However, as organizations expand into the cyber sphere at the same time that risks become increasingly frequent and sophisticated, it becomes impractical, if not impossible, to scale a consistently high level of security up and out – complexity and budget are limiting factors to what can be done technologically.
What is a Risk-Based Security Plan?
Traditional risk management plans focused on protections such as firewalls, data encryption, authentication, and other IT tools that are best applied brute-force style, across the board. All users must be authenticated; all internet communications are encrypted using a Symantec SSL certificate, and so on. These are important tools that will never go away, but to cope with the real state of risk in an environment where data and its value are growing exponentially, a more nuanced and well-considered approach is needed to manage risk intelligently. That means spending on tools that let your security planning target real risk more closely.
Risk-based security planning is a pragmatic approach to security planning that looks at the real risks of different assets, and focuses efforts on protecting assets that really matter while avoiding spending budget on assets that don’t matter.
Traditional security planning painted with a broad brush, but as assets multiply, it becomes ever more urgent that each organization ask itself:
- What assets are we protecting?
- What are they worth to us?
- What are we protecting them against?
- What happens when we fail, and how much does it cost?
Companies benefit on many levels by using risk-based security planning, which can most fundamentally be defined as the process of assessing one’s data, understanding what risk exists, and basing the organization’s security planning on the level of risk.
Understanding your organization’s assets seems obvious in retrospect, but as companies became more and more data-driven, solutions were usually local or departmental rather than organization-wide. This is changing, as companies realize the value of their data for both positive (marketing) and negative (exposure to attack) reasons. Risk-based assessment is also easier for business stakeholders to understand. Using encryption to protect intellectual property seems rather abstract at budget time, but once the data has been explored and understood, the importance of protecting customer data, retaining certain records for compliance, or protecting the alpha test of a new application becomes much more tangible.
Risk-based security planning, by requiring first an understanding of an organization’s assets, is a win for all business and IT stakeholders. Once consumers of a system see their assets in terms of pertinent and private business knowledge, user accounts and the humans who use them, customer information, network portals, internet sites, and so on, the need to assign appropriate protections becomes easier and even more affordable.
How to Implement a Risk-Based Security Plan?
Implementing a risk-based security plan is a challenge for most businesses, because most businesses have not done risk assessments before. Knowing where to start can be daunting, but a place to begin might be by asking the following three questions:
- What are our main information assets, where are they, and who owns them?
- Who can legitimately access these assets, and how is that access protected?
- Who and what might pose a threat to our assets, and why?
As your organization answers these questions, you will be able to begin the process of risk-based security planning, which by its nature must begin with a security risk assessment. The entire process can be broken down into three steps: Risk Assessment, Creating a Security Plan, and Budgeting. The first step of Risk Assessment is by far the most complex.
Security Risk Assessment
A security risk assessment covers a lot of ground. It identifies, measures, and prioritizes risks based on a number of relevant factors such as impact of failure, probability of occurrence, areas affected, and so on. Once the risks are identified and described, a strategy or tactic can be developed to deal with each one. This is easily said but much harder to do. A number of industry standards provide reusable, formal frameworks for risk assessments, such as OCTAVE, FAIR, and NIST-RMF, and they can greatly help ensure the dependability – and repeatability – of your assessment.
When you assess risk, you must also determine the value of your asset. Sometimes the value of an asset, like an internal business application, is hard to express in dollars, and it may be preferable to use qualitative rather than quantitative information to determine “value”.
Your customer-facing application may be amenable to having a dollar value on it – it makes so much per hour, or per day – but what is the value of your internal inventory system? Sometimes relative value is sufficient to find that you’ve probably deployed expensive, top-of-the-line tools and expertise to assets that don’t really need it.
You don’t have to know the dollar value of the anonymous customer polls entered into your system to know you don’t need to exert the same degree of protection over them as you do over those same customers’ names and credit card information in your ecommerce system.
So how do you go about doing a highly complex task like this? As with most complex tasks, a good approach is to break it down into steps.
1. Information Gathering: In this phase you pretty much just want to identify what you’ll take a closer look at later: assets, threats, and vulnerabilities.
a. Asset Identification. The very first step is to identify assets that are part of core business operations. Assets may be physical or digital, machine or human. Assets include employee computers, applications, operating systems, files, and much more. Later, the assets can be given a rank or category based on how critical and/or sensitive they are.
b. Threat Identification. Threats can be internal or external; they can be human or environmental; they can be accidental or deliberately malicious. Anything that can potentially harm or damage your assets is a threat, and understanding the nature of that harm is a crucial part of the process. You might be in hurricane territory, but if your facilities are built to survive such a situation, the risk doesn’t pose any real problem. The goal of threat identification is to rank threats based on their likelihood and impact.
c. Vulnerability Identification. Threats can only have an impact if there is a vulnerability. Many traditional security tactics were meant to reduce specific – and usually technical – threats. Threats that are not currently mitigated are vulnerabilities, and for this part of the process the goal is to log the vulnerabilities of your assets and classify them by severity. Protective measures already in place should be taken into account in this classification.
2. Risk Analysis: After performing the above identifications, you will have collected (1) data on the assets critical to your business, (2) the threats posed to those assets by any means, and (3) the vulnerabilities, which are unmitigated threats to assets. When you have an asset that is vulnerable to a threat, you have a risk. Risk is present when assets, threats, and existing vulnerabilities coincide. Now that you have this information, the assets can be ranked or categorized according to their level of risk.
3. Develop Security Plan: After assigning risk values to your assets, you can now develop a plan to handle those risks. Typically, handling a risk means that you are doing one of four things:
a. Risk Transfer: Is the risk reduced if you outsource the service, such as storage or software-as-a-service? Can insurance offset the risk?
b. Risk Avoidance: Is it possible to eliminate the risk entirely, possibly with a systems upgrade or new account management rules?
c. Risk Mitigation: If you can’t transfer or avoid the risk, the next step is to reduce it. Reduce exposure through security practices within the organization, drawing on people, processes, and technology as the solutions.
d. Risk Acceptance: Finally, some risk must just be accepted, usually because it isn’t worth the cost or complexity of fixing the vulnerability.
Part of creating the security plan is to think about the future, and to plan for maintenance and periodic reassessment to ensure your plan stays relevant. Implementation should be part of the plan, and often a phase-in over a period of time can be beneficial. You can plan short-term deliverables that can be accomplished in three to six months, medium-term accomplishments that can be completed within one or two years, and long-term goals that look forward five to ten years.
4. Identify the Gaps: In addition to long-term planning, another important wrap-up activity is to identify existing gaps in the security structure for high-risk assets, and determine how best to handle those risks. This defines the gap between the current business environment and the future business environment.
Information gathering and risk analysis, IT expertise, and institutional knowledge of the organization’s business goals are the inputs to the security plan. The plan is an answer to the need for security, based on an understanding of existing threats, vulnerabilities, and risks to your assets, driven by the value or sensitivity of those assets. The plan should span up to five years to accomplish all associated activities and main objectives. A plan should address at least the following:
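The steps above can be carried through as a small risk register: score each asset/threat pair by likelihood and impact, take existing controls into account, rank by residual risk, and map each entry to one of the four handling options. This is an added example, not code from the original article; the assets, scores, costs, and the scoring and treatment rules are all constructed assumptions.

```python
# Added example (not from the article): a qualitative risk register that follows
# the assessment steps above. All entries and rules are constructed assumptions.
from dataclasses import dataclass, field

SCALE = {"low": 1, "medium": 2, "high": 3}  # qualitative likelihood/impact scale


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str        # "low" / "medium" / "high"
    impact: str            # "low" / "medium" / "high"
    asset_value: int       # relative value; qualitative is enough per the article
    fix_cost: int          # relative cost of fixing the vulnerability
    controls: list = field(default_factory=list)  # measures already in place

    def inherent_score(self) -> int:
        """Risk before controls: asset, threat and vulnerability coincide."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual_score(self) -> int:
        """Assumed rule: each existing control lowers likelihood by one step."""
        reduced = max(1, SCALE[self.likelihood] - len(self.controls))
        return reduced * SCALE[self.impact]


def treatment(r: Risk) -> str:
    """Map residual risk to transfer/avoid/mitigate/accept (assumed thresholds)."""
    score = r.residual_score()
    if score <= 2:
        return "accept"        # not worth the cost or complexity of fixing
    if r.fix_cost > r.asset_value:
        return "transfer"      # outsource or insure rather than overspend
    return "avoid" if score >= 6 else "mitigate"


def rank(register: list) -> list:
    """Highest residual risk first; stable sort keeps register order on ties."""
    return sorted(register, key=lambda r: r.residual_score(), reverse=True)


# Constructed register echoing the article's own examples.
REGISTER = [
    Risk("ecommerce DB (card data)", "external attacker", "high", "high", 10, 3,
         ["WAF", "encryption at rest"]),
    Risk("internal inventory system", "insider misuse", "medium", "medium", 4, 6),
    Risk("anonymous customer polls", "accidental deletion", "medium", "low", 1, 1),
    Risk("legacy unpatched file share", "malware", "high", "high", 5, 4),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"residual {r.residual_score()} (inherent {r.inherent_score()}) "
              f"{treatment(r):8} {r.asset}")
```

Note how the card-data database, the highest inherent risk, ranks below the inventory system once its existing controls are counted, which is exactly the distinction the article draws between spending on what matters and spending by reflex.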
- Security Policy
- Network and Systems Security
- Employee/Account Security
- External User Security (customers and partners)
- Business Continuity Planning
- Physical Security of premises
- Audit and Compliance
Now that your organization has committed to a risk-based security plan, it’s important to ensure it is budgeted correctly. The budget plan gives an overview of the vulnerabilities found in the risk assessment and supports the decision to mitigate or avoid each risk. With a value-based risk assessment to work with, a fair budget can be created that covers your short-, medium-, and long-term goals. Don’t let the plan give way for lack of funds – but also, don’t spend your budget on low-value assets. With levels of protection assigned to your asset categories, you can get a fair estimate for each activity, taking into account employee hourly rates and hardware and software costs.
Organizations benefit in many ways from risk-based assessment:
- They become more aware of their own assets;
- They can introduce preventative measures, which reduce the likelihood of disaster, attack, or failure;
- There is a response plan that enables an organization to minimize the impact of a disaster, attack, or failure.
As the volume of data grows, risk-based assessment is becoming the preferred way to deal with the costs of security. According to a 2016 PWC report, the risk-based approach is becoming preferred, with 91% of respondents saying they had a “significant” or “very significant” commitment to risk-based security. Risk-based security planning is clearly the way of the future.