Experts Now Adopt a Riskbased Framework

Introduction

For many years security experts have preached that cybersecurity needs a risk based approach. According to a new survey it appears organizations are now taking active heed of that advice, with more and more adopting risk based strategies. This is driven by a number of things, including the IoT. The survey also highlighted a number of other improvements in dealing with cybersecurity, including collaboration efforts.

The 18th Global State of Information Security Survey – a worldwide survey by CIO, CSO, and PwC – has shown a fundamental shift in the way business leaders respond to today's security challenges. Recognizing the rising risks in cybersecurity, a growing number of boards and executives are taking action to improve their organization's security outlook.

Maritza Santillan, summarizing the survey for Tripwire, writes that the key take-away from the survey is that an overwhelming 91% have now adopted a risk-based cybersecurity framework. The most commonly adopted framework is the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The main benefits of the risk-based framework are that organizations find themselves able to better identify and prioritize security risks. Furthermore, nearly half of companies have been able to quickly detect and mitigate incidents when they do occur since taking on the framework.

The take-up of cloud based services – 69% of organizations are now using cloud-based cybersecurity tools – is key to understanding the huge jump in companies using risk-based approaches. The Internet of Things also needs consideration here. The huge advantages the many interconnected devices bring also quickly expand the attack surface, as millions of devices are connected together on a company's network.

With the risk-based approach helping companies deal with an expanding attack surface, threat intelligence sharing has also increased. Sixty five percent of organizations now say they collaborate to improve security and reduce cyber-risks up from 50% in 2013. Many organizations can learn from others across industries, as the challenges posed by cybersecurity issues often have more to do with size than sector. For example, a large bank might have more in common security-wise with a large pharmaceutical company than with a regional bank.

What the report highlights is that there is noteworthy progress in terms of organizations taking responsibility and becoming willing to invest in security issues. More than ever, cybersecurity is showing how it has real strategic, cross-functional, legal, and financial implications. However, there is no one-size-fits-all model for effective cybersecurity. What is needed is the right mix of technologies, processes, and people skills. Cybersecurity can potentially serve as an indispensable ongoing business enabler.

Summary

·         Organizations are increasingly taking a risk based approach to cybersecurity

·         The NIST Cybersecurity Framework is the most common framework

·         A driver of this is the IoT because it is increasing the attack surface for companies

·         Increased cybersecurity collaboration across industries is also improving security and reducing risk

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."