
In this episode of Inside the CISO’s Office, I spoke with Tom Siu, virtual CISO from Inversion6, about the role of a CISO in facilitating IT risk management and how a CISO can adapt to be more effective in the modern risk landscape. We discussed frameworks for identifying and prioritizing risk, the necessity of cross-functional partnerships, and the importance of robust disaster recovery planning.
Cutting through the “fog of more”
Technology underpins much of modern life, and cybersecurity threats have become part of it too. For the CISO these threats arrive from every direction and touch every part of the organization, which can lead to a blizzard of notifications, a feeling of being overwhelmed, and at times analysis paralysis—a condition we professionals have come to call “the fog of more.”
“It’s always good to be able to say, ‘Here’s a principle that we’re going to follow to find the risks,’” said Tom. “You could go through a checklist, but that checklist may have aged in five minutes from the different types of threat spaces. So that’s why I’m a proponent of the OCTAVE threat model.”
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology, developed by Carnegie Mellon University in 1999, is one example of a threat modeling strategy. It offers a framework for identifying your organization’s most critical assets, their most pressing vulnerabilities, and the potential consequences of damage or loss.
A wide variety of threat modeling frameworks and supplemental tools exist. Some examples are:
- STRIDE, developed by Microsoft in 1999.
- Process for Attack Simulation and Threat Analysis (PASTA).
- Common Vulnerability Scoring System (CVSS), developed and maintained by NIST.
- LINDDUN, a privacy-oriented framework.
- Rapid Risk Assessment (RRA), developed by Mozilla.
Threat modeling provides company leadership with essential guidance in IT risk management. These frameworks increase buy-in and alignment across the organization by bringing business leaders together to establish risk management priorities.
“You need the business unit representatives, as well as owners, looking at what the outcomes are like,” said Tom. “They can make those sort of business-impact discussion decisions—even though you [yourself] may have seen several as a cybersecurity professional, you need to have this sort of team mentality.”
A clear and comprehensive foundation for risk assessment is a crucial tool for enabling a holistic cybersecurity strategy.
Cybersecurity is physical security: cross-functional collaboration
The line between cybersecurity and security in the broader sense continues to blur. Cybersecurity incidents have increasingly visible real-world consequences; think of the Colonial Pipeline attack, or the attack on MGM hotels in Las Vegas. This overlap between cybersecurity and physical security points to the need for interdepartmental collaboration and knowledge-sharing for effective IT risk management.
With so many real-life examples available, it makes sense for CISOs to use real-world events as a reference point that business partners can align around.
“I think that’s part of your job in identifying risk,” Tom said. “To say, ‘Hey, this other organization had this issue—how does that apply to our situation here? What can we learn from that?’” Examples from current events offer non-technology business units perspectives on the risks at play and highlight the importance of working together.
“I think it’s really good that people do share the root cause, or their… post-analysis,” said Tom. “The [2023 cyberattack on MGM Resorts International] was very helpful for me, to see these cases and use it to explain [cybersecurity incidents] to people.”
Real-world incidents demonstrate the full scope of a cyberattack’s potential fallout. For some organizations that can mean months of stalled work while the technology department replaces compromised hardware. In other cases the results may be more destructive—as with the Stuxnet worm, which was discovered in 2010 and caused centrifuge equipment in Iranian nuclear research facilities to tear itself apart. Multi-disciplinary planning and response help organizations identify incidents quickly and resolve them more thoroughly.
As I mentioned to Tom, “A business continuity plan involves the entire business.”
Building an IT risk management strategy from disaster recovery
Many organizations begin their IT risk management strategy from the perspective of preventing an incident or—as businesses acknowledge these days, cybersecurity incidents are all but inevitable—from their incident response plan. While these aspects are critically important, Tom highlights another category of NIST’s Cybersecurity Framework that very often goes unacknowledged: recovery.
“If [recovery’s] not in the CISO’s book of business, so to speak, it ought to be,” said Tom. “Because it isn’t always—sometimes it’s in some other department.” For example, backup and recovery tasks often fall to the IT Operations group and receive less-than-optimal integration with an organization’s larger cybersecurity efforts.
Backups and continuity planning, however, offer the opportunity to plan and prepare so that you can limit the damage from a cybersecurity incident—and your recovery strategy can inform your larger cybersecurity strategy in valuable ways.
“Maybe you should think [about] disaster recovery [and] business continuity first, so that what programs you have, feed into that,” said Tom. “What if [a cybersecurity incident] becomes disaster recovery planning? That involves more than just your cybersecurity team.” Tom emphasized that if your organization has not already established disaster recovery protocols, the process can become chaotic, resulting in greater business losses.
While the role of a CISO is crucial in modern businesses, individual CISOs may not yet have the authority within their organizations to execute necessary cybersecurity strategies. Because disaster recovery involves every department and highlights the seriousness of the risk, it can offer a point of entry for a CISO seeking alignment on necessary security improvements.
Navigate the evolving world of cybersecurity with CBTS
The surge in cyberattacks in recent years has significantly heightened the need for expert information security services. This uptick in security breaches has left many businesses scrambling, unsure of where to find the necessary guidance to fortify their defenses.
CBTS stands as your dependable ally in navigating the complexities of IT risk management. CBTS offers a comprehensive suite of services that includes thorough assessments to identify potential vulnerabilities, strategic planning to address these risks, and managed services designed to continually protect your business against the ever-changing landscape of cyber threats. By partnering with CBTS, you gain access to cutting-edge solutions and the expertise needed to secure your operations effectively.
Contact CBTS today to embark on a journey towards enhanced cybersecurity and peace of mind.