As the nation grinds through the COVID-19 pandemic, we are collectively experiencing a significant business continuity and disaster recovery situation, and it is happening in real-time. Our organizations are being tested on all levels from resiliency to the efficacy of our workforce – including organizational infrastructure as well as human and business systems. The ability for core systems to operate “business as usual” successfully is supported by our understanding of risk, specifically cybersecurity risk in a holistic and integrated fashion.
Traditional risk management leaves blind spots and gives little insight to the resiliency of your core business functions.
Managing an effective cyber risk program is always an uphill battle. Often risk processes designed to maintain and mature a program cannot keep up with the pace at which threats evolve. When one thinks of risk as it applies to organizations & business systems, there have been multitudes of layers in terms of documentation from the assessment function, execution from vulnerability management and security operations, and testing from external adversarial emulations and red teaming. These functions are usually siloed, operate on very different timeframes and rarely are ever in sync. It is more difficult to coordinate and track these functions in these challenging times with a distributed remote workforce, non-standard devices, and with rapid acceleration into the cloud. Because of this siloed nature, the detection of threats and the subsequent risk response applied to business systems have been traditionally slow. In order to disseminate, prioritize, and test risk in critical systems in a meaningful way, one needs to be able to process risk data including threats, vulnerabilities, and compensating controls quickly, and consistently. This takes analysis from multiple factors, quantifying it consistently, and comparing the overall risk.
The nation is collectively shifting again. This time towards phase 2 of releasing stringent quarantining. The rapid shift conceptually in ideas of what “business as usual”, work and the workplace means has changed and will likely be different for quite some time. The accelerated pace of how business is conducted and the resiliency of organization adaptation to these operational movements have fundamentally change business operations. To respond to these changes, there should be a call for an update to how risk management and responses to threats are conducted. Opportunistically, this is the time to tightly integrate and give transparency to the disparate functions, processes, and teams that the pandemic exposed.
The landscape of business operations has change drastically. A rapid and iterative response in risk management is needed to keep up.
Consider an approach towards an integrative view of risk management. The benefits are shorter input, analysis, and feedback cycles. Ideally, weekly activities of a vulnerability management team’s findings on vulnerabilities and threats on a core business system would constantly and consistently encompass the controls and mitigations from an annual security assessment. The direct attachment of these mitigations, policies and procedures to all entities that comprise a business system gives transparency and quantifies real risk. Continual testing of these individual systems by targeted automated attacks gives constant feedback much like a unit test is used in development. A larger-scale adversarial emulation would test the system as it relates to the organization akin to a regression test in development. These shorter cycles will unify an organization’s understanding of risk, resiliency, and the true cost of a critical system. Additionally, it gives the cyber security function a way to test detection and response to measure the efficacy of their programs. This gives each function a complete program view with opportunities to adjust rapidly.
“Nothing in life is to be feared, it is only to be understood. Now is the time to understand more, so that we may fear less.” — Marie Curie
While your organization is continually assessing its risk in this unprecedented time, there may be opportunities to employ intelligent operation concepts in your cyber security team.
We, at Covail, have learned our capacity for resiliency during this pandemic, it’s time to capitalize on our learning and move towards integrated risk management to improve transparency and efficiency of evaluation, detection and response. Interested in learning more about integrated risk management? We can help. Contact us today to learn more.