Everything we do within our security programs should reduce risk. But when was the last time you clearly showed exactly how you reduce risk? In my experience, we make the risk discussion so complicated that the true value we provide is not understood. Let’s make an effort to change that conversation and clearly articulate how our programs add value by reducing risk.
Where to start? Which framework do you use to measure your maturity? Let’s take NIST CSF as an example. It has five domains: Identify, Protect, Detect, Respond and Recover. Running a quick assessment of where you stand against such a framework gives you a baseline, and then you measure the progress of your improvements over time. But how does each of these domains help reduce risk?
By using plain language, you can easily articulate how each domain relates to risk. For example, take the Respond domain, specifically RS.AN-3: Forensics are performed. We generally understand that forensics is needed during or after an incident to gather artifacts to support analysis for an investigation. Guess what? Most executives or business partners don’t care about that part.
Executives want to understand how forensics, and the processes used to support them, help security due diligence efforts, comply with potential legal and regulatory requirements, or limit the impact to sensitive company data. When you tie progress in the Respond domain back to your original baseline, you can also show how risk in that area is decreasing over time: you are increasing your capability and speed to respond, and you are suggesting improvements that prevent future incidents, which reduces the potential impact of those incidents to your organization.
Another example where we often miss discussing risk is our threat intelligence efforts. Whether you have a person who does this part time for your organization or if you have a dedicated full-time organization, threat intelligence is all about reducing risk, yet we tend to focus on detailed reports about threat actors chock full of interesting details and splashy diagrams, some that may or may not be relevant to our organization. However, when you add stories of how these threat actors have directly impacted or could directly impact your organization, the story changes dramatically.
When you take an example of such a threat actor’s tactics and walk it through either the Lockheed Martin Kill Chain or the MITRE ATT&CK matrix, you can show where an attacker might succeed in your organization and where they should be stopped by your existing controls. The gaps in controls translate directly into risk, and the impact of those attacks can be shown against vulnerable systems, people and processes. Further examination of recovery efforts can be played out to demonstrate what the fallout would be, and then the tangible conversation about risk begins. Even better, once you have these tangible items, you get a better sense from your organization of what its risk tolerance is, and then you can base your investment decisions on where best to stop the highest-impact attack.
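The walk-through described above can be made concrete with a small model. The following Python is an added example written for this post, not code from the original article or from any framework vendor: it places a threat actor's constructed techniques on the Lockheed Martin Kill Chain phases, checks each phase against an inventory of controls (with an `effective` flag taken from a baseline assessment), reports the gaps, the first phase where the chain should break, a simple residual-risk score, and a plain-language summary of the kind an executive would read. The scenario, the control names, the likelihood and impact values, and the scoring formula are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Lockheed Martin Cyber Kill Chain phases, in attack order.
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]


@dataclass(frozen=True)
class Control:
    name: str
    stops: frozenset        # kill-chain phases this control prevents or detects
    effective: bool = True  # False = identified as a gap in the baseline assessment


@dataclass
class Scenario:
    actor: str
    techniques: dict        # phase -> what the actor does there (constructed)
    likelihood: int         # 1 (rare) .. 5 (expected); assumption from the threat profile
    impact: int             # 1 (minor) .. 5 (severe); assumption from the business


def phases_used(scenario):
    """Phases the actor actually uses, kept in kill-chain order."""
    return [p for p in KILL_CHAIN if p in scenario.techniques]


def coverage(scenario, controls):
    """Map each phase the actor uses to the effective controls that cover it."""
    return {p: sorted(c.name for c in controls if c.effective and p in c.stops)
            for p in phases_used(scenario)}


def gaps(scenario, controls):
    """Phases the actor uses where no effective control exists: these are the risk."""
    cov = coverage(scenario, controls)
    return [p for p in phases_used(scenario) if not cov[p]]


def first_stop(scenario, controls):
    """Earliest phase where an existing control should break the chain, or None."""
    for phase, names in coverage(scenario, controls).items():
        if names:
            return phase
    return None


def residual_risk(scenario, controls):
    """Constructed scoring model (an assumption, not a standard): inherent risk
    (likelihood x impact) scaled by the share of used phases left uncovered."""
    used = phases_used(scenario)
    if not used:
        return 0.0
    inherent = scenario.likelihood * scenario.impact
    return round(inherent * len(gaps(scenario, controls)) / len(used), 1)


def plain_language_summary(scenario, controls):
    """One paragraph an executive can read without knowing the framework."""
    used = phases_used(scenario)
    stop = first_stop(scenario, controls)
    goal = scenario.techniques[used[-1]]
    if stop is None:
        where = f"no current control would stop {scenario.actor} before they {goal}"
    else:
        by = ", ".join(coverage(scenario, controls)[stop])
        where = (f"{scenario.actor} should be stopped at the {stop} step "
                 f"({scenario.techniques[stop]}) by {by}")
    uncovered = ", ".join(gaps(scenario, controls)) or "none"
    return (f"{where}. Uncovered steps: {uncovered}. Risk score "
            f"{residual_risk(scenario, controls)} of {scenario.likelihood * scenario.impact}.")


def with_control_fixed(controls, name):
    """The 'after investment' view: the named control becomes effective."""
    return [Control(c.name, c.stops, True) if c.name == name else c for c in controls]


# Constructed scenario and control inventory for illustration only.
RANSOMWARE = Scenario(
    actor="a ransomware affiliate",
    techniques={
        "Delivery": "phishing email with a malicious attachment",
        "Exploitation": "document macro runs a loader",
        "Installation": "scheduled task keeps the loader running",
        "Command and Control": "beacon to the attacker over HTTPS",
        "Actions on Objectives": "encrypt the file shares",
    },
    likelihood=4,
    impact=5,
)

CONTROLS = [
    Control("attachment sandboxing", frozenset({"Delivery"}), effective=False),
    Control("macro blocking policy", frozenset({"Exploitation"})),
    Control("endpoint detection and response", frozenset({"Installation", "Command and Control"})),
    Control("egress proxy with domain filtering", frozenset({"Command and Control"})),
]

if __name__ == "__main__":
    print("Today:   ", plain_language_summary(RANSOMWARE, CONTROLS))
    print("Invested:", plain_language_summary(
        RANSOMWARE, with_control_fixed(CONTROLS, "attachment sandboxing")))
```

Running it side by side, the "today" view says the chain should break at Exploitation and leaves Delivery and Actions on Objectives uncovered; making the sandbox effective moves the first stop earlier and halves the score. That before/after pair, phrased in the summary sentence rather than in framework identifiers, is the investment conversation the post is describing.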
Where is your biggest threat? This is another output of a threat intelligence program that can help explain where your security program reduces risk. The threat profile ensures that the detailed briefs on threat actors include how those actors relate back to your organization. This doesn’t have to be a huge financial investment for the organization, as there are many excellent resources available that can paint this picture, and a good picture can help justify additional investments.
Forensics and threat intelligence are just two areas of security where we often struggle to clearly define and show true value. There are many others to explore throughout your program. The important takeaway is to start exploring your own program for opportunities to expand that risk outlook and to start showing where and how these programs reduce risk, using plain language and realistic examples.