
Page 1: 25th June 2020 A Risk-based approach to Cybersecurity: a … · 4 About CRMG Cyber Risk Management Group (CRMG) is a leading provider of cybersecurity and information risk consultancy

Getting cyber security right. First time.

25th June 2020

A Risk-based approach to Cybersecurity: a masterclass on what to do and how to do it

Proud to be a Member:

Page 2

Copyright Cyber Risk Management Group Limited 2020

Housekeeping

• Today’s session will be 2 hours in total, with breaks throughout and time to take questions

• Please submit your questions through the Q&A panel on your Zoom console

• This session will be recorded. We will send a copy of the recording and slides to all attendees

About the masterclass

This masterclass is a deep dive session, aiming to provide clarity on what a ‘good’ cyber risk management capability looks like, and a pragmatic approach to delivering an effective risk assessment.

The session is a knowledge share based on the real-world experience of practitioners who have worked for many years in different industries and organisations, using tried and tested models and frameworks.

Page 3

Your speakers

Martin Tully, Principal Consultant, CRMG

Nick Frost, Co-Founder & Director, CRMG

Simon Lacey, Former Information Security Policy Manager at the Bank of England, CRMG

Page 4

About CRMG

Cyber Risk Management Group (CRMG) is a leading provider of cybersecurity and information risk consultancy services and training courses.

We cut through complexity by focusing solely on what matters – protecting your business sufficiently with minimum fuss and disruption. We pride ourselves on the delivery of pragmatic approaches that protect your organisation in line with your true risk profile, at a sensible price point.

• Consultancy Services
• Tools & Solutions
• Education & Training
• Partners

Page 5

This masterclass is supported by

The Chartered Institute of Information Security (CIISec) is the only pure play information security institution to have been granted Royal Charter status and is dedicated to raising the standard of professionalism in information security.

www.ciisec.org

Galvanize builds security, risk management, compliance, and audit software to drive change in some of the world’s largest organisations.

www.wegalvanize.com

Page 6

Objectives & agenda over the next two hours

Objectives

1. Set out the foundations that are needed before you start assessing risk
2. Determine what a risk assessment process MUST cover
3. Walk through a plan for establishing a risk capability and a process for evolving one
4. Recognise the future for cyber risk assessment in the context of cyber security.

Agenda

1. Setting the scene
2. Getting the basics right
3. Building on solid foundations
4. Case studies from the trenches
5. Cyber risk and the future.

Page 7

Introduction – Cyber risk webinar series

In the cyber risk webinar series with Galvanize and CRMG, we hosted 3 webinars on the topic of cyber risk management:

Total number attended: more than 500

Compliance to risk
• Essential for an effective programme
• Must be tied to business goals
• Serves to highlight rationale behind investment

Mind of the Board
• Boards are aware of their responsibility for risk management
• Cyber literacy is increasing
• Get in the mind of YOUR Board
• Tell a story to get attention

Enduring a crisis
• Prioritise risk
• Understand business critical functions
• Simplify and reduce complexity to manage risks
• Stick to basics: People, Process, Technology

Page 8

1. Setting the scene

Page 9

Pros and cons of a compliance-based approach

[Chart: compliance to meet security requirements across jurisdictions (CAN, UK, IC, FR), showing where requirements are met and not met]

Benefits of a compliance led approach:
• Easy to understand and follow
• Approach adopted across many areas (Legal, HR, Finance)
• Works well in a relatively static environment

Limitations of a compliance led approach:
• Difficult to update for dynamic environments (e.g. cyber security)
• Over-engineering of controls (excessive costs against risk)
• Under-engineering of controls (under investment and increasing exposure to attack)

Page 10

Why is a risk-based approach key to managing cyber security?

• Compliance-based approaches do not typically adequately identify the risks

• Risk identification is vital for today’s cyber security management

• Risk-based approaches are better at targeting investment

• Risk-based approaches achieve greater transparency and rationale as to why controls for managing security are needed

• Risk-based approaches enable the business to make better informed judgements about whether investment is needed or not

At the end of the day – it is all about reducing risk, and this is why it usually means we must take the harder route to defining security controls.

Page 11

Risk in a nutshell…

[Diagram: risk in a nutshell. Acknowledgement: The Cyber Security Hub]

Page 12

It’s still all about the information

Page 13

Fundamentals of a risk-based approach

• Framework for conducting risk assessments
• Training and education to equip staff with skills
• Easy to follow process
• Approved data sets (threat lists, control libraries)
• Plan for delivery and execution
• Agreement on reporting
• Stakeholders identified
• Assets identified

Page 14

2. Getting the basics right

Page 15

Cyber Risk Assessment (CRA) Approach

[Diagram: the seven steps of the CRA approach, numbered 1 to 7; each step is detailed on the slides that follow]

Page 16

Structure of the slides

Each step slide follows the same layout:

DESCRIPTION OF THE STEP

Who to involve and their role in this step:
• Role A – Contribute
• Role B – Contribute
• Role C – Listen
• Role D – Facilitate

Inputs:
• Agenda
• Data type examples
• Understanding of the system

EST. TIME

• Description of key activities
• Key points for consideration

Page 17

Cyber Risk Assessment Step 1 – CREATE THE TARGET PROFILE

Who to involve and their role:
• System owner – Contribute
• Business owner – Contribute
• IT Rep. – Listen
• Cyber risk analyst (you!) – Facilitate

Inputs to this step:
• Identify the stakeholders
• Organise the workshop and agenda
• Brief all parties on the objectives and process

Est. time: 1 HOUR

Key activities and points for consideration:
1. Goal is to define exactly what is being assessed
2. Avoid being over complex when it comes to the scope of the assessment
3. Visualise the system and environment under review
4. Understand the data types and how the data flows (e.g. inbound and/or outbound systems involved)

Page 18

Cyber Risk Assessment Step 2 – DETERMINE BUSINESS IMPACT

Who to involve and their role:
• System owner – Contribute
• Business owner – Contribute
• IT Rep. – Listen
• Cyber risk analyst (you!) – Facilitate

Inputs:
• Agenda for workshop
• Data type examples
• Understanding of the system

Est. time: 2 HOURS

Key activities and points for consideration:
1. Goal is to gain an understanding of impact
2. Present realistic scenarios based on your knowledge of the scope
3. Reach a consensus of the ‘possible’ impact for C, I and A
4. Use a reference framework to challenge and make informed

Page 19

Determine business impact (basic example)

Impact levels: Low / Moderate / High / Very High

Financial:
• Low – <£100,000
• Moderate – £100,001 - £500,000
• High – £500,001 - £1.5 million
• Very High – >£1.5 million

Reputational:
• Low – No or low media coverage
• Moderate – Moderate adverse coverage (e.g. story runs over 1-2 days)
• High – Significant adverse coverage >2 days, main focus of attention
• Very High – Adverse coverage sustained over more than 1 week

Regulatory:
• Low – No increased regulatory focus
• Moderate – Slight increase in regulatory focus / impact
• High – Significant attention from regulator / Notified single breach
• Very High – Multiple breaches / Licence withdrawn

Health / Safety:
• Low – Very minor injury / No ongoing effect
• Moderate – Non-critical injury requiring medical intervention / No prolonged effect
• High – Critical injury requiring hospitalisation / medium term effect
• Very High – Death / Long term debilitation

* Consider running this as a workshop

Once a business impact assessment has been completed: ‘Go / No Go’ to next step?

CONSIDER RISK APPETITE!

Page 20

Cyber Risk Assessment Step 3 – ASSESS CYBER THREAT

Who to involve and their role:
• Security analyst – Contribute
• System owner – Contribute
• IT Rep. – Listen
• Cyber risk analyst (you!) – Facilitate

Inputs:
• Agenda for workshop
• Understand the system under review
• Use the agreed threat list and sources of threat data

Est. time: 4 HOURS (possible one-off activity)

Key activities and points for consideration:
1. Goal is to assess the threats that are relevant to your environment
2. Knowledge of threats is imperative to assessing cyber risk
3. Organisations have to understand what is going on in the threat space
4. Agree on a standard threat list before conducting a threat assessment
5. Today we must reflect on actions of the organisation and possibly changes in geopolitics

Page 21

Assess cyber threats

HOW RELEVANT ARE DIFFERENT THREATS TO YOUR ENVIRONMENT, AND WHAT’S THEIR POTENTIAL CAPABILITY?

Examples of threats:
• Unauthorised access
• Misuse of systems by staff
• Introduction of unauthorised code
• User error
• Denial of service
• Compromise of third-party partner

Consider:
• Intent (malicious or unintended?)
• Capability
• Strength
• Likelihood
• Timescale

Remember: the initiator (agent / source / actor) is different from the action!

* Use a standard list of threats as your starting point
* Consider running this as a workshop

Page 22

Cyber Risk Assessment Step 4 – ASSESS CYBER VULNERABILITY

Who to involve and their role:
• Security analyst – Contribute
• System owner – Contribute
• IT Rep. – Listen
• Cyber risk analyst (you!) – Facilitate

Inputs:
• Agreement of the control library to be used
• Approved matrix
• Review of the ratings – do they feel right?
• Control templates

Est. time: 2 HOURS

Key activities and points for consideration:
1. Goal is to understand your capability to mitigate previously identified threats
2. Semi-automate the selection of control questions based on threats
3. Self-assessment or workshop approach
4. Template control sets or use them at the application/system level (be aware of elapsed time!)

Page 23

Assess cyber vulnerability

In assessing vulnerabilities:
• Identify the controls that are most relevant, given the prioritised threats identified at the previous stage
• Focus on identifying control weaknesses
• Consider a range of techniques (automated / interviews / evidential)
• Align with a recognised framework where possible (e.g. NIST, ISO 27002, ISF 2020 Standard of Good Practice)
• Fast track by referring back to recently completed audits / assessments

Page 24

Cyber Risk Assessment Step 5 – DETERMINE CYBER RISK

Who to involve and their role:
• Security analyst – Contribute
• IT Rep. – Contribute
• Cyber risk analyst (you!) – Facilitate

Inputs:
• Approved risk matrix
• Impact and Likelihood ratings to determine risk

Est. time: 2 HOURS

Key activities and points for consideration:
1. Goal is to determine the final risk rating using a risk matrix
2. Involves review and decision by the risk analyst and system owner
3. ‘Moderated’ versus ‘Calculated’ rating using the matrix
4. Often included with the next step (Identifying cyber risk remediation) in a single workshop

[Diagram: risk matrix, probability against impact]

Page 25

Determine cyber risk

PROBABILITY X IMPACT = RISK

In understanding probability:
• How likely is it to happen in the first place? (from Step 3)
• How likely is it to overwhelm our controls if it does happen? (from Step 4)

In understanding impact:
• What’s the potential damage to the business? (from Step 2)
• To what extent will our controls reduce damage? (from Step 4)

[Diagram: risk matrix with probability on one axis and impact on the other]
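The following is an added worked example (not CRMG's tooling or any code from the deck) that carries Steps 2 to 5 through in code: the financial bands come from the slide's basic impact table, while the probability table (threat likelihood combined with control strength), the four-level risk matrix and the rule that the consensus impact is the highest category rating are assumptions introduced here. It also models the Step 2 ‘Go / No Go’ gate against risk appetite and the ‘moderated versus calculated’ distinction, insisting that an override carries a written justification so the audit trail shows what the matrix said and why it was overruled.

```python
"""Steps 2 to 5 of the Cyber Risk Assessment, worked end to end.
Example code, not CRMG's tooling; the probability table, risk matrix and
'highest category wins' rule are assumptions, the financial bands are the
slide's own."""
from dataclasses import dataclass
from typing import Optional

LEVELS = ["Low", "Moderate", "High", "Very High"]        # impact / probability scale
RISK_RATINGS = ["Low", "Medium", "High", "Critical"]     # assumed final rating scale

# Step 2: financial bands from the slide (GBP, upper bound inclusive).
FINANCIAL_BANDS = [(100_000, "Low"), (500_000, "Moderate"), (1_500_000, "High")]


def financial_impact(loss_gbp: float) -> str:
    """Map a worst-case loss figure to the slide's financial impact band."""
    for ceiling, level in FINANCIAL_BANDS:
        if loss_gbp <= ceiling:
            return level
    return "Very High"


def overall_impact(category_ratings: dict) -> str:
    """Consensus impact across the categories: the highest rating (assumption)."""
    return max(category_ratings.values(), key=LEVELS.index)


# Steps 3 and 4: 'how likely is it to happen' (threat likelihood) combined with
# 'how likely is it to overwhelm our controls' (control strength). Assumed table.
CONTROL_STRENGTH = ["Strong", "Adequate", "Weak", "Absent"]
PROBABILITY_TABLE = {          # rows: threat likelihood; columns: CONTROL_STRENGTH
    "Low":       ["Low", "Low", "Moderate", "Moderate"],
    "Moderate":  ["Low", "Moderate", "Moderate", "High"],
    "High":      ["Moderate", "Moderate", "High", "Very High"],
    "Very High": ["Moderate", "High", "Very High", "Very High"],
}


def probability(threat_likelihood: str, control_strength: str) -> str:
    return PROBABILITY_TABLE[threat_likelihood][CONTROL_STRENGTH.index(control_strength)]


# Step 5: PROBABILITY x IMPACT = RISK as a 4x4 matrix lookup (assumed matrix).
RISK_MATRIX = {                # rows: probability; columns: impact in LEVELS order
    "Low":       ["Low", "Low", "Medium", "Medium"],
    "Moderate":  ["Low", "Medium", "Medium", "High"],
    "High":      ["Medium", "Medium", "High", "Critical"],
    "Very High": ["Medium", "High", "Critical", "Critical"],
}


def calculated_risk(prob: str, impact: str) -> str:
    return RISK_MATRIX[prob][LEVELS.index(impact)]


@dataclass
class RiskRecord:
    system: str
    threat: str
    impact: str
    probability: str
    calculated: str                   # what the matrix says
    moderated: Optional[str] = None   # analyst / system owner override, if any
    justification: str = ""

    @property
    def final(self) -> str:
        return self.moderated or self.calculated


def assess(system, threat, category_ratings, threat_likelihood, control_strength,
           appetite="Moderate", moderated=None, justification=""):
    """Run Steps 2-5. Returns None at the Step 2 'Go / No Go' gate when the
    impact sits below risk appetite, so no threat or vulnerability work is
    spent on a system that cannot hurt the business."""
    impact = overall_impact(category_ratings)
    if LEVELS.index(impact) < LEVELS.index(appetite):
        return None
    prob = probability(threat_likelihood, control_strength)
    calc = calculated_risk(prob, impact)
    if moderated is not None:
        if moderated not in RISK_RATINGS:
            raise ValueError(f"unknown rating {moderated!r}")
        if not justification:
            raise ValueError("a moderated rating must carry a written justification")
    return RiskRecord(system, threat, impact, prob, calc, moderated, justification)


if __name__ == "__main__":
    # Constructed scenario loosely following the deck's report example.
    record = assess("EMEA billing system", "Denial of service",
                    {"Financial": financial_impact(500_000), "Reputational": "High"},
                    threat_likelihood="Very High", control_strength="Weak")
    print(record)
```

Keeping `calculated` and `moderated` side by side in the record is the point of the example: a moderated rating is legitimate, but a report that only shows the final figure hides the fact that someone overruled the matrix, and the justification is what a risk review board will ask for.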

Page 26

Cyber Risk Assessment Step 6 – IDENTIFY CYBER RISK REMEDIATION

Who to involve and their role:
• Business owner – Contribute
• System owner – Contribute
• IT Rep. – Contribute
• Cyber risk analyst (you!) – Facilitate

Inputs:
• Draft agreement of the risks
• Draft report
• Draft risk ratings and recommended options to remediate risks

Est. time: 2 HOURS

Key activities and points for consideration:
1. Goal is (usually!) to identify the prioritised controls for each prioritised risk
2. Assess themes for controls for this or multiple risk assessments
3. Review the context of the business, budget and criticality of the system before finalising the remediation controls
4. Prepare the draft remediation strategy to discuss with stakeholders

Page 27

Getting your mix of remediation controls right

Think about:

• Cost

• Capability

• Complexity

• Integration

• Timescale to implement

• Maintenance

• Business obstacles (e.g. need to gain ‘buy in’)

• Efficiency opportunities across environments

• Testing and Assurance

[Diagram: LEVEL OF PROTECTION, showing the mix across DEFEND, DETECT & RESIST and DETER]

Page 28

Cyber Risk Assessment Step 7 – REPORT CYBER RISK

Who to involve and their role:
• Business owner – Contribute
• System owner – Contribute
• IT Rep. – Contribute
• Cyber risk analyst (you!) – Facilitate

Inputs:
• Agreement of the risks and risk ratings
• Draft report for review and feedback
• More than one option for remediation

Est. time: 1 HOUR

Key activities and points for consideration:
1. Goal is to report risk in a way that focuses on prioritised risk and recommended remediation, is concise and has impact
2. Common language for reporting risk is essential
3. Understand the type of audience that will receive the report
4. Illustrations of the risks for establishing a dialogue
5. Iterations of the first report will be necessary, but aim for a standard format

Page 29

Example 1: Criteria for generating actionable cyber risk reports

1. Must provide a narrative that features all the key elements from the assessment

The likelihood of a DDoS attack targeting the EMEA billing system is very high, as the controls in place are poorly implemented. If an attack occurs over 72 hours, the primary impact to the organisation would be loss of availability, which could equate to a cash flow loss for the month of between $350,000 and $500,000.

Secondary impacts would include delayed payments, disgruntled customers and an increase in competition. Recommended remediation controls to reduce the risk to within appetite are set out below in prioritised order.

Prioritised controls (columns: CAPEX cost / OPEX costs to maintain / Disruption to finance department):
• Control description – CAPEX $20,000 to $30,000; OPEX $20,000 (Equiv. 0.25 FTE)
• Control description – CAPEX $15,000 to $25,000; OPEX $10,000 (MSSP)

Page 30

Example 2: Criteria for generating actionable cyber risk reports

2. Illustrate the risks to establish a dialogue – create situational awareness

Risk A
• Risk description: Unauthorised access to sales database by disgruntled employee
• Identified impacts: Loss to competition = High; Regulatory impact = High
• Recommended controls and control owners: 2-factor authentication (N. Jones); Review of access rights (M. Schmidt); Implementation of DLP (M. Schmidt)

[Diagram: risk matrix plotting risks A and B, showing the current risk profile and the reviewed risk profile if recommendations are introduced]

Page 31

Sample reports from HighBond (Galvanize)

Page 32

Questions?

We will take a pause to cover any questions on this section of the masterclass.

Please submit questions through the Q&A panel in the Zoom console.

Page 33

3. Building on solid foundations

Page 34

A plan for enterprise-wide risk assessments

[Timeline diagram: the activities below are plotted against time]
• Business awareness
• Customisation (BIA ratings, control libraries, threat lists for different tech)
• Conduct multiple pilot assessments
• Training and education
• Risk review board
• GRC evaluation
• Project 1, Project 2, Project 3, Project 4, Project 5
• Data feeds

Page 35

Identifying key themes from the risk data

Finance dept. – key controls (risk remediated):
• 2 Factor Authen. (Unauthorised access)
• Access rights review (Internal data theft)
• Encrypt. in transit (Man in middle attacks)

Sales and marketing – key controls (risk remediated):
• Encryption at rest (Data loss)
• Access rights review (Internal data theft)
• Remote wipe (Data loss)

Manufacturing Ops. – key controls (risk remediated):
• Data backups (Loss of key systems)
• Access rights review (Internal data theft)
• 2 Factor Authen. (Unauthorised access)

Enterprise view – prioritised risks to the enterprise:
1. Data loss
2. Unauthorised access

→ Security transformation project

Page 36

Incorporating risk themes into the broader roadmap

[Diagram: risk assessments as the SOURCE OF RISK DATA feeding:]
• TARGETED AWARENESS
• SECURITY AUDIT FRAMEWORK
• PROCUREMENT AND SUPPLIER CONTRACTS
• SCENARIO PLANNING / CRISIS M’GT
• UPDATING POLICIES AND STANDARDS
• INPUT TO THE SOC

Page 37

Incorporating risk themes into the broader roadmap

[Illustration: a “Policy for cyber security” document (placeholder text, clauses 1.1 to 1.3) shown before and after each clause is annotated with a criticality rating: Critical, High or Nice to have]

Page 38

Risk triggers for assessment or re-assessment

TRIGGERS FOR CONDUCTING RISK ASSESSMENTS:
• NEW TECHNOLOGIES
• CHANGE IN MANAGEMENT
• SITUATIONAL AWARENESS
• REGULATORY REQUIREMENT
• ACCESS TO SUPPLIER / 3RD PARTY
• SIGNIFICANT BUSINESS CHANGE
• MAJOR CYBER SECURITY INCIDENT

Page 39

Questions?

We will take a pause to cover any questions on this section of the masterclass.

Please submit questions through the Q&A panel in the Zoom console.

Page 40

4. Case studies from the trenches

Page 41

Case Study 1 – Background to the organisation

Profile: Manufacturing SME based in Europe

Challenge: Implement a structured risk assessment across a large number of systems and applications.

Considerations:
• The availability of their systems and applications is very important
• Large number of applications to be risk assessed
• Building a strong brand and reputation, becoming more widely known in the industry
• Largely immature in cybersecurity and risk assessments
• Requirement to enhance risk assessment to win supplier contracts
• Part of a wider supply chain with various third parties
• Only previous risk assessments were paper (and opinion) based, but now need to implement a formal, structured risk assessment process.

NOTE: IMAGE IS ILLUSTRATIVE ONLY AND NOT INDICATIVE OF IDENTITY OR SECTOR OF CASE STUDY ORGANISATION

Page 42

Case Study 1 – Summary of the approach

Objectives:

• The cybersecurity team have been tasked to risk assess a large number of systems and applications

• Priority is to focus on the availability of the systems and applications

• Establish similarities across the applications and create categories of information types

• Understand the business processes and define the scope of the risk assessments

• Evaluate the possibility of applying ‘threat templates’ for each category

• Identify controls offering the best ‘bang per buck’ in mitigating threats that are common to multiple applications

• Present a snapshot of the results on a single page, showing separate ‘BAU’ controls from those requiring additional investment based on risk

• Identify findings that should be recorded in a risk register, with date of completion and identifying an owner to report progress for mitigation.

Page 43

Case Study 2 – Background to the organisation

Profile: Financial services SME, with headquarters in the UK

Challenge: Identifying critical controls based on the organisation’s key threats

Considerations:
• Confidentiality of information regarded as the most important attribute
• Risk assessment based on understanding the key threats and the critical security controls
• Significant compliance obligations
• Small but effective cybersecurity team that have identified their main cyber threats
• Requirement to demonstrate that these cyber threats are being managed effectively, and that this can be demonstrated to the regulators as part of a wider review of cybersecurity.

Page 44

Case Study 2 – Summary of the approach

Objectives:

• Identify the key organisational risks that are reported on a monthly basis

• These risks should come from discussions with the Red Team, Blue Team, Threat Intelligence specialists and the wider cyber team

• Map these controls to threats to identify ‘Critical’ controls (those controls that map to the greatest number of threats)

• Assess the effectiveness of those controls in terms of how well they have been implemented (obtain evidence to support this assessment)

• Highlight control gaps and those that need to be improved based on the type and number of risks that have been mapped

• Update security policies, standards and third-party agreements with no exceptions for controls that are ‘Critical’.
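The following is an added example (not CRMG's tooling or code from the deck) serving two passages: the ‘Identifying key themes from the risk data’ slide, where per-department assessment output is rolled up into an enterprise view, and Case Study 2's rule that ‘Critical’ controls are those mapping to the greatest number of threats, with control gaps highlighted. The department records are transcribed from that slide; the control-to-threat mapping is constructed here (the threat names come from the ‘Assess cyber threats’ slide). Note that the deck's own enterprise prioritisation (Data loss, then Unauthorised access) also reflects ratings not shown on the slide, so the frequency count below is one input to that discussion, not a reproduction of it.

```python
"""Roll-up of risk-assessment output into an enterprise view, plus ranking
of 'Critical' controls by threat coverage. Example code, not CRMG's tooling;
RISK_DATA is transcribed from the slide, CONTROL_THREAT_MAP is constructed."""
from collections import defaultdict

# (department, key control, risk remediated), transcribed from the slide's three tables.
RISK_DATA = [
    ("Finance", "2 Factor Authentication", "Unauthorised access"),
    ("Finance", "Access rights review", "Internal data theft"),
    ("Finance", "Encryption in transit", "Man in the middle attacks"),
    ("Sales and marketing", "Encryption at rest", "Data loss"),
    ("Sales and marketing", "Access rights review", "Internal data theft"),
    ("Sales and marketing", "Remote wipe", "Data loss"),
    ("Manufacturing Ops", "Data backups", "Loss of key systems"),
    ("Manufacturing Ops", "Access rights review", "Internal data theft"),
    ("Manufacturing Ops", "2 Factor Authentication", "Unauthorised access"),
]

# Agreed threat list, taken from the deck's 'Assess cyber threats' slide.
THREAT_LIST = [
    "Unauthorised access", "Misuse of systems by staff",
    "Introduction of unauthorised code", "User error",
    "Denial of service", "Compromise of third-party partner",
]

# Constructed mapping of candidate controls to the threats each one mitigates.
CONTROL_THREAT_MAP = {
    "2 Factor Authentication": {"Unauthorised access"},
    "Access rights review": {"Unauthorised access", "Misuse of systems by staff"},
    "Application allow-listing": {"Introduction of unauthorised code", "Misuse of systems by staff"},
    "Data backups": {"Denial of service", "User error", "Introduction of unauthorised code"},
    "Remote wipe": {"Unauthorised access"},
    "DDoS mitigation service": {"Denial of service"},
}


def risk_themes(records):
    """Risks ranked by how many departments' assessments raised them."""
    depts = defaultdict(set)
    for dept, _control, risk in records:
        depts[risk].add(dept)
    return sorted(((risk, len(d)) for risk, d in depts.items()),
                  key=lambda item: (-item[1], item[0]))


def shared_controls(records):
    """Controls recommended in more than one department: candidates for one
    security transformation project rather than several local fixes."""
    depts = defaultdict(set)
    for dept, control, _risk in records:
        depts[control].add(dept)
    return {c: sorted(d) for c, d in depts.items() if len(d) > 1}


def critical_controls(mapping, top_n=3):
    """Case Study 2's rule: 'Critical' controls map to the greatest number of
    threats. Ties break alphabetically so the output is stable."""
    ranked = sorted(mapping.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(control, len(threats)) for control, threats in ranked[:top_n]]


def uncovered_threats(threats, mapping):
    """Control gaps: threats on the agreed list that no control maps to."""
    covered = set().union(*mapping.values())
    return [t for t in threats if t not in covered]


if __name__ == "__main__":
    print("Themes:", risk_themes(RISK_DATA))
    print("Shared controls:", shared_controls(RISK_DATA))
    print("Critical controls:", critical_controls(CONTROL_THREAT_MAP))
    print("Gaps:", uncovered_threats(THREAT_LIST, CONTROL_THREAT_MAP))
```

With the constructed mapping, ‘Data backups’ ranks first on coverage and ‘Compromise of third-party partner’ is reported as a gap, which is the kind of finding the case study turns into a policy and third-party agreement update with no exceptions.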

Page 45

Questions?

We will take a pause to cover any questions on this section of the masterclass.

Please submit questions through the Q&A panel in the Zoom console.

Page 46

5. Cyber risk and the future

Page 47

30 years of risky business

• 1990 – Driven by notoriety
• 2000 – Media attention and first real signs of concern
• 2010 – Financially driven
• 2020 – Nation state attacks; Largest DDoS; Cyber risk

“To know your future you must know your past” – George Santayana

Page 48

Cyber attacks

[Figure reproduced from the WEF Global Risks Report 2019: http://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf]

Page 49

CRMG’s cyber risk predictions

[Timeline diagram: predictions plotted over 1 yr, 2 yr and 3 yr]
• Business analysts for cyber security
• Regulation and legislation explicitly covering cyber risk
• Quantitative approaches will develop fast
• Increasing integration with enterprise risk
• CIRO or CRO with deep cyber risk knowledge
• Fully developed real-time cyber risk capability
• Capital Adequacy

Page 50: 25th June 2020 A Risk-based approach to Cybersecurity: a … · 4 About CRMG Cyber Risk Management Group (CRMG) is a leading provider of cybersecurity and information risk consultancy


A model for real-time cyber risk assessment

Connect to disparate data sources → Extraction of contextual data (Objectives > Criteria > Risk > Frequency > Data Requirements) → Automated monitoring → Threat detected → Alert stakeholders

Remove the operational burden using automation, supported by human insight and flexible scheduling.

Page 51


Let’s talk Quant! – Observations from industry

• Cyber security community divided
• Increasing interest in Quant for cyber security
• Approaches needed to transition from Qualitative to Quantitative
• Good data and informed decisions are still required to get value
• Many key principles apply: Impact (monetary loss) and Frequency
• Focus Quant modelling on prioritised risks
• Avoid the Quantum physics conundrum

Page 52


What could a transition model look like?

Good data is required for modelling / simulations.

Key systems / environments to assess
• Retailer’s website
• FS settlement systems

Determine the technique to apply
• ALE (Annual Loss Expectancy)
• Monte Carlo simulations
• Bayesian networks

Assess the applicability of the data
• Compare and contrast to Qualitative
• Understand when and where to use
• Is it informing better decisions?

What to include in the scope
• Select prioritised risks from qualitative assessments
• Select an area / system that has accurate data
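As an added worked example (not from the masterclass) of the Impact and Frequency principle and the ALE versus Monte Carlo techniques above, the following Python models a retailer’s website with a Poisson event frequency and a lognormal single-loss impact, runs a Monte Carlo simulation of annual loss, and shows the closed-form ALE alongside it; every parameter value is constructed for illustration.

```python
import math
import random


def sample_poisson(rate, rng):
    """Number of loss events in one year (Knuth's method; adequate for small rates)."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def sample_single_loss(median, sigma, rng):
    """Monetary loss of one event: lognormal with the given median and log-standard-deviation."""
    return median * math.exp(sigma * rng.gauss(0.0, 1.0))


def point_estimate_ale(annual_rate, median_impact, sigma):
    """Closed-form ALE = ARO x mean single loss (lognormal mean = median * exp(sigma^2 / 2))."""
    return annual_rate * median_impact * math.exp(sigma ** 2 / 2)


def simulate_annual_loss(annual_rate, median_impact, sigma, trials=20000, seed=1):
    """Monte Carlo: for each simulated year, draw how many events occur and sum their losses."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = []
    for _ in range(trials):
        events = sample_poisson(annual_rate, rng)
        losses.append(sum(sample_single_loss(median_impact, sigma, rng) for _ in range(events)))
    losses.sort()

    def percentile(p):
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "ale": sum(losses) / trials,  # mean annual loss, directly comparable to the ALE
        "p50": percentile(0.50),      # a typical year (often zero when events are rare)
        "p95": percentile(0.95),      # a 1-in-20 bad year, which the single ALE figure hides
        "prob_any_loss": sum(1 for x in losses if x > 0) / trials,
    }


if __name__ == "__main__":
    # Constructed inputs for a retailer's website: 0.5 compromises per year, median loss
    # per compromise of 200,000 with wide uncertainty (sigma 0.8). Not real figures.
    rate, median, sigma = 0.5, 200_000, 0.8
    print(f"Point-estimate ALE: {point_estimate_ale(rate, median, sigma):,.0f}")
    for name, value in simulate_annual_loss(rate, median, sigma).items():
        print(f"{name}: {value:,.2f}")
```

The simulated mean converges on the closed-form ALE, while the p95 figure shows the bad-year exposure that a single expected-loss number cannot express.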

Page 53


20 years into one slide

• Focus on those systems and data assets that are business-critical
• Establish a practical process that incorporates the fundamentals of information risk
• Evaluate GRC products to help streamline and semi-automate the cyber risk process to minimise staff utilisation
• Present the business argument to help establish a cyber risk approach (e.g. target investment, quick wins, best practice)
• Establish a phased approach (do not attempt to boil the ocean)
• Extrapolate risk insights to other areas of the security programme (e.g. policy update, awareness and education)
• Start to investigate the Quantitative approaches, but figure out when the time is right

Page 54

Questions?

We will take a pause to cover any questions on this section of the masterclass.

Please submit questions through the Q&A panel in the Zoom console.

Page 55


Thank you for joining us today

Connect with the speakers:

Nick Frost: [email protected]
https://www.linkedin.com/in/nickfrost/

Martin Tully: [email protected]
https://www.linkedin.com/in/martin-tully-a050378/

Simon Lacey: [email protected]
https://www.linkedin.com/in/simon-oliver-lacey/

For more pragmatic guidance on cyber risk management, please contact the speakers or email [email protected]

Page 56


Thank you

Visit us at www.crmg-consult.com or follow us:

Twitter: @ConsultingCrmg
LinkedIn: cyber-risk-management-group