By Adel Zahiry, CNM Cybersecurity & Privacy Managing Director
Clay Young, CNM Senior Advisor
Cybersecurity continues to expand in its sophistication, as well as the risk posed to companies across the global economy. Adversaries are using the latest in Cyber AI technologies and techniques to thwart corporate defenses. In parallel, advances in threat intelligence and methods of risk-informed cyber governance have also evolved to enable a higher level of cyber protection. However, mid-market organizations need accessible and practical application of these emerging threat-informed tools and risk governance principles in their organizations, balanced with their limited resources and dynamic risks presented by rapid organizational growth and change.
The Tenets of Cyber Intelligence and Threat-Informed Risk Governance
With the increasing capabilities of real-time intelligence gathering technologies, the strategy of implementing risk-based, threat-informed cyber governance is being increasingly evaluated and adopted. Your intelligence gathering and threat-informed cyber governance processes should all be viewed through the lens of your organization’s crown jewels – the data so critical to the success and viability of your company, it must be protected with the highest priority.
Gathering Intelligence & Understanding Attacks
There are a number of sources which can assist an organization in gathering intelligence to identify emerging cybersecurity threats. While not an exhaustive list, we’ve listed some notable sources below which can be leveraged to begin your intelligence gathering journey.
– Cybersecurity & Infrastructure Security Agency (CISA)
– SANS Institute
– MITRE ATT&CK
– Verizon Data Breach Investigations Report (DBIR)
– Microsoft Digital Defense Report
Given the volume of available data, it’s critical to narrow the number of cyber risks on which your organization should focus. You should concentrate on those that could jeopardize your company’s crown jewels.
Developing your Cybersecurity Design
Next, your cybersecurity design will require an assessment of your options for mitigating the risks of those threats that are most significant to your company. There are various methods for mitigating risks, so how should you most effectively reduce your company’s exposure? Make some assumptions and quantify cybersecurity losses/exposures to the extent possible to make the case for prudent risk mitigation investments. This could include planned vulnerability remediation, (re)architecture considerations, and process (re)engineering, all of which reduce cyber risk commensurate with observed threat intelligence.
Implementing your Threat-Informed Cybersecurity Design
Then comes the task of implementing your threat-informed cybersecurity design; in other words, making it operational. This journey is one that requires developing a thoughtful implementation plan, which includes the identification and sequencing of important activities, ownership, timelines, and milestones. Brainstorm potential obstacles to implementing your cybersecurity design. Appropriate senior management support and engagement is critical to the implementation of your threat-informed cybersecurity strategy.
Establishing Cyber Partnerships
Leading practices in implementing threat-informed cyber governance involve a partnership between your organization and the public sector, as well as sharing threat information across the ecosystem. An effective private/public partnership is essential to keeping your cyber intelligence current, and thus to maintaining your understanding of the latest threats and primary risks to your company. Identify reputable sources of sustained intelligence, build relationships, and participate in industry consortiums to stay connected and informed.
Mid-Market Challenges Implementing Cyber Intelligence and Threat-Informed Risk Governance Processes
Mid-market organizations are filled with high talent and ambitious people who are often stretched thin, focusing on advancing a number of important initiatives all in tandem. As such, implementing cyber intelligence and threat-informed risk governance can seem like an overwhelming task to take on, especially against the backdrop of competing priorities. Some frequent challenges faced by mid-market companies that are relevant in this context include the following:
Lack of Awareness
One of the most fundamental problems mid-market organizations face is the lack of awareness of emerging cyber risks, coupled with an incomplete understanding of vulnerabilities in their current cyber landscape.
Lack of Resources/Expertise
Related to lack of awareness, sometimes mid-market companies have yet to make an investment in personnel who possess enough depth of expertise to manage their cybersecurity risks.
Beyond investments in personnel, often, mid-market organizations have significant budget constraints for tools and technologies which could otherwise enable a more secure cyber posture. With increased awareness of cyber risks, and some fundamental risk quantification, these organizations can more fully evaluate cyber investments in terms of the true risk reduction benefit (return on investment) they provide to the company.
Tips on Implementing Threat-Informed Cyber Governance in a Mid-Market Company
There’s a lot to do. Where do I start? What’s next?
You need to efficiently narrow your focus to just the most important threats, while staying current about emerging threats that are on the horizon. And, most importantly, you must accomplish this with the typical rapidly changing landscape and limited resources inherent in a mid-market company. Some ideas to consider:
- Cyber Governance – Take Stock
Do you have Executive leadership support? Are Risk Management processes defined? Is the responsibility for Cyber Governance distributed across the organization? Effective Cyber Governance is an organizational imperative which requires coordinated and communicated efforts and initiatives.
- Cyber Intelligence – Collaborate
At a minimum, start by developing a repeatable process for researching threat intelligence in a timely manner from established public sources of information (e.g., CISA, MITRE, DBIR).
Leverage your network and/or outside specialists for leading ideas, then tailor them to your organization. Your peers at other mid-market companies are struggling with this as well, so share ideas and borrow what makes sense for your organization. Brainstorm with a trusted external advisor about what they are seeing.
- Know your Risks
Cyber/IT teams should rationalize gathered threat intelligence while leading a working group composed of key business functions spanning the enterprise, in order to prioritize the most significant risks to relevant processes and technologies. These steps should be followed by the development of tactical remediation plans targeting critical risks to the organization.
- Team Up and Remediate
Resources are limited, so collaborate and share responsibility for tactical remediation. Define roles and responsibilities, establish an intelligence gathering and remediation cadence, and develop implementation workplans for successful remediation. It’s a marathon, not a sprint, and consistency is key to ensuring scalable and repeatable processes as the threat landscape evolves.
It is critical to translate the rapidly changing and voluminous intelligence data into specific and usable information to mitigate the most critical cyber risks present in your environment.
Mid-market companies have the advantage of being nimble; however, team size and technology investment constraints challenge the organization to implement effective cyber risk mitigation processes and technologies. Even with these challenges, there are a number of pragmatic actions that mid-market organizations can take to effectively implement the most critical elements of Cyber Intelligence and Threat-Informed Cyber Governance.