Does your company have a documented cyber-threat strategy? Here are five key questions to help you assess your strategy, along with links to more information about developing cyber-threat risk assessments and response plans.
Does your company have a cyber-threat strategy? "In a recent survey… only 53% of respondents have a documented security strategy, and only 47% indicated that their current strategy adequately addresses the risks." - Ernst & Young's Global Information Security Survey. Does your company have a documented strategy with a realistic and comprehensive cyber-security plan?
Thinking you have a plan when you do not is dangerous. If system administrators and management believe they have a cyber-security strategy, they are less likely to actively allocate and focus resources. It becomes easy to be complacent and ignore risks, hoping the status quo is sufficient, and then be surprised when it is not. The next five key questions can help you assess your company's strategy.
1. Does your strategy identify the threat agents who will be attacking your organization over the next 3 to 5 years? A defense posture can only be evaluated in relation to threats. Without knowing the attackers, defenders remain in the dark and are forced to protect against risks both real and imagined. The first step in any realistic strategy is to know who the opposition is, both today and in the future, and thereby understand their capabilities, objectives, and likely methods. McAfee's 2012 Threat Predictions report is a good document with which to start your analysis.
2. Does your strategy articulate how you will likely be attacked by those threat agents? Understanding your IT environment, where it is less secure, and how specific threat agents will attack over time is imperative to a strategy. Does the strategy talk only about generic worms, viruses, and system patching? Or does it take into account the likely exploit paths, the ones which align to the common methods of pervasive threat agents? For more on Intel IT's cyber-security strategy, read our Threat Agent Risk Assessment paper.
3. What impacts and losses are estimated from these attacks, given the expected defenses? Strategy is about planning. Planning security is about finding the right balance between spending on controls and the residual losses from an attack that are acceptable. Without knowing the likely losses, even at a generic level, it is impossible to plan forward. You can learn more about Intel IT's new enterprise security strategy in our Rethinking Information Security paper.
4. How do your security budget and efforts align to acceptable levels of loss? Impervious security, where no losses occur, either does not exist or is far too costly to employ. Some losses are inevitable, and knowing the range that is acceptable to management and/or shareholders is essential. If your company is outside that range, it should trigger plans to increase or contract your security spending. Intel's paper on a model for measuring the value of security investments includes prioritization against a variety of threats.
5. Who is responsible for the care and maintenance of your company's security strategy? Given the rapid and unpredictable nature of security threats, vulnerabilities, and impacts, a strategy must be continually assessed and adapted accordingly. Without clear ownership, most strategies quickly become stale and worthless. Without a person entrusted and empowered to actively plan and manage the cyber-threat security strategy, your answers to questions 1 through 4 become irrelevant. Malcolm Harkins, Intel's Chief Information Security Officer, talks about balancing business growth versus risk in this "Can Information Security Survive?" webcast.
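Questions 1 through 4 describe one assessment procedure: name the threat agents, list the attack paths each is likely to use, estimate the loss that survives your current controls, and compare the total against the loss range management will accept. The following is an added illustration of that procedure in Python; it is not Intel's Threat Agent Risk Assessment method or any code from the original post. The threat agents, attack paths, likelihoods, impacts, control-effectiveness figures and the acceptable-loss range are all constructed sample values chosen to keep the arithmetic visible, and the function and class names are hypothetical.

```python
"""Toy threat-agent risk model (added illustration, not Intel's TARA method).

Walks the four assessment questions from the post: who the threat agents are,
how they will likely attack, what residual loss is expected given the current
controls, and whether that loss sits inside management's acceptable range.
All figures below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AttackPath:
    """One likely exploit path used by a threat agent (question 2)."""
    name: str
    annual_likelihood: float      # probability of at least one attempt per year (constructed)
    impact_per_event: float       # loss in currency units if the attempt succeeds (constructed)
    control_effectiveness: float  # fraction of attempts the current controls stop (constructed)

    def residual_annual_loss(self) -> float:
        # Expected annual loss that survives the existing defenses (question 3).
        return self.annual_likelihood * self.impact_per_event * (1.0 - self.control_effectiveness)


@dataclass
class ThreatAgent:
    """A threat agent expected to target the organization (question 1)."""
    name: str
    objective: str
    paths: list[AttackPath] = field(default_factory=list)

    def residual_annual_loss(self) -> float:
        return sum(p.residual_annual_loss() for p in self.paths)


def assess(agents: list[ThreatAgent], acceptable_low: float, acceptable_high: float) -> dict:
    """Compare total residual loss to the acceptable range (question 4).

    Returns the per-agent loss, agents ranked by loss (for prioritization),
    the total, and whether spending should increase, contract or hold.
    """
    per_agent = {a.name: round(a.residual_annual_loss(), 2) for a in agents}
    ranked = sorted(per_agent, key=per_agent.get, reverse=True)
    total = round(sum(per_agent.values()), 2)
    if total > acceptable_high:
        recommendation = "increase"   # residual loss exceeds what management accepts
    elif total < acceptable_low:
        recommendation = "contract"   # controls cost more than the loss they prevent
    else:
        recommendation = "hold"
    return {"per_agent": per_agent, "ranked": ranked, "total": total,
            "recommendation": recommendation}


# Constructed sample: two hypothetical agents with illustrative attack paths.
SAMPLE_AGENTS = [
    ThreatAgent("organized crime", "monetize customer data", [
        AttackPath("phishing leading to credential theft", 0.9, 400_000, 0.7),
        AttackPath("web application exploitation", 0.5, 250_000, 0.8),
    ]),
    ThreatAgent("disgruntled insider", "leak or sabotage", [
        AttackPath("privilege abuse", 0.2, 600_000, 0.5),
    ]),
]

# Constructed acceptable annual loss range agreed with management.
ACCEPTABLE_LOW, ACCEPTABLE_HIGH = 50_000, 150_000


if __name__ == "__main__":
    result = assess(SAMPLE_AGENTS, ACCEPTABLE_LOW, ACCEPTABLE_HIGH)
    for name in result["ranked"]:
        print(f"{name:20s} residual annual loss: {result['per_agent'][name]:>12,.2f}")
    print(f"total: {result['total']:,.2f}  recommendation: {result['recommendation']} spending")
```

With the sample figures, organized crime contributes 133,000 (108,000 from phishing plus 25,000 from web exploitation) and the insider 60,000, so the 193,000 total sits above the 150,000 ceiling and the model recommends increasing spending; re-running with a tolerance range that contains the total yields "hold". The point is not the numbers but the shape of the reasoning: each figure is an explicit, reviewable assumption that the strategy owner from question 5 can revisit as agents, paths and controls change.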
Don't become discouraged if your company does not have a robust cyber-security strategy… it is the norm, not the exception. Collectively, we are still at the beginning of this endeavor and have much to learn. Rushing to claim maturity is not the prudent path. Be realistic and recognize where your company is and where it needs to be.
Intel IT is passionate about driving business value through innovation and sharing IT best practices with our industry peers. Learn more about Intel IT's information security initiatives at: Intel.com/IT