Risk vs. Threat: Best Practices from a Fortune 50 Retailer
I’m happy to present a guest post from an experienced cyber intelligence analyst for a Fortune 50 retailer — who happens to be a Flashpoint client. He wanted to share some best practices based on his experience leveraging cyber threat intelligence to assess business risk, address threats, and shape the strategy for his company’s information security program. As Flashpoint always works with our clients to deliver Business Risk Intelligence (BRI) in a manner that best protects not only their organization but also their proprietary security measures and anonymity, we agreed it was best to publish this post without the author’s name. For more information on how Flashpoint’s retail clients leverage BRI to address threats and mitigate risk across the enterprise, please download our retail use cases.
Most chief information security officers (CISOs) refer to their information security programs as risk-based or risk-focused. However, the critical role cyber threat intelligence (CTI) plays in any risk-based cyber program is not always recognized.
The traditional definition of risk:
Risk = Likelihood x Impact
Across most private-sector organizations, Impact is measured in dollars and is typically outside of the information security function’s control. The value of a business’s assets or value generated by business operations is determined by a plethora of external factors that exist far beyond a CISO’s scope of influence. For example, let’s say a company’s website is down and as a result, the company’s brand reputation suffers, sales plummet, and the company loses money. In any such scenario, the value lost is largely exogenous; it is what it is.
Consequently, Likelihood is really the only variable in the risk equation that is within the CISO’s control. Likelihood is a function of two things: 1) how likely an actor is to attempt malicious activity and 2) if that attempt occurs, how likely the actor is to succeed given the current control environment.
Risk = [(Likelihood of an attempt) x (Likelihood of success of that attempt)] x Impact
A cyber threat intelligence program — as the title implies — focuses on Threat, which in turn consists of two things:
1. Intent: the likelihood that an actor will attempt malicious activity against an organization
2. Capability: the likelihood that an actor will be successful in accomplishing his or her goals given the organization’s current control environment
So, as a practical matter, if not definitionally:
Risk = Threat x Impact
As previously stated, the value of Impact is outside of a CISO’s control. Similarly, no information security program can control which or how many actors have intent to target their organization. Therefore, the only variable aspect of the risk equation that is within the CISO’s control is the likelihood that actors will be successful against their current control environment. This variable is precisely what a good cyber threat intelligence program focuses on.
Such a program systematically, rigorously, and continuously focuses on which actors are the most likely to attempt malicious activity against an organization, what these actors would likely attempt to accomplish, and the likelihood that their attempt would be successful. Only after any of these actors’ potential attempts have been identified, analyzed, and prioritized does the cyber threat intelligence team work to improve controls to reduce the likelihood of success by those actors. By improving controls to counter actual and emerging threats, a cyber threat intelligence program empowers a CISO to more efficiently reduce his organization’s risk. Indeed, while not always easy to quantify, this process is what yields the return on investment for a cyber threat intelligence program.
Before cyber threat intelligence, most information security programs would work with the business to identify the assets with the highest potential Impact. Teams would then rely upon a strategy rooted in “best practices” and “defense-in-depth” procedures to protect these assets. As many people have said before, such a strategy is really just throwing a bunch of different controls at a problem and hoping for the best. While the industry has recognized this approach as flawed for years now, many organizations continue to practice it.
A true risk-based information security program necessitates an intelligence function. Such a function is fundamental. Threat intelligence increases the effectiveness of an information security program, which lowers the organization’s risk and ultimately reduces costs.
In a threat-focused information security program, the most important factor in expediting a software patch is not the CVE score, but rather whether the vulnerability is being exploited and by whom. Architecture decisions are made based upon specific actual and emerging threats. Controls are specifically chosen and placed to maximize their effectiveness against those threats, all the while minimizing business impact.
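As an added example that is not from the post or from Flashpoint, the following Python works the risk equation above (likelihood of an attempt, times likelihood of success, times Impact) and the threat-driven patch ordering from this paragraph on constructed actors and vulnerabilities, and shows that the only lever that moves risk is an actor's likelihood of success against current controls. The actor names, placeholder CVE identifiers, probabilities, dollar values and the baseline threat constant are all assumptions, and combining several actors as 1 - prod(1 - threat_i) is a generalization of the single-actor formula, not something the post states.

```python
from dataclasses import dataclass
from math import prod

@dataclass(frozen=True)
class Actor:
    name: str
    intent: float       # likelihood of an attempt against this organization, 0..1
    capability: float   # likelihood of success against current controls, 0..1

@dataclass(frozen=True)
class Vulnerability:
    cve: str            # placeholder identifier, constructed (not a real CVE)
    cvss: float         # published severity score, 0..10
    impact: float       # dollars lost if exploited on this asset (exogenous)
    exploited_by: tuple # actor names the CTI team has observed exploiting it

# Assumption: residual threat from unobserved, opportunistic actors (no tracked actor).
BASELINE_THREAT = 0.01

def threat(actor):
    """Threat = P(attempt) x P(success), i.e. Intent times Capability."""
    return actor.intent * actor.capability

def risk(vuln, actors):
    """Risk = Likelihood x Impact; Likelihood = P(at least one tracked actor succeeds)."""
    threats = [threat(actors[n]) for n in vuln.exploited_by if n in actors]
    likelihood = 1 - prod(1 - t for t in threats) if threats else BASELINE_THREAT
    return likelihood * vuln.impact

def rank_by_cvss(vulns):
    """Severity-only patch queue, the ordering the post argues against."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]

def rank_by_risk(vulns, actors):
    """Threat-driven patch queue: who is exploiting it and how likely they succeed."""
    return [v.cve for v in sorted(vulns, key=lambda v: risk(v, actors), reverse=True)]

def risk_reduction(vuln, actors, actor_name, new_capability):
    """Risk removed by a control that lowers one actor's P(success); Intent and Impact stay fixed."""
    a = actors[actor_name]
    improved = {**actors, actor_name: Actor(a.name, a.intent, new_capability)}
    return risk(vuln, actors) - risk(vuln, improved)

# Constructed sample data: a carding crew with high intent against a retailer,
# a capable group with little interest, and three vulnerabilities on three assets.
ACTORS = {"carder-crew": Actor("carder-crew", 0.9, 0.6),
          "apt-x": Actor("apt-x", 0.1, 0.9)}
VULNS = [Vulnerability("CVE-PLACEHOLDER-1", 9.8, 5_000_000, ()),
         Vulnerability("CVE-PLACEHOLDER-2", 6.5, 2_000_000, ("carder-crew",)),
         Vulnerability("CVE-PLACEHOLDER-3", 7.5, 8_000_000, ("apt-x",))]
```

With these inputs the CVSS queue puts the unexploited 9.8 first, while the threat-driven queue puts the actively exploited 6.5 first; halving the carding crew's capability with a new control removes more risk than any change to Impact the CISO could make.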
Flashpoint acknowledges that organizations seeking to lower their overall risk require comprehensive visibility into all relevant actors, campaigns, and threats — most of which emerge from the Deep & Dark Web. It’s crucial to note that while many security teams leverage cyber threat intelligence to strengthen cyber and information security, many threats can and do target all business functions and assets within an organization. Flashpoint recognizes the challenges such threats can yield, which is why the company’s Business Risk Intelligence derived from the Deep & Dark Web empowers all business functions across the enterprise to not only address information security threats but also bolster cybersecurity, confront fraud, detect insider threats, enhance physical security, assess M&A opportunities, and address vendor risk and supply chain integrity. This comprehensive approach to addressing all relevant threats is ultimately what helps organizations reduce their risk.
For more information and specific use cases about how Flashpoint’s retail sector clients leverage Business Risk Intelligence to address threats and mitigate risk across the enterprise, please visit: http://go.flashpoint-intel.com/use-cases/retail