The National Institute of Standards and Technology (NIST) has laid out the Cybersecurity Framework as a set of guidelines that offers outcomes that organizations can use in their cybersecurity efforts. The NIST categories include identify, protect, detect, respond, and recover. 

Pondurance, a managed detection and response services provider with a 24/7 security operations center, aligns its service lines with these same five categories. That way, your organization can easily understand what the service lines can do and how Pondurance can develop a holistic program around them. Pondurance believes your cybersecurity approach should align with your organization’s objectives, outcomes, and risks, making a risk-based approach to cybersecurity the best strategy to protect against cyber threats. 

In a recent webinar, Dustin Hutchison, Chief Information Security Officer and Vice President of Services at Pondurance, discusses Pondurance’s risk-based approach to cybersecurity. A risk-based approach focuses on your organization’s specific cyber risks and considers what your organization wants to accomplish and what it needs to protect. He defines the terms and talks about the steps involved in each of the five categories. In this blog, we’ll review Dustin’s explanation of the identify category, which involves prioritizing assets and prioritizing risks. 


Prioritizing Assets

To protect against a cyberattack, your organization needs to identify each of its digital assets. After all, your organization must know what assets it has before it can safeguard those assets from a cyberattack. In particular, you must understand your IT inventory, classify your assets, and know where your critical data resides. 

  • An IT inventory involves an accounting of all internet-connected devices, endpoints, logs, networks, software applications, clouds, and more, which can be a difficult endeavor, especially for large organizations that collect and store volumes of sensitive data. As the attack surface has expanded in recent years, the number of possible vulnerabilities, or weaknesses within the system, has increased. Therefore, it’s crucial that your organization identify every device to understand precisely where any possible vulnerability may exist. 
  • Asset classification, including the confidentiality, integrity, and availability (CIA) of information, is determined by the sensitivity of the data and the potential impact the exposed data would have on your network should an attack occur. Dustin defines each of these asset classification terms and explains how Pondurance can help with the classification of your organization’s data.
  • Knowing the location of critical data is important because, ultimately, that’s what the threat actors are looking to exploit. Your organization must know where any personally identifiable information, protected health information, IP information, and other critical data reside within the system to keep it safe from a cyberattack.

Prioritizing Risks

Once your organization prioritizes the assets, you’ll want to prioritize the risks. No company can eliminate all risk, but you can focus on where you can reduce it. Ask yourself what risks your organization is willing to take, which risks pose the greatest threat to your organization, and which risks require the most protection.

To define risk, Dustin uses the equation “risk = likelihood x impact,” meaning that the risk changes depending on how likely an attack is and how impactful it would be if it occurs. Risk can be measured by the impact to safety, revenue, reputation, regulatory compliance, and other factors. However, not all risk is created equal. Dustin uses a hospital example to show how the risk level varies across scenarios and is heightened when the potential impact to patients is greater.

When prioritizing risks, performing a risk assessment is the best way to proactively find vulnerabilities and weaknesses before the threat actors do. Pondurance uses risk assessments, along with cyber risk management tools such as MyCyberScorecard, to accurately measure and prioritize risks. A risk assessment analyzes your entire network to determine where your organization is vulnerable to an attack. Dustin stresses that an organization can never do one single risk assessment and be done because, unfortunately, the cyber landscape constantly evolves and changes. There are always new risks.

After you’ve considered the priority of all cyber risks, Pondurance can continue working with your organization to rank the risks in order of importance, addressing the immediate problems first and following with ongoing solutions. This ranking provides a guideline for how to move forward and make informed decisions about where to allocate resources for maximum effect.
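To make the two steps above concrete, here is a small risk register that applies the “risk = likelihood x impact” equation to classified assets and ranks the results. This is an added example written for this post; it is not Pondurance’s code or MyCyberScorecard. The five-step rating scale, the rule that the worst CIA rating sets an asset’s class, the rule that the worst-hit impact dimension sets overall impact, the RISK_APPETITE threshold, and the hospital-style sample data are all assumptions constructed for the example; the post states none of them.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordinal scale shared by likelihood and every impact dimension.
# Assumption for this example: a five-step scale; the post states no scale.
SCALE = {"low": 1, "moderate": 2, "high": 3, "very high": 4, "critical": 5}

# Assumption: risks scoring at or below this value are ones the organization
# is willing to take; everything above it needs treatment.
RISK_APPETITE = 4


@dataclass
class Asset:
    """An inventoried asset with its CIA ratings and where its data lives."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    location: str

    def classification(self) -> int:
        # High-water mark: the most sensitive CIA rating sets the asset class.
        return max(SCALE[self.confidentiality], SCALE[self.integrity], SCALE[self.availability])


@dataclass
class Risk:
    """One risk-register entry, scored as likelihood x impact."""
    description: str
    asset: Asset
    likelihood: str
    impacts: Dict[str, str]  # rating per dimension: safety, revenue, reputation, compliance

    def impact(self) -> int:
        # The worst affected dimension drives the overall impact rating.
        return max(SCALE[v] for v in self.impacts.values())

    def score(self) -> int:
        return SCALE[self.likelihood] * self.impact()

    def accepted(self) -> bool:
        return self.score() <= RISK_APPETITE


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Order by score; ties are broken by safety impact, then by asset class."""
    return sorted(
        risks,
        key=lambda r: (r.score(), SCALE[r.impacts.get("safety", "low")], r.asset.classification()),
        reverse=True,
    )


def build_register() -> List[Risk]:
    """Constructed hospital-style sample data (not taken from the post)."""
    ehr = Asset("EHR database", "critical", "critical", "high", "on-prem datacenter")
    monitors = Asset("Patient monitoring network", "moderate", "high", "critical", "clinical VLAN")
    website = Asset("Public website", "low", "low", "moderate", "hosted CMS")
    guest_wifi = Asset("Guest Wi-Fi portal", "low", "low", "low", "DMZ")
    return [
        Risk("Ransomware encrypts EHR", ehr, "high",
             {"safety": "critical", "revenue": "high", "reputation": "high", "compliance": "very high"}),
        Risk("Unpatched monitor gateway loses telemetry", monitors, "moderate",
             {"safety": "critical", "revenue": "low", "reputation": "moderate", "compliance": "moderate"}),
        Risk("PHI exposed by misconfigured storage", ehr, "moderate",
             {"safety": "low", "revenue": "moderate", "reputation": "high", "compliance": "critical"}),
        Risk("Website defacement", website, "high",
             {"safety": "low", "revenue": "low", "reputation": "moderate", "compliance": "low"}),
        Risk("Stale guest portal accounts", guest_wifi, "moderate",
             {"safety": "low", "revenue": "low", "reputation": "low", "compliance": "low"}),
    ]


def prioritized(register: List[Risk]) -> List[Tuple[str, int, bool]]:
    """Return (description, score, accepted) rows in priority order."""
    return [(r.description, r.score(), r.accepted()) for r in rank_risks(register)]


if __name__ == "__main__":
    for desc, score, ok in prioritized(build_register()):
        print(f"{score:2d}  {'accept' if ok else 'treat '}  {desc}")
```

Two risks in the sample tie at a score of 10; the tie-breaker on the safety dimension puts the patient-monitoring risk ahead of the PHI exposure, which is the “heightened when patients are affected” point from the hospital example. The accepted flag is what answers “what risks is the organization willing to take”: only the lowest-scoring entry falls inside the assumed appetite, and everything else goes on the treatment list in ranked order.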

Conclusion

A risk-based approach aligns an organization’s cybersecurity efforts with its objectives, outcomes, and risks to offer the best strategy available to protect against cyber threats. Identifying assets and risks and prioritizing them are the first steps of the strategy. Watch the webinar to learn more about the five categories involved in Pondurance’s risk-based approach to cybersecurity.