Dark Reading is part of the Informa Tech Division of Informa PLC

Operations

7/7/2020
10:00 AM
Dan Blum
Commentary

Applying the 80-20 Rule to Cybersecurity

How security teams can achieve 80% of the benefit for 20% of the work.

Information risk has multiple components. With too many threats to assess individually, too many vulnerabilities to patch all at once, and many choices among controls, where should security leaders start? What's the priority? As I worked on my book, Rational Cybersecurity for Business, I became fascinated with this question: How can we find a way to gain 80% of the benefits for 20% of the work? Named after Italian economist Vilfredo Pareto, the "Pareto Principle" asserts that for many events, roughly 80% of the effects come from 20% of the causes.

Can we identify a Cybersecurity Pareto Principle? We can if security teams concentrate on these six priorities:

Principle 1: Develop and Govern a Healthy Security Culture
According to Mike Gentile — president and CEO at CISOSHARE and someone who has worked as a chief information security officer for many years — as of 2020 a lot has changed in the security space, but two things remain the same:

  1. Senior executives don't prioritize cybersecurity enough for security programs to be fully effective.
  2. The reason for point No. 1 is not that executives don't care — they do, and they don't want their name in the headlines after a breach — but that they lack a clear definition of security.

Each organization's unique definition of security should be set forth in a security charter document, which prescribes a mission and mandate for the security program as well as governance structures and clarified roles or responsibilities. More specifically, the charter defines how and where the security organization reports and answers questions such as: Should the business have a CISO, and should the position report to IT or to the CEO?

Typically, a consultant's answer would be "It depends." But don't let that end the discussion: For any one business, there is one right answer. My take: Once businesses reach a certain size or level of security pressure, they should give their top security leader the CISO title. Leaders with the CISO title should have access and visibility to executive management and the board.

Organizations should also strengthen security culture through effective communications and awareness programs. Employ user awareness and training programs both to improve security behaviors and to create a network of cybersecurity advocates (or champions) in target audiences.

Principle 2: Manage Risk in the Language of Business
For business risk owners to take accountability for information risk and give the right security measures 100% backing, they need to understand risk in business terms such as time to market, monetary losses, opportunity cost, and the brand. For that, I recommend that businesses adopt the Factor Analysis of Information Risk (FAIR) model for quantitative risk analysis within the ISO 31000 Risk Management Framework. This provides a complete set of processes to manage risk in terms both security and business leaders can understand.

Why FAIR? The Open Group has standardized on FAIR as a taxonomy for risk analysis. Why a quantitative approach? Because without it, it is difficult to prioritize security activities or spending. As Jack Jones, chairman of the FAIR Institute, likes to say: "For most companies, security spend is like the advertising budget. You know you're wasting half of it; you just don't know which half."

Principle 3: Establish a Control Baseline
To mitigate risks, businesses must establish baseline controls. For each business, there exists some set of controls as basic to its defense as the locks on your house door. But what kind of locks? Who has the keys and who's checking? Do we need surveillance cameras and alarms? You get the idea; industry control frameworks like NIST 800-53 contain hundreds or thousands of controls and subcontrols.

Better to develop 20 major control categories aligned with the NIST Cybersecurity Framework, but simplified. Then, within those categories:

  • Prioritize granular controls within the categories based on risk
  • Use a shared responsibility model to specify control requirements for third parties such as cloud security providers
  • Tune or scale control deployment style to the business's logical or physical footprint and its cultural, operational, and compliance requirements.

Principle 4: Simplify and Rationalize IT and Security
What you cannot manage, you cannot secure. A control baseline cannot be consistently implemented across a chaotic IT environment. Many IT organizations have accumulated technical debt by not rationalizing excessive numbers of infrastructure platforms and enterprise applications, and adding hybrid cloud often further confuses the issue. Larger organizations even have multiple business units running parts of multiple IT stacks in silos. Security budgets go to waste building a security infrastructure that rivals the IT infrastructure in complexity.

Security leaders can play a constructive role by:

  • Understanding and contributing to IT strategy discussions
  • Taking advantage of security's cross-functional role to help improve the IT architecture and align security controls with it
  • Cross-fertilizing security staff or expertise into business or IT organizations responsible for third-party management, cloud security, and DevSecOps.

Principle 5: Control Access with Minimal Drag on the Business
Privacy regulations such as the European Union's General Data Protection Regulation have made identity and access management and data governance more critical. Every business has requirements for how information assets should be accessed, shared, or used. Usually, business managers and staff must manage access or define access control rules themselves. These rules must balance customer privacy or information confidentiality against staff productivity needs. But they must do so using security tools and processes for role management or access provisioning.

Principle 6: Institute Resilient Detection, Response and Recovery
Living under constant threats and regulatory pressure, businesses require cyber resilience: the ability to quickly detect, respond to, and recover from cyberattacks and outages. Key capabilities include incident response, security monitoring, and business continuity/disaster recovery programs. These programs must be aligned with business functions such as IT, legal, HR, facilities management, and public relations. Businesses can also benefit from upfront contingency planning.

Mastering all the cybersecurity Pareto Priorities is a long-term effort. Which one to do first, in what order, which granular controls to focus on, and how far to take the effort depend on the business type and maturity level. However, these priorities should be top of mind for most businesses. Because they are mutually reinforcing, try to pursue them in parallel. Look for the synergies and business alignment. Define your business's own rational approach to cybersecurity.

Dan Blum is an internationally recognized strategist in cybersecurity and risk management. He recently authored the book "Rational Cybersecurity for Business." Dan was a Golden Quill award winning vice president and distinguished analyst at Gartner, Inc. He has served ...