Information risk has multiple components. With too many threats to assess individually, too many vulnerabilities to patch all at once, and many choices among controls, where should security leaders start? What's the priority? As I worked on my book, Rational Cybersecurity for Business, I became fascinated with this question: How can we find a way to gain 80% of the benefits for 20% of the work? Named after Italian economist Vilfredo Pareto, the "Pareto Principle" asserts that for many events, roughly 80% of the effects come from 20% of the causes.
Can we identify a Cybersecurity Pareto Principle? We can if security teams concentrate on these six priorities:
Principle 1: Develop and Govern a Healthy Security Culture
According to Mike Gentile — president and CEO at CISOSHARE and someone who has worked as a chief information security officer for many years — a lot has changed in the security space by 2020, but two things remain the same:
- Senior executives don't prioritize cybersecurity enough for security programs to be fully effective.
- The reason for point No. 1 is not that executives don't care — they do, and they don't want their name in the headlines after a breach — but that they lack a clear definition of security.
Each organization's unique definition of security should be set forth in a security charter document, which prescribes a mission and mandate for the security program as well as governance structures and clearly defined roles and responsibilities. More specifically, the charter defines how and where the security organization reports and answers questions such as: Should the business have a CISO, and should the position report to IT or to the CEO?
Typically, a consultant's answer would be "It depends." But don't let that end the discussion: For any one business, there is one right answer. My take: Once businesses reach a certain size or level of security pressure, they should give their top security leader the CISO title. Leaders with the CISO title should have access and visibility to executive management and the board.
Organizations should also strengthen security culture through effective communications and awareness programs. Employ user awareness and training programs both to improve security behaviors and to create a network of cybersecurity advocates (or champions) in target audiences.
Principle 2: Manage Risk in the Language of Business
For business risk owners to take accountability for information risk and give the right security measures 100% backing, they need to understand risk in business terms such as time to market, monetary losses, opportunity cost, and the brand. For that, I recommend that businesses adopt the Factor Analysis of Information Risk (FAIR) model for quantitative risk analysis within the ISO 31000 Risk Management Framework. This provides a complete set of processes to manage risk in terms both security and business leaders can understand.
Why FAIR? The Open Group has standardized on FAIR as a taxonomy for risk analysis. Why a quantitative approach? Because without it, it is difficult to prioritize security activities or spending. As Jack Jones, chairman of the FAIR Institute, likes to say: "For most companies, security spend is like the advertising budget. You know you're wasting half of it; you just don't know which half."
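To make the quantitative point concrete, here is an added example (not from the article or the FAIR Institute) of the core FAIR decomposition: Loss Event Frequency = Threat Event Frequency x Vulnerability, and Annualized Loss Exposure = Loss Event Frequency x Loss Magnitude, with calibrated min / most-likely / max estimates run through a seeded Monte Carlo so two scenarios can be ranked in currency terms. The scenario names and numbers are constructed for illustration; a triangular distribution stands in for the PERT distribution FAIR tooling usually uses.

```python
"""Added FAIR-style risk estimate (illustrative, not the article's or FAIR's own code)."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular draw over the calibrated range (simple stand-in for PERT).
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # P(threat event becomes a loss event), 0..1
    loss_magnitude: Estimate  # loss per loss event, in currency units


def point_ale(s: Scenario) -> float:
    """Single-point ALE from most-likely values: TEF x Vulnerability x LM."""
    return s.tef.likely * s.vulnerability.likely * s.loss_magnitude.likely


def simulate_ale(s: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo ALE: mean and 90th-percentile annual loss over `trials` simulated years."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = s.tef.sample(rng) * s.vulnerability.sample(rng)   # loss events per year
        losses.append(lef * s.loss_magnitude.sample(rng))        # annual loss
    losses.sort()
    return {"mean": statistics.fmean(losses), "p90": losses[int(0.9 * trials) - 1]}


def rank_scenarios(scenarios, trials: int = 10_000, seed: int = 1) -> list:
    """Order scenarios by simulated mean ALE, highest first: the prioritization signal."""
    return sorted(scenarios, key=lambda s: simulate_ale(s, trials, seed)["mean"], reverse=True)


# Constructed sample scenarios; the figures are illustrative, not from any real assessment.
PHISHING = Scenario("credential phishing", Estimate(20, 50, 120), Estimate(0.02, 0.05, 0.10), Estimate(5_000, 25_000, 200_000))
RANSOMWARE = Scenario("ransomware outage", Estimate(1, 3, 8), Estimate(0.05, 0.15, 0.30), Estimate(50_000, 400_000, 3_000_000))

if __name__ == "__main__":
    for s in rank_scenarios([PHISHING, RANSOMWARE]):
        r = simulate_ale(s)
        print(f"{s.name:20s} point={point_ale(s):>12,.0f} mean={r['mean']:>12,.0f} p90={r['p90']:>12,.0f}")
```

The gap between the point estimate and the p90 figure is the information a single "high/medium/low" rating hides, and it is what lets a risk owner compare a control's cost against the loss it buys down.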
Principle 3: Establish a Control Baseline
To mitigate risks, businesses must establish baseline controls. For each business, there exists some set of controls as basic to its defense as the locks on your house door. But what kind of locks? Who has the keys and who's checking? Do we need surveillance cameras and alarms? You get the idea; industry control frameworks like NIST 800-53 contain hundreds or thousands of controls and subcontrols.
Better to develop 20 major control categories aligned with the NIST Cybersecurity Framework, but simplified. Then:
- Prioritize granular controls within the categories based on risk
- Use a shared responsibility model to specify control requirements for third parties such as cloud security providers
- Tune or scale control deployment style to the business's logical or physical footprint and its cultural, operational, and compliance requirements
Principle 4: Simplify and Rationalize IT and Security
What you cannot manage, you cannot secure. A control baseline cannot be consistently implemented across a chaotic IT environment. Many IT organizations have accumulated technical debt by not rationalizing excessive numbers of infrastructure platforms and enterprise applications, and adding hybrid cloud often further confuses the issue. Larger organizations even have multiple business units running parts of multiple IT stacks in silos. Security budgets go to waste building a security infrastructure that rivals the IT infrastructure in complexity.
Security leaders can play a constructive role by:
- Understanding and contributing to IT strategy discussions
- Taking advantage of security's cross-functional role to help improve the IT architecture and align security controls with it
- Cross-fertilizing security staff or expertise into business or IT organizations responsible for third-party management, cloud security, and DevSecOps
Principle 5: Control Access with Minimal Drag on the Business
Privacy regulations such as the European Union's General Data Protection Regulation have made identity and access management and data governance more critical. Every business has requirements for how information assets should be accessed, shared, or used. Usually, business managers and staff must manage access or define access control rules themselves. These rules must balance customer privacy or information confidentiality against staff productivity needs. But they must do so using security tools and processes for role management or access provisioning.
Principle 6: Institute Resilient Detection, Response and Recovery
Living under constant threats and regulatory pressure, businesses require cyber resilience: the ability to quickly detect, respond to, and recover from cyberattacks and outages. Key capabilities include incident response, security monitoring, and business continuity/disaster recovery programs. These programs must be aligned with business functions such as IT, legal, HR, facilities management, and public relations. Businesses can also benefit from upfront contingency planning.
Mastering all the cybersecurity Pareto Priorities is a long-term effort. Which one to do first, in what order, which granular controls to focus on, and how far to take the effort depend on the business type and maturity level. However, these priorities should be top of mind for most businesses. Because they are mutually reinforcing, try to pursue them in parallel. Look for the synergies and business alignment. Define your business's own rational approach to cybersecurity.