If someone asked what your security organization's strategy is this year, would you be able to speak to it? Every organization should have a strategy that is clearly articulated to the entire team, so that people know what they should be doing and how they add value to the organization. But how should the strategy be framed so that it makes sense and is useful? How about leveraging threat modeling to set the right direction? Threat modeling can be used for much more than software development, yet it is often overlooked as a way to build a holistic picture of risk and strategy. Where to start?
Start by asking questions. Talk to various leaders and folks on the ground doing the work and find out what’s truly at risk around your organization. Ask what they are truly worried about. Once you have covered a considerable, diverse representation of your organization, start to categorize those risks into major areas. Take those risks and examine what you already have in your portfolio. When looking at that inventory, make sure that you include people, process and technology. The last step in the process will be to map the risks against the controls that you already have and identify the gaps.
Let's take an example to better understand how this might work. Your round of interviews should leave you with a good idea of your biggest exposures, because you will have asked: Who are your adversaries? What would hurt the organization the most if it happened? What types of data do you hold? Where does that data live? What regulations apply to it?
The answers to these questions will likely reveal some recurring themes: ransomware, nation states, malware, web-based attacks. More than likely you already have some level of control in place for each, but the interviews will likely reveal areas that haven't had enough focus in the past. For purposes of discussion, suppose that you find your highest area of concern is ransomware.
If you are concerned that nation states may decide to target your organization with ransomware, then research the known threat actors that target organizations similar to yours. A convenient tool to leverage is the MITRE ATT&CK Groups page (https://attack.mitre.org/groups/). It catalogs known threat actor groups together with the techniques each group has been observed using. From a group's entry on the ATT&CK site you can quickly see which techniques it relies on and which tactics (initial access, credential access, impact, and so on) those techniques serve; the ATT&CK Navigator can overlay several groups on one matrix if you want to compare them.
With this map in hand, take your list of current controls that support your security posture, as well as other efforts already in flight, and see where the gaps in your defenses are. You may also have gaps against the security or regulatory framework you use (e.g., NIST, HIPAA, PCI or FFIEC). That is even greater leverage for your strategy, because a failure to meet regulatory requirements is another, equally significant, category of risk beyond the purely 'cyber' one.
Now comes the prioritization exercise. You’ll have a healthy list of items that need to be targeted for remediation. There will be risks that rise to the top very quickly and the key will be their impact. This is where your strategy starts to form. There will be shorter term items that can be quickly organized and fixed, but then there will be longer term efforts that must be remediated with the commitment of an enterprise project supported by senior leadership. So now you have the who, the what, the why of your strategy, and once there is buy in to continue, the communication planning can begin.
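As an added illustration of the mapping and prioritization steps above (example code written for this page, not part of the original post), the following script takes a list of threat groups with the ATT&CK techniques they use, a control inventory tagged as people, process or technology, and reports which techniques have no covering control, ordered by how many groups use them. The technique IDs are real ATT&CK identifiers, but the group names, the group-to-technique mapping and the control inventory are constructed samples; in practice you would fill them from the ATT&CK Groups pages and your own control register.

```python
"""Threat-group technique coverage against a control inventory.

Added example for this page. The group-to-technique mapping and the control
inventory below are CONSTRUCTED samples (hypothetical groups, not ATT&CK
group data); the technique IDs themselves are real ATT&CK identifiers.
"""
from collections import Counter

# Constructed sample: techniques each hypothetical group has been seen using.
GROUP_TECHNIQUES = {
    "Group A": {"T1566.001", "T1059.001", "T1078", "T1003.001",
                "T1021.001", "T1486", "T1490"},
    "Group B": {"T1566.002", "T1059.003", "T1078", "T1047",
                "T1562.001", "T1486", "T1567"},
    "Group C": {"T1078", "T1021.001", "T1105", "T1003.001", "T1486"},
}

# Constructed sample: current controls, their category (people / process /
# technology) and the techniques each is judged to mitigate or detect.
CONTROLS = {
    "Phishing awareness training": ("people", {"T1566"}),
    "Email attachment sandboxing": ("technology", {"T1566.001"}),
    "MFA on all remote access": ("technology", {"T1078", "T1021.001"}),
    "EDR with script-block logging": ("technology", {"T1059", "T1047"}),
    "Offline, tested backups": ("process", {"T1490"}),
}


def parent(technique_id):
    """T1566.001 -> T1566; a parent technique is its own parent."""
    return technique_id.split(".")[0]


def covering_controls(technique_id, controls=CONTROLS):
    """Controls covering a technique, directly or via its parent technique.

    A control scoped to the parent (e.g. all phishing) is assumed to cover
    every sub-technique. The reverse is deliberately NOT assumed: a control
    for one sub-technique does not count as covering the whole parent.
    """
    return sorted(name for name, (_, techs) in controls.items()
                  if technique_id in techs or parent(technique_id) in techs)


def technique_frequency(groups=GROUP_TECHNIQUES):
    """How many groups use each technique: the priority signal for gaps."""
    return Counter(t for techs in groups.values() for t in techs)


def gap_report(groups=GROUP_TECHNIQUES, controls=CONTROLS):
    """(technique, group_count) pairs with no covering control, most-used first."""
    freq = technique_frequency(groups)
    gaps = [(t, n) for t, n in freq.items() if not covering_controls(t, controls)]
    return sorted(gaps, key=lambda pair: (-pair[1], pair[0]))


def group_coverage(groups=GROUP_TECHNIQUES, controls=CONTROLS):
    """Fraction of each group's techniques that has at least one control."""
    return {g: sum(1 for t in techs if covering_controls(t, controls)) / len(techs)
            for g, techs in groups.items()}


def control_categories(controls=CONTROLS):
    """Count of controls per people/process/technology category."""
    return Counter(category for category, _ in controls.values())


if __name__ == "__main__":
    print("Uncovered techniques (groups using them):")
    for technique_id, count in gap_report():
        print(f"  {technique_id:<10} used by {count} group(s)")
    print("Coverage per group:")
    for group, fraction in group_coverage().items():
        print(f"  {group}: {fraction:.0%}")
    print("Control inventory by category:", dict(control_categories()))
```

With the constructed inventory the report puts T1486 (Data Encrypted for Impact, used by all three groups) and T1003.001 (LSASS credential dumping, used by two) at the top, which is exactly the kind of ordering the prioritization step needs: the impact-stage technique every ransomware group shares has no control at all, while phishing and remote access are already covered. The category count also shows the inventory is technology-heavy, a reminder that the people and process columns of the mapping deserve the same scrutiny.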
This may seem like a fairly simplistic view of how to build a strategy, but we as security organizations tend to focus on the fire of the day rather than on what the focus of the long game should be. Having a well-articulated strategy will set the direction for the team, the organization and the board of directors so that everyone is in sync with what the security team is doing today and into the future.