedures to find ways to gain transparency into all the layers that define your critical systems.
- Account for the ability to detect, respond, and adjust rapidly to risk situations that threaten business continuity.
We, at Covail, have learned our capacity for resiliency during this pandemic. It’s time to capitalize on our learning and move towards integrated risk management to improve transparency and efficiency of evaluation, detection, and response. Interested in learning more about integrated risk management? We can help. Contact us today to learn more.