This post first appeared on Risk Management Magazine.
There has been tremendous progress in the cybersecurity discipline in terms of defining strategy by outcomes rather than the methods used. This is especially apparent in the financial services industry, where frameworks such as CBEST and FFIEC encourage practitioners to not only think about risk-based approaches, but also to understand levels of maturity and capabilities relative to industry benchmarks.
When it comes to cybersecurity, the reality is that we no longer talk about technology first—we talk about the risks, and then discuss the processes and technical capabilities required to address them.
When using risk-based approaches for proactive technology reviews and business planning, you first identify the risks (commonly known as a threat model when dealing with cybersecurity), prioritize them, and then go about building a set of controls or mitigations in order to address these risks. This approach is increasingly applied by financial services regulators around the world, incorporating advanced techniques such as penetration testing and maturity models that provide evidence and compare current performance to historical baselines.
The Check-The-Box Compliance Mindset
Several years ago, the typical information security professional was burdened by a check-the-box compliance mindset where budgets and priorities were predominantly directed toward passing audits. This gave the illusion of achieving higher levels of security and meeting best practice standards, but it was just that—an illusion. As breaches became more widespread and impactful (both in terms of immediate business cost and reputation damage), the industry saw a movement toward incident response. With this approach, the lessons from incidents were better understood and measures were put in place to reduce the likelihood of recurrence.
While responding to such incidents made the strategy more relevant to real-world threats, these early incident responses were still based on historical events. As incidents became more frequent and the scope of larger issues better documented, the industry has experienced another shift, toward proactive, risk-based security and a better definition of maturity models based on understanding industry baselines and best practices.
The Risk-Based Approach
Taking a risk- and evidence-based approach to the testing of cyber readiness, CBEST moves as far away from the theoretical check-the-box compliance approach as one can get. Created by the Bank of England, CBEST is designed to measure the likely impact of real-world threats against systemically critical institutions within the U.K., including banks and critical intermediaries like financial service providers, by emulating the actions of attackers on those environments. The process includes creating a threat model against an organization, examining the attacker’s motivations and capabilities, and executing a set of tests to measure the institution’s defense posture. This is essentially a combination of theoretical analysis and practical execution of penetration tests to help measure an organization’s cyber defense capabilities.
One common exercise in the CBEST threat model is to understand the controls separating critical data repositories and systems from general purpose user infrastructure. The analysis and subsequent penetration test would determine whether an organization is able to detect and prevent unauthorized access between the general-purpose user and critical systems within the organization. Out of these risk-based analyses, the lack of internal segmentation is consistently identified as a significant challenge.
Using Maturity Models
The Federal Financial Institutions Examination Council (FFIEC) is a U.S. government interagency body that includes the Federal Reserve and has regulatory responsibility for the “prescription of uniform principles and standards” to systemically critical financial institutions and their service providers within the United States.
The FFIEC Cybersecurity Assessment Tool takes another risk-based approach: it assesses an organization’s underlying risk profile and its ability to mitigate that risk through controls and processes. The results of the assessment give an organization’s leadership a better understanding of its relative maturity against the rest of the industry across several domains, including technology, organization and process.
The FFIEC Cybersecurity Assessment Tool provides a mechanism for organizations to assess their cyber readiness and maturity against industry baselines, effectively comparing themselves (anonymously) with their peers. In a world where highly publicized cyber breaches can cause huge reputation and client impact, no board of directors wants to be lagging in cyber best practices, and this level of “anonymized” competition is being used to drive improvements throughout the system.
Looking specifically at some of the FFIEC requirements, it is even more apparent that reactive, perimeter-facing controls are no longer sufficient. For example, according to Domain 3, Cybersecurity Controls-Infrastructure (intermediate level requirement): “The enterprise network is segmented in multiple, separate trust/security zones with defense-in-depth strategies (e.g., logical network segmentation, hard backups, air-gapping) to mitigate attacks.” In addition, Domain 3, Cybersecurity Controls-Access and Data Management (baseline level requirement) reads: “Production and nonproduction environments are segregated to prevent unauthorized access or changes to information assets.”
Consistent with CBEST, FFIEC cites requirements for internal environment segmentation for organizations displaying relatively basic capability levels. Internal segmentation requirements are being drawn along multiple dimensions (trust/security zones and production function), which renders simple network-based solutions (where systems can only be instantiated within a single endpoint group, as opposed to being represented in a more flexible policy model) ineffective. The FFIEC Cybersecurity Assessment Tool, consistent with the National Institute of Standards and Technology (NIST) cybersecurity framework used by regulators across industries, also stresses requirements for the visibility of threats and events within an institution’s environment.
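To make the multi-dimensional segmentation point concrete, here is an added example (not code from the article, nor from CBEST or the FFIEC tool) of a minimal attribute-based policy: each system carries both a trust-zone label and a production/nonproduction label, rules are written once per dimension, and observed flows are audited against them. System names and flow records are constructed for illustration.

```python
# Added example: attribute-based segmentation policy plus a flow audit.
# Two dimensions from the FFIEC Domain 3 quotes: trust zone (user/critical)
# and environment (prod/nonprod). Inventory and flows are constructed samples.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    zone: str   # "user" (general-purpose infrastructure) or "critical"
    env: str    # "prod" or "nonprod"


INVENTORY = {  # constructed sample inventory, not real hosts
    "ws-17": System("ws-17", "user", "prod"),
    "dev-ws": System("dev-ws", "user", "nonprod"),
    "ledger": System("ledger", "critical", "prod"),
    "ledger-uat": System("ledger-uat", "critical", "nonprod"),
    "bastion": System("bastion", "critical", "prod"),
}


def evaluate(src: System, dst: System) -> tuple[str, str]:
    """Return (verdict, reason); each rule covers one segmentation dimension."""
    if src.env != dst.env:
        return "deny", "prod/nonprod segregation"
    if src.zone == "user" and dst.zone == "critical":
        return "deny", "user zone may not reach critical zone"
    return "allow", "same zone and environment"


def endpoint_groups_needed(systems) -> int:
    """A single-endpoint-group model needs one group per distinct (zone, env) pair."""
    return len({(s.zone, s.env) for s in systems})


# Constructed flow records in "src,dst" form, as a segmentation device might log them.
FLOWS = ["ws-17,ledger", "dev-ws,ledger-uat", "ledger-uat,ledger",
         "bastion,ledger", "ws-17,dev-ws"]


def audit(flows, inventory=INVENTORY) -> list[str]:
    """Flag observed flows the policy would deny: the visibility-of-events requirement."""
    findings = []
    for rec in flows:
        s, d = rec.split(",")
        verdict, reason = evaluate(inventory[s], inventory[d])
        if verdict == "deny":
            findings.append(f"{s}->{d}: {reason}")
    return findings


if __name__ == "__main__":
    print(f"endpoint groups a flat model would need: {endpoint_groups_needed(INVENTORY.values())}")
    for finding in audit(FLOWS):
        print(finding)
```

Adding a third dimension (say, data classification) adds one rule here but multiplies the number of groups a flat endpoint-group model must maintain.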
Addressing Modern Cyberrisks
Regardless of industry sector, if you are looking to take a proactive approach to assessing cyberrisk and identifying areas for overall security improvement, both CBEST and the FFIEC Cybersecurity Assessment Tool are worth understanding. The frameworks provide a method for an organization to measure its cyber maturity across technology, operational processes and organizational readiness. As a result, maturity and risk requirements can be defined and implemented in a common language, which in turn provides a method for reporting against strategic business goals.