Mushrooming industry and government mandates that govern IT security have led to a highly regulated environment and annual compliance fire drills. The number of regulations that affect average organizations can easily exceed a dozen or more, and grow more complex by the day. This is forcing most companies to assign an inordinate amount of resources to governance and compliance efforts on top of their lengthy list of IT priorities. Are these efforts warranted? Or simply a check-box requirement as part of a compliance-driven approach to security?
The bitter truth is that you can schedule an audit, but you cannot schedule a cyberattack. Nearly every day, we are reminded of this fact when breaches make headline news. As a result, many organizations have concluded that to gain insight into their risk posture, they must go beyond simple compliance assessments. As a result, they are taking threats and vulnerabilities, as well as business impact, into account. Only a combination of these three factors assures a holistic view of risk.
The Pitfall of Compliance
Organizations that pursue a check-box, compliance-driven approach to risk management only achieve point-in-time security. That’s because a company’s security posture is dynamic and changes over time. This has been proven time and again.
Recently, progressive organizations have begun to pursue a more proactive, risk-based approach to security. The goal in a risk-based model is to maximize the efficiency of an organization’s IT security operations and provide visibility into risk and compliance posture. The ultimate goal is to remain in compliance, reduce risk and harden security on a continuous basis.
A number of factors are causing organizations to move to a risk-based model. These include, but are not limited to:
- Federal Information Security Management Act (FISMA) of 2002
- Federal Risk and Authorization Management Program (FedRAMP)
- Securities and Exchange Commission (SEC) Cyber Guidance
- Emerging cyber legislation (e.g., Cyber Intelligence Sharing and Protection Act)
- Presidential Executive Order on Cyber Security
- The Council of Europe Convention on Cybercrime
- Supervisory guidance by the Office of the Comptroller of the Currency (OCC)
Security to the Rescue?
It is commonly believed that vulnerability management will minimize the risk of a data breach. However, without placing vulnerabilities into the context of the risk associated with them, organizations often misalign their remediation resources. Often they overlook the most critical risks while only addressing "low-hanging fruit."
This is not only a waste of money, but it also creates a longer window of opportunity for hackers to exploit critical vulnerabilities. The ultimate goal is to shorten the window attackers have to exploit a software flaw. Therefore, vulnerability management must be supplemented by a holistic, risk-based approach to security, which considers factors such as threats, reachability, the organization’s compliance posture and business impact. If the threat cannot reach the vulnerability, the associated risk is either reduced or eliminated.
Risk as the Sole Truth
An organization’s compliance posture can play an essential role in IT security by identifying compensating controls that can be used to prevent threats from reaching their target. According to the 2013 Verizon Data Breach Investigations Report, an analysis of the data obtained from breach investigations that Verizon and other organizations have performed during the previous year, 97 percent of security incidents were avoidable through simple or intermediate controls. However, business impact is a critical factor in determining actual risk. For example, vulnerabilities that threaten critical business assets represent a far higher risk than those that are associated with less-critical targets.
Compliance posture is typically not tied to the business criticality of assets. Instead, compensating controls are applied generically and tested accordingly. Without a clear understanding of the business criticality that an asset represents to an organization, an organization is unable to prioritize remediation efforts. A risk-driven approach addresses both security posture and business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces and improve investment decision-making.
As mentioned earlier, risk is influenced by three key factors: compliance posture, threats and vulnerabilities, and business impact. As a result, it is essential to aggregate critical intelligence about risk and compliance postures with current, new, and emerging threat information to calculate impacts on business operations and prioritize remediation actions.
Three Elements to a Holistic View of Risk
There are three main components to implementing a risk-based approach to security:
- Continuous compliance includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation. With continuous compliance, organizations can reduce overlap by leveraging a common control framework to increase accuracy in data collection and data analysis, and reduce redundant, as well as manual, labor-intensive efforts by up to 75 percent.
- Continuous monitoring implies an increased frequency of data assessments and requires security data automation by aggregating and normalizing data from a variety of sources such as security information and event management (SIEM), asset management, threat feeds and vulnerability scanners. In turn, organizations can reduce costs by unifying solutions, streamlining processes, creating situational awareness to expose exploits and threats in a timely manner, and gathering historic trend data, which can assist in predictive security.
- Closed-loop, risk-based remediation leverages subject matter experts within business units to define a risk catalog and risk tolerance. This process entails asset classification to define business criticality, continuous scoring to enable risk-based prioritization, and closed-loop tracking and measurement. By establishing a continuous review loop of existing assets, people, processes, potential risks and possible threats, organizations can dramatically increase operational efficiency, while improving collaboration among business, security and IT operations. This enables security efforts – such as time-to-resolution, investment in security operations personnel, purchases of additional security tools – to be measured and made tangible.
Compliance mandates were never designed to drive the IT security bus. They should play a supporting role within a dynamic security framework that is driven by risk assessment, continuous monitoring and closed-loop remediation.