IT CORPORATE SECURITY

Cyber security: Linchpin of the digital enterprise

Two consistent and related themes in enterprise technology have emerged in recent years, both involving rapid and dramatic change. One is the rise of the digital enterprise across sectors and internationally. The second is the need for IT to react quickly and develop innovations aggressively to meet the enterprise’s digital aspirations. The results of research on the progress of enterprise digitization within companies, encompassing sectors, assets, and operations. As IT organizations seek to digitize, however, many face significant cyber security challenges. At company after company, fundamental tensions arise between the business’s need to digitize and the cyber security team’s responsibility to protect the organization, its employees, and its customers within existing cyber operating models and practices. If cyber security teams are to avoid becoming barriers to digitization and instead become its enablers, they must transform their capabilities along three dimensions. They must improve risk management, applying quantitative risk analytics. They must build cyber security directly into businesses’ value chains. And they must support the next generation of enterprise technology platforms, which include innovations like agile development, robotics, and cloud-based operating models.

Cyber security’s role in digitization

Every aspect of the digital enterprise has important cyber security implications. Here are just a few examples. As companies seek to create more digital customer experiences, they need to determine to align their teams that manage fraud prevention, security, and product development so they can design controls, such as authentication, and create experiences that are both convenient and secure. As companies adopt massive data analytics, they must determine how to identify risks created by data sets that integrate many types of incredibly sensitive customer information.

They must also incorporate security controls into analytics solutions that may not use a formal software-development methodology. As companies apply robotic process automation (RPA), they must manage bot credentials effectively and make sure that “boundary cases” – cases with unexpected or unusual factors, or inputs that are outside normal limits – do not introduce security risks.

Likewise, as companies build application programming interfaces (APIs) for external customers, they must determine how to identify vulnerabilities created by interactions between many APIs and services, and they must build and enforce standards for appropriate developer access.1 They must continue to maintain rigor in application security as they transition from waterfall to agile application development.

Challenges with existing cyber security models

At most companies, chief information officers (CIOs), chief information-security officers (CISOs), and their teams have sought to establish cyber security as an enterprise-grade service. What does that mean? They have consolidated cyber security-related activities into one or a few organizations. They have tried to identify risks and compare them to enterprise-wide risk appetites to understand gaps and make better decisions about closing them. They have created enterprise-wide policies and supported them with standards. They have established governance as a counterweight to the tendency of development teams to prioritize time to market and cost over risk and security. They have built security service offerings that require development teams to create a ticket requesting service from a central group before they can get a vulnerability scan or a penetration test.

Across sectors, companies are digitizing, with profound implications for cyber security functions.

Digitization levels

  Asset Usage Labor
Sector   Overall digitization   Digital spend   Digitalasset stock   Transactions   Interactions   Business processes   Market making   Digital spend on workers   Digital capital   Digitization of work
                                         
Media                                        
                                         
Professional services                                        
                                         
Finance and insurance                                        
                                         
Wholesale trade                                        
                                         
Personal and local services                                        
                                         
Government                                        
                                         
Transportation and warehousing                                        
                                         
Healthcare                                        
                                         
Entertainment and recreation                                        

All these actions have proven absolutely necessary to the security of an organization. Without them, cybersecurity breaches occur more frequently – and often, with more severe consequences. The needed actions, however, exist in tension with the emerging digital-enterprise model – the outcome of an end-to-end digital transformation – from the customer interface through the back-office processes. As companies seek to use public cloud services, they often find that security is the “long pole in the tent” – the most intractable part of the problem of standing applications on public cloud infrastructure.

At one financial institution, development teams were frustrated with the long period needed by the security team to validate and approve incremental items in their cloud service provider’s catalog for production usage. Developers at other companies have puzzled over the fact that they can spin up a server in minutes but must wait weeks their application to production. IT organizations everywhere are finding that existing security models do not run at “cloud speed” and do not provide enough specialized support to developers on issues like analytics, RPA, and APIs .

The misalignment between development and cybersecurity teams leads to missed business opportunities, as new capabilities are delayed in reaching the market. In some cases, the pressure to close the gap has caused increased vulnerability, as development teams bend rules to work around security policies and standards.

Cybersecurity for the digital enterprise

In response to aggressive digitization, some of the world’s most sophisticated cybersecurity functions are starting to transform their capabilities along the three dimensions we described: using quantitative risk analytics for decision making, building cybersecurity into the business value chain, and enabling the new technology operating platforms that combine many innovations. These innovations include agile approaches, robotics, cloud, and DevOps (the combination of software development and IT operations to shorten development times and deliver new features, fixes, and updates aligned with the business).

Activities

Architecture and design

– Analyze resource availability from cloud service provider
– Analyze capacity requirements
– Develop initial solution design
– Design interfaces

Implementation

– Instantiate development and testing environments
– Begin solution implementation

Code review

– Review code
– Conduct automated code scanning
– Accept code into code base

Testing

– Develop test cases
– Do continuous testing
– Fix bugs and errors;
make changes
– Do regression testing

Deployment

– Instantiate cloud infrastructure
– Establish cloud services
– Deploy production application
– Do final testing

Using quantitative risk analytics for decision making

At the core of cybersecurity are decisions about which information risks to accept and how to mitigate them. Traditionally, CISOs and their business partners have made cyberriskmanagement decisions using a combination of experience, intuition, judgment, and qualitative analysis. In today’s digital enterprises, however, the number of assets and processes to protect, and the decreasing practicality and efficacy of onesize- fits-all protections, have dramatically reduced the applicability of traditional decision-making processes and heuristics.

In response, companies are starting to strengthen their business and technology environments with quantitative risk analytics so they can make better, fact-based decisions. This has many aspects.

Priority requirements have changed for acquiring Internet of Things products: Cyber security has moved to the top.

Top 5 priorities when buying IoT products,¹

number of survey responses

IoT = Internet of Things. Besides basic functionality. Source: FORFIRM 2019 IoT Pulse Survey of more than 1,400 IoT practitioners (from middle managers to C-suite) who are executing IoT at scale (beyond pilots). Composition was 61% from US, 20% from China, and 19% from Germany, with organizations of $50 million to more than $10 billion in revenue. This question on IoT-product purchases received 1,161 responses.

It includes sophisticated employee and contractor segmentation as well as behavioral analysis to identify signs of possible insider threats, such as suspicious patterns of email activity. It also includes risk-based authentication that considers metadata

– such as user location and recent access activity

– to determine whether to grant access to critical systems. Ultimately, companies will start to use management dashboards that tie together business assets, threat intelligence, vulnerabilities, and potential mitigation to help senior executives make the best cybersecurity investments. They will be able to focus those investments on areas of the business that will yield the most protection with the least disruption and cost.

Building cybersecurity into the business value chain

No institution is an island when it comes to cybersecurity. Every company of any complexity exchanges sensitive data and interconnects networks with customers, suppliers, and other business partners. As a result, cybersecurityrelated questions of trust and the burden of mitigating protections have become central to value chains in many sectors. For example, CISOs for pharmacy benefit managers and health insurers are having to spend significant time figuring out how to protect their customers’ data and then explaining it to those customers. Likewise, cybersecurity is absolutely critical to how companies make decisions about procuring group health or business insurance, prime brokerage, and many other services. It is the single most important factor companies consider when purchasing Internet of Things (IoT) products .

Leading companies are starting to build cybersecurity into their customer relationships, production processes, and supplier interactions. Some of their tactics include the following:

— Use design thinking to build secure and convenient online customer experiences. For example, one bank allowed customers to customize their security controls, choosing simpler passwords if they agreed to two-factor authorization.

— Educate customers about how to interact in a safe and secure way. One bank has a senior executive whose job it is to travel the world and teach high-net-worth customers and family offices how to prevent their accounts from being compromised.

— Analyze security surveys to understand what enterprise customers expect and create knowledge bases so that sales teams can respond to customer security inquiries during negotiations with minimum friction. For instance, one software-as-a-service (SaaS) provider found that its customers insisted on having particularly strong data-loss- prevention (DLP) provisions.

— Treat cybersecurity as a core feature of product design. For instance, a hospital network would have to integrate a new operating-room device into its broader security environment.

— Take a seamless view across traditional information security and operational technology security to eliminate vulnerabilities. One autoparts supplier found that the system holding the master version of some of its firmware could serve as an attack vector to the fuel-injection systems it manufactured. With that knowledge, it was able to put additional protections in place. Pharma companies have found that an end-toend view of information protection across their supply chains was needed to address certain key vulnerabilities.

— Use threat intelligence to interrogate supplier technology networks externally and assess risk of compromise.

Done in concert, these actions yield benefits. They enhance customer trust, accelerating their adoption of digital channels. They reduce the risk of customers or employees trying to circumvent security controls. They reduce friction and delays as suppliers and customers negotiate liability and responsibility for information risks. They build security intrinsically into customer-facing and operational processes, reducing the “deadweight loss” associated with security protections.

How to embed security into a product-development process.

From treating security and privacy as afterthoughts …   … to incorporating them by designing and building an agile security-and-privacy model
Developers are unclear when security and privacy requirements are mandatory Product owners don’t consider security and privacy tasks during sprint planning Requirements Prioritize security and privacy tasks according to product risk level Make product owners aware of need to prioritize security and privacy tasks and be accountable for their inclusion in releases
    Design    
Unclear how to handle distribution of tasks within development team Chief information-security and privacy ocers (CISPOs) have limited capacity to support development teams Development Security and privacy champions (tech leads) assist teams in distributing tasks Add capacity through CISPOs, who clarify security and privacy requirements with champions and product owners
No uni…ed real-time standardized monitoring of state of security and privacy tasks Testing Product-assessment dashboards give developers real-time views of security and privacy within products
Security and privacy needs are often dealt with before deployment, causing launch delays Teams unclear how often to engage CISPOs Deployment Launch delays eliminated as security and privacy tasks are executed across life cycles Simplified predeployment activities with CISPOs only for releases meeting risk criteria
Unclear accountability for security and privacy in product teams Lack of integration in security and privacy tool sets introduces complexity Throughout process Define and communicate roles and responsibilities during agile ceremonies Integrate and automate security- and privacy-related testing and tracking tools

cloud

Dynamic, cloud-based network optimization

left left left down--v1 down--v1 down--v1 down--v1 right right
 down--v1 left left left  down--v1 right  right right down--v1
 down--v1  down--v1     down--v1      down--v1 down--v1
 down--v1  down--v1      down--v1      down--v1  down--v1

exterior

Suppliers

country-house

Bulk manufacturing

country-house

Finishing and packaging

dog-house

Smart-warehouse distribution center

conference-call--v1

Customers

 
Advanced business capability   Resulting cyberrisks

Suppliers

  • Predictive supplier risk protection
  • Risk of exposed vendor details and trade secrets

Bulk manufacturing

  • Yield optimization through advanced analytics and digitized operations
  • Hacking of legacy equipment
  • Unauthorized changes in safety or compliance regulations
  • Loss of intellectual property and competitive advantage

 

Finishing and packaging

  • Fully integrated and automated production
  • Attack on process, leading to shutdowns or errors
  • Transition from closed to open systems prompts new security risks

Customers

  • No-touch order management
  • Leak of customer data, leading to loss of customer trust and competitive data

 

Overarching technologies

  • Machine-learning forecasting and integrated production planning
  • Inaccurate business decisions and bad-actor access
  • Real-time monitoring
  • Unauthorized monitoring of processes and leakage of business decisions

Enabling an agile, cloud-based operating platform enhanced by DevOps

Many companies seem to be trying to change everything about IT operations. They are replacing traditional software-development processes with agile methodologies. They are repatriating engineering talent from vendors and giving developers self-service access to infrastructure.

Some are getting rid of their data centers altogether as they leverage cloud services. All of this is being done to make technology fast and scalable enough to support an enterprise’s digital aspirations. In turn, putting a modern technology model in place requires a far more flexible, responsive, and agile cybersecurity operating model. Key tenets of this model include the following:

— Move from ticket-based interfaces to APIs for security services. This requires automating every possible interaction and integrating cybersecurity into the software-development tool chain. That will allow development teams to perform vulnerability scans, adjust DLP rules, set up application security, and connect to identify and gain access to management services via APIs.

— Organize security teams into agile scrum or scrumban teams that manage developer- recognizable services, such as identity and access management (IAM) or DLP. Also, recruiting development-team leaders to serve as product owners for security services can help, just as business managers are product owners for customer journeys and customeroriented services.

— Tightly integrate security into enterprise end- user services, so that employees and contractors can easily obtain productivity and collaboration tools via an intuitive, Amazon-like portal.

— Build a cloud-native security model that ensures developers can access cloud services instantly and seamlessly within certain guardrails.

— Collaborate with infrastructure and architecture teams to build required security services into standardized solutions for massive analytics and RPA.

— Shift the talent model to incorporate those with “e-shaped” skills – cybersecurity professionals with several areas of deep knowledge, such as in integrative problem solving, automation, and development – as well as security technologies.

Automation, orchestration technology, and application programming interfaces can eliminate manual security processes and interactions.

Automation opportunities in a notionally secure DevOps model

App application programming interfaces (APIs)

App application programming interfaces (APIs)

App application programming interfaces (APIs)

Architecture and design

API-configurable application-level controls designed into new applications

Implementation

APIs for configuration and debugging (eg, test instrumentation) added during implementation phase

Code review

Automated code-review systems modified to search for application specific threat scenarios

Testing

Automated and configurable security test cases added to nightly testing regime

Deployment

Fully configured, production-ready application possible via API calls alone

Process APIs

New application-level API options added to deployment configuration process

Configurable security tests added to nightly testing regime

Configurable automated code reviews added to precommit/ preacceptance process for newly written code

Nightly testing results collected and curated for individual developers/ teams via configurable test-management system

Predeployment security-review process replaced by automated tests and configuration checks

Infrastructure APIs

API for deployment and instantiation processes rearchitected to accommodate new applications

Configuration options for instantiation of automated, project specific development environment made available

Automated code scanning implemented for deployed web applications to maintain quality and code integrity

Cloud environments regularly tested for security via automated vulnerability assessment and identification tools

Security tools and configuration options applied via API to new environments at deployment time

How a large biopharma company built cybersecurity capabilities to enable a digital enterprise

A large biopharma company had recently concluded a major investment program to enhance its foundational cybersecurity capabilities, dramatically reducing its risk profile. However, the business strategy began to evolve in new ways, with expanding online consumer relationships, digitally enabled products, enhanced supply-chain automation, and massive use of analytics. The company now needed new cybersecurity capabilities that would both address new business risks and facilitate business and technology innovation.

To get started, the cybersecurity team engaged a broad set of business partners, capturing current and planned strategic initiatives. It then mapped out the new risks that these initiatives would create and the ways in which cybersecurity protections might slow or block the capture of business opportunities. At the same time, the cybersecurity team looked at a broad set of emerging practices and techniques from the pharma industry and other sectors, including online services, banking, and advanced manufacturing. Based on all this, it developed an overarching vision for how cybersecurity could protect and enable the company’s digital agenda, and it prioritized 25 initiatives. Some of the most important were the following:

— Collaborating with the commercial team to build patient trust by designing security into online patient journeys

— Collaborating with the manufacturing team to enhance transparency into configuration of plant assets

— Collaborating with the broader technology team to create the application programming interfaces (APIs) and the template to ensure secure configuration of systems running in the public cloud

— Dramatically expanding automation of the security environment to reduce time lags and frustrations developers and users experienced when interacting with the cybersecurity team

The cybersecurity team then used its vision and initiatives to articulate to senior management how it could enable the company’s digital business strategy and the support and assistance it would require from other organizations to do so.

Taken together, these actions will eliminate roadblocks to building digital-technology operating models and platforms. Perhaps more importantly, they can ensure that new digital platforms are inherently secure, allowing their adoption to reduce risk for the enterprise as a whole.

With digitization, analytics, RPA, agile, DevOps, and cloud, it is clear that enterprise IT is evolving rapidly and in exciting and value-creating ways. This evolution naturally creates tension with existing cybersecurity operating models. For organizations to overcome the tension, they will need to apply quantitative risk analytics for decision making, create secure business value chains, and enable operating platforms that encompass the latest innovations. These actions will require significant adaptation from cybersecurity organizations. Many of these organizations are still in the early stages of this journey. As they continue, they will become more and more capable of protecting the companies while supporting the innovative goals of the business and IT teams.

The risk-based approach to cybersecurity

Top managers at most companies recognize cyberrisk as an essential topic on their agendas. Worldwide, boards and executive leaders want to know how well cyberrisk is being managed in their organizations. In more advanced regions and sectors, leaders demand, given years of significant cybersecurity investment, that programs also prove their value in risk-reducing terms. Regulators are challenging the levels of enterprise resilience that companies claim to have attained. And nearly everyone – business executives, regulators, customers, and the general public – agree that cyberrisk is serious and calls for constant attention.

What, exactly, organizations should do is a more difficult question. This article is advancing a “risk based” approach to cybersecurity, which means that to decrease enterprise risk, leaders must identify and focus on the elements of cyberrisk to target. More specifically, the many components of cyberrisk must be understood and prioritized for enterprise cybersecurity efforts. While this approach to cybersecurity is complex, best practices for achieving it are emerging.

To understand the approach, a few definitions are in order. First, our perspective is that cyberrisk is “only” another kind of operational risk. That is, cyberrisk refers to the potential for business losses of all kinds – financial, reputational, operational, productivity related, and regulatory related – in the digital domain. Cyberrisk can also cause losses in the physical domain, such as damage to operational equipment. But it is important to stress that cyberrisk is a form of business risk.

Furthermore, cyberrisks are not the same as cyberthreats, which are the particular dangers that create the potential for cyberrisk. Threats include privilege escalation, vulnerability exploitation, or phishing.1 Cyberthreats exist in the context of enterprise cyberrisk as potential avenues for loss of confidentiality, integrity, and availability of digital assets. By extension, the risk impact of cyberthreats includes fraud, financial crime, data loss, or loss of system availability.

Cyberthreats are growing in severity and frequency.

Cyberthreat capacity and frequency today, threat actor

Decisions about how best to reduce cyberrisk can be contentious. Taking into account the overall context in which the enterprise operates, leaders must decide which efforts to prioritize: Which projects could most reduce enterprise risk? What methodology should be used that will make clear to enterprise stakeholders (especially in IT) that those priorities will have the greatest risk reducing impact for the enterprise? That clarity is crucial in organizing and executing those cyber projects in a focused way.

At the moment, attackers benefit from organizational indecision on cyberrisk – including the prevailing lack of clarity about the danger and failure to execute effective cyber controls.

Debilitating attacks on high-profile institutions are proliferating globally, and enterprise-wide cyber efforts are needed now with great urgency. It is widely understood that there is no time to waste: business leaders everywhere, at institutions of all sizes and in all industries, are earnestly searching for the optimal means to improve cyber resilience. We believe we have found a way to help.

The maturity-based cybersecurity approach: A dog that’s had its day

Even today, “maturity based” approaches to managing cyberrisk are still the norm. These approaches focus on achieving a particular level of maturity by building certain capabilities. To achieve the desired level, for example, an organization might build a security operations center (SOC) to improve the maturity of assessing, monitoring, and responding to potential threats to enterprise information systems and applications. Or it might implement multifactor authentication (MFA) across the estate to improve maturity of access control. A maturity-based approach can still be helpful in some situations: for example, to get a program up and running from scratch at an enterprise that is so far behind it has to “build everything.” For institutions that have progressed even a step beyond that, however, a maturity-based approach is inadequate. It can never be more than a proxy for actually measuring, managing, and reducing enterprise risk.

A further issue is that maturity-based programs, as they grow organically, tend to stimulate unmanageable growth of control and oversight. In monitoring, for example, a maturity-based program will tend to run rampant, aspiring to “monitor everything.” Before long, the number of applications queued to be monitored across the enterprise will outstrip the capacity of analysts to monitor them, and the installation of monitors will bog down application-development teams. The reality is that some applications represent more serious vulnerabilities – and therefore greater potential for risk – than others. To focus directly on risk reduction, organizations need to figure out how to move from a stance of monitoring everything to one in which particular applications with high risk potential are monitored in particular ways. Another issue related to the monitor-everything stance is inefficient spending. Controls grow year after year as program planning for cybersecurity continues to demand more spending for more controls. But is enterprise risk being reduced? Often the right answers lie elsewhere: for example, the best return on investment in enterprise-risk reduction is often in employee awareness and training. Yet a maturitybased model does not call for the organization to gather enough information to know that it should divert the funding needed for this from additional application monitoring. Spending on both will be expected, though the one effort (awareness and training) may have a disproportionate impact on enterprise-risk reduction relative to the other.

If the objective is to reduce enterprise risk, then the efforts with the best return on investment in risk reduction should draw the most resources. This approach holds true across the full control landscape, not only for monitoring but also for privileged-access management, data-loss prevention, and so forth. All of these capabilities reduce risk somewhat and somehow, but most companies are unable to determine exactly how and by how much.

The final (and most practical) drawback of maturity-based programs is that they can create paralyzing implementation gridlock. The few teams or team members capable of performing the hands-on implementation work for the many controls needed become overloaded with demand. Their highly valuable attention is split across too many efforts. The frequent result is that no project is ever fully implemented and program dashboards show perpetual “yellow” status for the full suite of cyber initiatives.

The truth is that in today’s hyperconnected world, maturity-based cybersecurity programs are no longer adequate for combatting cyberrisks. A more strategic, risk-based approach is imperative for effective and efficient risk management .

Reducing risk to target appetite at less cost

The risk-based approach does two critical things at once. First, it designates risk reduction as the primary goal. This enables the organization to prioritize investment – including in implementationrelated problem solving – based squarely on a cyber program’s effectiveness in reducing risk. Second, the program distills top management’s risk-reduction targets into precise, pragmatic implementation programs with clear alignment from the board to the front line. Following the risk-based approach, a company will no longer “build the control everywhere”; rather, the focus will be on building the appropriate controls for the worst vulnerabilities, to defeat the most significant threats – those that target the business’s most critical areas. The approach allows for both strategic and pragmatic activities to reduce cyberrisks.

For many companies, the risk-based approach is the next stage in their cybersecurity journey.

Security not considered

Security schmecurity

Lack of capability and awareness throughout organization, including among senior leadership

Example activities

• Assess cyber maturity (eg, data protection, access management) with or without benchmarks to highlight capability gaps

• Evaluate cyber awareness across organization

Foundational

Maturity-based approach

Build capabilities

Strengthen essential security and resilience fundamentals to plug gaps

Establish cyber operating model and organization to professionalize cybersecurity function

Example activities

• Build security operations center, incident-response playbooks, and identity- and access-management function; install multifactor authentication on apps; enable use of virtual private network

• Create and staff chief information security officer and connect to other relevant areas

Foundational

Risk-based approach

Reduce enterprise risk

Identify, prioritize, deliver, manage, and measure security and privacy controls in line with enterprise-risk- management framework

Set risk-appetite thresholds for linked pairs of key risk indicators and key performance indicators

Include stakeholders from full enterprise in cyber operating mode

Example activities

• Implement cyberrisk quantification

• Measure and report on reduction of risk, not progress of capabilities

Advanced

Proactive cybersecurity

Achieve holistic resilience

Transform processes and adoption of next-generation technologies to reduce detection and response times to within recovery-time objectives

Embed security in technology products, services, and processes from point of inception through to execution to achieve complete “security by design”

Fully incorporate customers, partners, third parties, and regulators into management of enterprise resilience

Example activities

• Deploy advanced analytics and machine learning for preventative detection

• Implement security by design with multilayer response-time reduction

Advanced

Companies have used the risk-based approach to effectively reduce risk and reach their target risk appetite at significantly less cost. For example, by simply reordering the security initiatives in its backlog according to the risk-based approach, one company increased its projected risk reduction 7.5 times above the original program at no added cost. Another company discovered that it had massively overinvested in controlling new softwaredevelopment capabilities as part of an agile transformation. The excess spending was deemed necessary to fulfill a promise to the board to reach a certain level of maturity that was, in the end, arbitrary. Using the risk-based approach, the company scaled back controls and spending in areas where desired digital capabilities were being heavily controlled for no risk-reducing reason. A particular region of success with the risk-based approach has been Latin America, where a number of companies have used it to leapfrog a generation of maturity-based thinking (and spending). Instead of recapitulating past inefficiencies, these companies are able to build exactly what they need to reduce risk in the most important areas, right from the start of their cybersecurity programs. Cyber attackers are growing in number and strength, constantly developing destructive new stratagems. The organizations they are targeting must respond urgently, but also seek to reduce risk smartly, in a world of limited resources.

A risk-based approach builds customized controls for a company’s critical vulnerabilities to defeat attacks at lower overall cost.

Maturity-based versus risk-based cybersecurity

A transformation in sequential actions

Companies adopting the risk-based approach and transforming their “run” and “change” activities accordingly inevitably face the crucible of how to move from maturity-based to risk-based cybersecurity. From the experience of several leading institutions, a set of best-practice actions has emerged as the fastest path to achieving this transformation. These eight actions taken roughly in sequence will align the organization toward the new approach and enable the appropriate efforts to reduce enterprise risk.

1. Fully embed cybersecurity in the enterpriserisk- management framework.

2. Define the sources of enterprise value across teams, processes, and technologies.

3. Understand the organization’s enterprise-wide vulnerabilities – among people, processes, and technology – internally and for third parties.

4. Understand the relevant “threat actors,” their capabilities, and their intent.

5. Link the controls in “run” activities and “change” programs to the vulnerabilities that they address and determine what new efforts are needed.

6. Map the enterprise risks from the enterpriserisk-management framework, accounting for the threat actors and their capabilities, the enterprise vulnerabilities they seek to exploit, and the security controls of the organization’s cybersecurity run activities and change program.

7. Plot risks against the enterprise-risk appetite; report on how cyber efforts have reduced enterprise risk.

8. Monitor risks and cyber efforts against risk appetite, key cyberrisk indicators (KRIs), and key performance indicators (KPIs).

1. Fully embed cybersecurity in the enterpriserisk-management framework

A risk-based cyber program must be fully embedded in the enterprise-risk-management framework. The framework should not be used as a general guideline, but rather as the organizing principle. In other words, the risks the enterprise faces in the digital domain should be analyzed and categorized into a cyberrisk framework. This approach demystifies cyberrisk management and roots it in the language, structure, and expectations of enterprise-risk management. Once cyberrisk is understood more clearly as business risk that happens in the digital domain, the organization will be rightly oriented to begin implementing the riskbased approach.

2. Define the sources of enterprise value

An organization’s most valuable business work flows often generate its most significant risks. It is therefore of prime importance to identify these work flows and the risks to which they are susceptible. For instance, in financial services, a loan process is part of a value-creating work flow; it is also vulnerable to data leakage, an enterprise risk. A payment process likewise creates value but is susceptible to fraud, another enterprise risk. To understand enterprise risks, organizations need to think about the potential impact on their sources of value.

Identifying the sources of value is a fairly straightforward exercise, since business owners will have already identified the risks to their business. Cybersecurity professionals should ask the businesses about the processes they regard as valuable and the risks that they most worry about.

Making this connection between the cybersecurity team and the businesses is a highly valuable step in itself. It motivates the businesses to care more deeply about security, appreciating the bottom-line impact of a recommended control. The approach is far more compelling than the maturity-based approach, in which the cybersecurity function peremptorily informs the business that it is implementing a control “to achieve a maturity of 3.0.”

The constituents of each process can be defined – relevant teams, critical information assets (“crown jewels”), the third parties that interact with the process, and the technology components on which it runs – and the vulnerabilities to those constituent parts can be specified.

3. Understand vulnerabilities across the enterprise

Every organization scans its infrastructure, applications, and even culture for vulnerabilities, which can be found in areas such as configuration, code syntax, or frontline awareness and training. The vulnerabilities that matter most are those connected to a value source that particular threat actors with relevant capabilities can (or intend to) exploit. The connection to a source of value can be direct or indirect. A system otherwise rated as having low potential for a direct attack, for example, might be prone to lateral movement – a method used by attackers to move through systems seeking the data and assets they are ultimately targeting.

Once the organization has plotted the people, actions, technology, and third-party components of its value-creating processes, then a thorough identification of associated vulnerabilities can proceed. A process runs on a certain type of server, for example, that uses a certain operating system (OS). The particular server – OS combination will have a set of identified common vulnerabilities and exposures. The same will be true for storage, network, and end-point components. People, process, and third-party vulnerabilities can be determined by similar methodologies.

Of note, vulnerabilities and (effective) controls exist in a kind of reverse symbiosis: where one is present the other is not. Where sufficient control is present, the vulnerability is neutralized; without the control, the vulnerability persists. Thus, the enterprise’s vulnerabilities are most practically organized according to the enterpriseapproved control framework.2 Here synergies begin to emerge. Using a common framework and language, the security, risk, IT, and frontline teams can work together to identify what needs to be done to close vulnerabilities, guide implementation, and report on improvements in exactly the same manner and language. Experience confirms that when the entire organization shares a common way of thinking about vulnerabilities, security can be significantly enhanced.

Experience confirms that when the entire organization shares a common way of thinking about vulnerabilities, security can be significantly enhanced.

4. Understand relevant threat actors and their capabilities

The groups or individuals an organization must worry about – the threat actors – are determined by how well that organization’s assets fit with the attackers’ goals – economic, political, or otherwise. Threat actors and their capabilities – the tactics, techniques, and procedures they use to exploit enterprise security – define the organization’s threat landscape.

Only by understanding its specific threatlandscape can an organization reduce risk. Controls are implemented according to the most significant threats. Threat analysis begins with the question, Which threat actors are trying to harm the organization and what are they capable of? In response, organizations can visualize the vulnerabilities commonly exploited by relevant threats, and appropriate controls can then be selected and applied to mitigate these specific vulnerability areas.

In identifying the controls needed to close specific gaps, organizations need to size up potential attackers, their capabilities, and their intentions – the threat actors’ strength and will (intention) to create a risk event. This involves collecting information on and understanding how the attackers connect, technically and nontechnically, to the people, process, and technology vulnerabilities within the enterprise.

5. Address vulnerabilities

To defeat threat actors, vulnerabilities discovered in the third action we describe will either be closed by existing controls – normal run activities or existing change initiatives – or will require new control efforts. For existing controls, the cyber governance team (for “run”) and the program management team (for “change”) map their current activities to the same control framework used to categorize vulnerabilities. This will show the controls already in place and those in development. Any new controls needed are added to the program backlog as either stand-alone or composite initiatives.

While an organization may not be able to complete all initiatives in the backlog in a single year, it will now be able to choose what to implement from the full spectrum of necessary controls relevant to the enterprise because they are applicable for frustrating relevant threat capabilities. The riskbased approach importantly bases the scope of both existing and new initiatives in the same control framework. This enables an additional level of alignment among teams: delivery teams charged with pushing and reporting on initiative progress can finally work efficiently with the second and third lines of defense (where relevant), which independently challenge control effectiveness and compliance. When the programdelivery team (acting as the first line of defense) sits down with the second and third lines, they will all be speaking the same language and using the same frameworks. This means that the combined groups can discuss what is and is not working, and what should be done.

6. Map the enterprise-risk ecosystem

A map of enterprise risks – from the enterpriseriskmanagement framework to enterprise vulnerabilities and controls to threat actors and their capabilities – makes visible a “golden thread,” from control implementation to enterprise-risk reduction. Here the risk-based approach can begin to take shape, improving both efficiency in the application of controls and the effectiveness of those controls in reducing risks. Having completed actions one through five, the organization is now in a position to build the riskbased cybersecurity model. The analysis proceeds by matching controls to the vulnerabilities they close, the threats they defeat, and the value-creating processes they protect. The run and change programs can now be optimized according to the current threat landscape, present vulnerabilities, and existing program of controls. Optimization here means obtaining the greatest amount of risk reduction for a given level of spending. A desired level of risk can be “priced” according to the initiatives needed to achieve it, or the entry point for analysis can be a fixed budget, which is then structured to achieve the greatest reduction in risk.

Cybersecurity optimization determines the right level and allocation of spending. Enterprise-risk reduction is directly linked to existing initiatives and the initiation of new ones. The analysis develops the fact base needed for tactical discussions on overly controlled areas whence the organization might pull back as well as areas where better control for value is needed.

By incorporating all components in a model and using the sources of value and control frameworks as a common language, the business, IT, risk, and cybersecurity groups can align. Discussions are framed by applying the enterprise control framework to the highest sources of value. This creates the golden-thread effect. Enterprise leadership (such as the board and the risk function) can identify an enterprise risk (such as data leakage), and the cybersecurity team can report on what is being done about it (such as a data-loss prevention control on technology or a social-engineering control on a specific team). Each part is connected to the other, and every stakeholder along the way can connect to the conversation. The methodology and model is at the center, acting both as a translator and as an optimizer. The entire enterprise team knows what to do, from the board to the front line, and can move in a unified way to do it.

7. Plot risks against risk appetite; report on risk reduction

Once the organization has established a clear understanding of and approach to managing cyberrisk, it can ensure that these concepts are easily visualized and communicated to all stakeholders. This is done through a risk grid, where the application of controls is sized to the potential level of risk.

The risk-based approach applies controls according to the risk appetite and the likelihood and potential impact of a risk event.

Risk events by size of impact and likelihood of occurrence