
Operations | Commentary
7/7/2020 10:00 AM
Dan Blum

Applying the 80-20 Rule to Cybersecurity

How security teams can achieve 80% of the benefit for 20% of the work.
Information risk has multiple components. With too many threats to assess individually, too many vulnerabilities to patch all at once, and many choices among controls, where should security leaders start? What's the priority? As I worked on my book, Rational Cybersecurity for Business, I became fascinated with this question: How can we find a way to gain 80% of the benefits for 20% of the work? Named after Italian economist Vilfredo Pareto, the "Pareto Principle" asserts that for many events, roughly 80% of the effects come from 20% of the causes.

Can we identify a Cybersecurity Pareto Principle? We can if security teams concentrate on these six priorities:

Principle 1: Develop and Govern a Healthy Security Culture
According to Mike Gentile — president and CEO at CISOSHARE and someone who has worked as a chief information security officer for many years — a lot has changed in the security space by 2020, but two things remain the same:

  1. Senior executives don't prioritize cybersecurity enough for security programs to be fully effective.
  2. The reason for point No. 1 is not that executives don't care — they do, and they don't want their name in the headlines after a breach — but that they lack a clear definition of security.

Each organization's unique definition of security should be set forth in a security charter document, which prescribes a mission and mandate for the security program as well as governance structures and clarified roles or responsibilities. More specifically, the charter defines how and where the security organization reports and answers questions such as: Should the business have a CISO, and should the position report to IT or to the CEO?

Typically, a consultant's answer would be "It depends." But don't let that end the discussion: For any one business, there is one right answer. My take: Once businesses reach a certain size or level of security pressure, they should give their top security leader the CISO title. Leaders with the CISO title should have access and visibility to executive management and the board.

Organizations should also strengthen security culture through effective communications and awareness programs. Employ user awareness and training programs both to improve security behaviors and to create a network of cybersecurity advocates (or champions) in target audiences.

Principle 2: Manage Risk in the Language of Business
For business risk owners to take accountability for information risk and give the right security measures 100% backing, they need to understand risk in business terms such as time to market, monetary losses, opportunity cost, and the brand. For that, I recommend that businesses adopt the Factor Analysis of Information Risk (FAIR) model for quantitative risk analysis within the ISO 31000 Risk Management Framework. This provides a complete set of processes to manage risk in terms both security and business leaders can understand.

Why FAIR? The Open Group has standardized on FAIR as a taxonomy for risk analysis. Why a quantitative approach? Because without it, it is difficult to prioritize security activities or spending. As Jack Jones, chairman of the FAIR Institute, likes to say: "For most companies, security spend is like the advertising budget. You know you're wasting half of it; you just don't know which half."
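To make the "quantitative" point concrete, here is an added example (not code from the article, the book, or the FAIR Institute) that estimates annualized loss the FAIR way, as loss event frequency times loss magnitude, runs a Monte Carlo over calibrated ranges, ranks scenarios by expected loss, and prices a control against the loss it avoids. The two scenarios and all dollar and frequency figures are constructed for illustration; the Poisson helper and the triangular distributions are modelling choices of this example, not part of the FAIR standard.

```python
import math
import random
from dataclasses import dataclass
@dataclass(frozen=True)
class Scenario:
    """A loss scenario in FAIR terms, with (min, most likely, max) estimates."""
    name: str
    lef: tuple  # loss event frequency, events per year
    lm: tuple   # loss magnitude per event, USD

def _poisson(rng, lam):
    # Knuth's method; fine for the small event rates used here.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def analytic_ale(s):
    """Point estimate of annualized loss: E[LEF] * E[LM] (triangular means)."""
    return (sum(s.lef) / 3) * (sum(s.lm) / 3)

def simulate(s, years=10_000, seed=7):
    """Monte Carlo: each simulated year draws an event rate, a Poisson event
    count, and one loss per event; returns mean and 90th-percentile annual loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = rng.triangular(s.lef[0], s.lef[2], s.lef[1])  # args: low, high, mode
        events = _poisson(rng, rate)
        losses.append(sum(rng.triangular(s.lm[0], s.lm[2], s.lm[1]) for _ in range(events)))
    losses.sort()
    return {"mean": sum(losses) / years, "p90": losses[int(0.9 * years)]}

def prioritize(scenarios):
    """Rank scenarios by simulated mean annual loss, largest first."""
    ranked = [(s.name, simulate(s)) for s in scenarios]
    return sorted(ranked, key=lambda t: t[1]["mean"], reverse=True)

def control_value(s, lef_reduction, annual_cost):
    """Loss avoided per year minus the control's cost; positive means the spend
    pays for itself. lef_reduction=0.6 means 60% fewer loss events."""
    treated = Scenario(s.name, tuple(x * (1 - lef_reduction) for x in s.lef), s.lm)
    return simulate(s)["mean"] - simulate(treated)["mean"] - annual_cost

# Constructed scenarios with hypothetical estimates, not figures from any real program.
RANSOMWARE = Scenario("Ransomware on file servers", (0.1, 0.5, 2.0), (200_000, 800_000, 3_000_000))
LAPTOP_THEFT = Scenario("Unencrypted laptop theft", (1.0, 4.0, 10.0), (5_000, 20_000, 80_000))
```

`prioritize([LAPTOP_THEFT, RANSOMWARE])` ranks the rare-but-expensive ransomware scenario above the frequent laptop thefts, and `control_value(RANSOMWARE, 0.6, 150_000)` expresses a proposed control in the same currency as the budget it competes for.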

Principle 3: Establish a Control Baseline
To mitigate risks, businesses must establish baseline controls. For each business, there exists some set of controls as basic to its defense as the locks on your house door. But what kind of locks? Who has the keys and who's checking? Do we need surveillance cameras and alarms? You get the idea; industry control frameworks like NIST 800-53 contain hundreds or thousands of controls and subcontrols.

Better to develop 20 major control categories aligned with the NIST Cybersecurity Framework, but simplified. For example:

  • Prioritize granular controls within the categories based on risk
  • Use a shared responsibility model to specify control requirements for third parties such as cloud security providers
  • Tune or scale control deployment style to the business' logical or physical footprint and its cultural, operational, and compliance requirements.

Principle 4: Simplify and Rationalize IT and Security
What you cannot manage, you cannot secure. A control baseline cannot be consistently implemented across a chaotic IT environment. Many IT organizations have accumulated technical debt by not rationalizing excessive numbers of infrastructure platforms and enterprise applications, and adding hybrid cloud often further confuses the issue. Larger organizations even have multiple business units running parts of multiple IT stacks in silos. Security budgets go to waste building a security infrastructure that rivals the IT infrastructure in complexity.

Security leaders can play a constructive role by:

  • Understanding and contributing to IT strategy discussions
  • Taking advantage of security's cross-functional role to help improve the IT architecture and align security controls with it
  • Cross-fertilizing security staff or expertise into business or IT organizations responsible for third-party management, cloud security, and DevSecOps.

Principle 5: Control Access with Minimal Drag on the Business
Privacy regulations such as the European Union's General Data Protection Regulation have made identity and access management and data governance more critical. Every business has requirements for how information assets should be accessed, shared, or used. Usually, business managers and staff must manage access or define access control rules themselves. These rules must balance customer privacy or information confidentiality against staff productivity needs. But they must do so using security tools and processes for role management or access provisioning.

Principle 6: Institute Resilient Detection, Response and Recovery
Living under constant threats and regulatory pressure, businesses require cyber resilience: the ability to quickly detect, respond to, and recover from cyberattacks and outages. Key capabilities include incident response, security monitoring, and business continuity/disaster recovery programs. These programs must be aligned with business functions such as IT, legal, HR, facilities management, and public relations. Businesses can also benefit from upfront contingency planning.

Mastering all the cybersecurity Pareto Priorities is a long-term effort. Which one to do first, in what order, which granular controls to focus on, and how far to take the effort depend on the business type and maturity level. However, these priorities should be top of mind for most businesses. Because they are mutually reinforcing, try to pursue them in parallel. Look for the synergies and business alignment. Define your business's own rational approach to cybersecurity.

Dan Blum is an internationally recognized strategist in cybersecurity and risk management. Dan was a Golden Quill award winning vice president and distinguished analyst at Gartner, Inc. He has served as the security leader for several startups and consulting companies and has ...