In a densely interconnected world dependent on information, where timely and relevant information enables faster decision-making and gives every business an advantage, cyber risk management becomes a critical discipline, especially when it is mission-oriented. To turn the cybersecurity team into a business enabler, the Chief Information Security Officer (CISO) must therefore shift their mindset from technologist to business leader.
Protecting the Mission Objective
The CISO and their organization must maximize a system’s or solution’s ability to operate in today’s challenging cyber environment by minimizing the risk to the organization’s mission objectives. Protecting those mission objectives is the path to mission-based risk management, or mission-based cybersecurity. Here are four focus areas:
- Identify – and have a process for continually identifying – the business needs.
- Identify – and have a process for continually identifying – what the business deems valuable and not what cybersecurity believes is essential.
- Focus on the top 3 threats to your business objectives. Do not attempt to protect against everything. Protecting everything is protecting nothing.
- Focus on how to move away from a technology-centric approach to a business-centric or people-centric practice.
Great Security Tools do not Guarantee Great Results
Having the latest and greatest cybersecurity tools in place is not reason enough for a company to claim it has a good cybersecurity program. A business-driven CISO will examine whether their management team understands the actual needs of the organization and its customers, and whether they have identified the organization’s critical systems supporting the mission, vision, and services provided to customers and shareholders.
The CISO and their management team must:
- Define “mission-based risk management” in terms of financial and non-financial goals, timetables, and acceptable risk levels.
- Commit the leadership to mission-based risk management as defined, and align the entire organization’s plans and activities towards this goal.
- Be watchful for forces of change that may require a strategy realignment, such as emergent technologies that may break barriers to shared understanding.
Mission-Based Risk Management and Cybersecurity Program
The goal of mission-based risk management is to analyze the organization’s mission, cyber threats to the mission, and information technology (IT) systems that support the organization’s mission to answer four fundamental questions:
- If a threat were to happen, what would be the impact on the organization’s mission objective?
- What is the level of effort for a threat actor to carry out a given threat?
- What mitigation steps are required to protect the systems that have a high mission impact and that are easy for a threat actor to attack?
- What are the mitigation-related costs?
The CISO must consider that critical infrastructure or operational technology (OT) systems are more tightly coupled to the mission they support than their IT counterparts; therefore, mitigation actions must be implemented with the mission impact in mind.
With over 186,000 known vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database and 555 attack patterns documented in the Common Attack Pattern Enumeration and Classification (CAPEC) list, how do you protect your mission-critical systems?
One effective way to address all the vulnerabilities and attack patterns is not to address them individually. Let me explain: according to Musman & Turner (2018), by applying the DIMFUI taxonomy you focus on the effects of an incident rather than on the incident or the threat itself. The logic is that, for every vulnerability identified in the CVE database, exploitation will manifest in one or more of six potential outcomes, as described in the table below.
| Attack Category | Effect on Process | Effect on Information |
| --- | --- | --- |
| Degradation | Speed of the process is slowed by some multiple. | Rate of information delivery is decreased; quality or precision of information produced by an activity is decreased. |
| Interruption | Process is unavailable for some time period and will not resume until the incident is recovered. | Information is unavailable for some time period. |
| Modification | Process characteristics have been altered in a way that can affect the output/result of the process. | Information has been altered, meaning that the processes that use it may fail or produce incorrect results. |
| Fabrication | A false mission instance has been inserted into the system, which may interfere with real mission instances. | False information has been entered into the system. |
| Interception | The process (perhaps software, perhaps embodied in hardware) has been captured by the attacker. | Information has been captured by the attacker. |
| Unauthorized Use | Raises the potential for future effects, or unexpected outcomes, on processes. | Raises the potential for future effects on information. |
Source: Musman, S., & Turner, A. (2018). A game theoretic approach to cyber security risk management. The Journal of Defense Modeling and Simulation, 15(2), 127–146. https://doi.org/10.1177/1548512917699724
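As an added illustration (not code from the article or from Musman & Turner), the following Python model ties the four questions above to the DIMFUI table: each finding is scored by mission impact and attacker effort, findings are mitigated in score order within a mitigation budget, and a system's many findings are collapsed into the few DIMFUI outcomes it is exposed to. The 1–5 scales, the greedy budget rule and the sample systems are assumptions constructed for the example.

```python
from dataclasses import dataclass

# The six DIMFUI outcome categories from the table above (Musman & Turner, 2018).
DIMFUI = {"Degradation", "Interruption", "Modification",
          "Fabrication", "Interception", "Unauthorized Use"}


@dataclass
class Finding:
    system: str
    effects: set           # DIMFUI outcome(s) the finding can produce
    mission_impact: int    # assumed scale: 1 (negligible) .. 5 (mission fails)
    attacker_effort: int   # assumed scale: 1 (trivial) .. 5 (very costly to attack)
    mitigation_cost: int   # assumed relative cost units for the fix

    def __post_init__(self):
        unknown = self.effects - DIMFUI
        if unknown:
            raise ValueError(f"not a DIMFUI effect: {sorted(unknown)}")


def risk_score(f: Finding) -> int:
    """Questions 1 and 2: high mission impact and low attacker effort rank highest."""
    return f.mission_impact * (6 - f.attacker_effort)


def prioritize(findings, budget):
    """Questions 3 and 4: mitigate in risk order until the budget is spent (greedy)."""
    chosen, spent = [], 0
    for f in sorted(findings, key=risk_score, reverse=True):
        if spent + f.mitigation_cost <= budget:
            chosen.append(f.system)
            spent += f.mitigation_cost
    return chosen


def effects_per_system(findings):
    """Collapse many findings into the DIMFUI outcomes each system is exposed to."""
    out = {}
    for f in findings:
        out.setdefault(f.system, set()).update(f.effects)
    return out


# Constructed sample findings; system names and scores are illustrative only.
FINDINGS = [
    Finding("OT-historian", {"Modification", "Fabrication"}, 5, 2, 30),
    Finding("PLC-gateway", {"Interruption"}, 5, 1, 40),
    Finding("HR-portal", {"Interception"}, 2, 1, 10),
    Finding("Intranet-wiki", {"Degradation"}, 1, 3, 5),
]

if __name__ == "__main__":
    print(prioritize(FINDINGS, budget=75))   # ['PLC-gateway', 'OT-historian', 'Intranet-wiki']
```

With a budget of 75 the greedy pass skips nothing of high risk; drop the budget to 60 and the OT historian (cost 30) falls out in favour of two cheaper, lower-risk fixes, which is exactly the trade-off question 4 asks the CISO to make explicit.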
In conclusion, by focusing on mission-critical systems and addressing the potential outcome of cyber-attacks, the CISO will effectively implement a mission-based risk management program driven to provide organizational value while being financially responsible and effective.