Bridging the Gap Between Security and the Business: A New Approach to Quantifying Business Risk

Author: Yotam Ben Ezra, Vice President of Product, SafeBreach
Published: July 14

Editor's note: The following is a sponsored blog post from SafeBreach.

In security, today's teams have to navigate significant layers of complexity, contending with too many different standards and too many different technologies. When we talk about security, we have a lot of buzzwords, slogans and, of course, acronyms, which too often compound the confusion. Teams are tasked with combating threats while operating in a world of BCPs (business continuity plans), DRM (digital risk management), IT risk management, key risk indicators (KRIs) and more.

The proliferation of terminology points to a larger challenge: getting teams across the organization to talk about risk in the same language. Part of the disconnect stems from the fact that responsibilities and priorities at the board level are inherently different. For example:

  • CISOs have traditionally focused on communicating security risk and securing the financial and operational support needed to address it.
  • CIOs are responsible for translating the security and technology perspective for the business, and for prioritizing and justifying overall technology spend.
  • CFOs manage the organization's overall spending and ensure it aligns with the goals set by the CEO and the board.
  • The CEO and the board need to understand how security risk affects the organization and make high-level resource allocation decisions, while focusing on optimizing business performance and results.

The reality is that there is often a fundamental gap between security strategy and the business, and that gap stands in the way of every one of these roles succeeding. The different teams have distinct concerns:

  • Security teams are focused on these questions:
    • Do we have the right security controls?
    • Are our existing security investments effective?
    • Am I protected against the latest threats?
    • What are our main security gaps?
  • Business leadership is focused on these questions:
    • What’s my exposure in financial terms?
    • Are our technology investments supporting our business goals?
    • How can we further reduce risk to the business?
    • Where should I invest to maximize my ROI?
    • How can we reduce costs?

When these teams are not aligned, the result is a fundamental lack of clarity about risk. Without visibility, the executives making key decisions about security strategy and investment have no real insight into the risks they need to understand in order to choose wisely. When business goals and priorities, budget allocation and security controls are not optimized together, the bottom-line impact can be significant.

The CISO Imperative: Business Alignment and Value Delivery
For CISOs in particular, focusing solely on security without ensuring business alignment is a recipe for failure. Put another way, CISOs who focus only on security and ignore the gap that persists with the business will not keep their seat at the table for long.

Consider that, according to Gartner research, by 2023, 30% of CISOs' effectiveness will be directly measured on their ability to create value for the business. If that is accurate, and if expectations and criteria continue to evolve, business alignment will only become more critical. To close the gap, CISOs need answers to the following questions:

  • What are my business processes?
  • What is the business value of each process?
  • How is the technology stack mapped to business processes?
  • Which security controls support that stack?
  • How do I quantify security risks in business terms?

The Solution: A New Approach to Risk Quantification
To get authoritative answers, particularly to that last question, teams need to establish a cyber risk quantification (CRQ) model within the enterprise. Through CRQ, teams across the organization can build alignment around the most critical risks and optimally align investments, allocations and resources around them.

Ultimately, CISOs want business risk reporting to be generated automatically and to provide actionable insight and intelligence around risk scenarios, including specific threats, risks facing specific groups or business units, and the risks to which specific assets are exposed. That said, many organizations will face significant challenges in building a process that continuously identifies organizational risk, because it involves different stakeholders and cross-functional collaboration.

So where should an organization start? One approach is to "start simple" by looking at the relative importance of high-level entities, business units and assets, and defining the high-level threat scenarios they face. That alone can produce substantial value and insight at the business level. The security organization can then decide at what pace, and at what level of detail, to develop the model further.

While establishing unified visibility is key, it is also critical to understand that different teams need different levels of visibility. Think about the visibility you want when you are flying. You want to look out the window and see your progress, and ideally your flight offers one of those interactive maps that shows the plane's position. Then think about being the pilot of that plane, and the detailed instrument panel needed to get it to its destination.

CRQ Overview
At a high level, CRQ can be viewed as a simple calculation: impact + likelihood = risk. (The two factors are not literally summed; as the Risk item below makes clear, the score should grow with both, and most CRQ models, FAIR among them, combine them multiplicatively so that a high-value asset with a near-zero likelihood does not still rank as a high risk.) Here are our recommendations for how organizations should think about defining each of these elements:

  • Impact. To establish impact, it is important to determine the value of business entities. Ultimately, this yields a concrete view of each entity's "crown jewels": the critical data assets and locations that must be protected. Impact and value can initially be rated and measured on a scale of high, medium and low relative risk to the business, or with a more sophisticated model that assigns actual monetary value to business risk, which is the ultimate end goal for a more mature organization.
  • Likelihood. Likelihood is determined by assessing both the probability of an attack and the probability of loss. From the attacker's perspective, likelihood derives from the importance and value of the asset to the adversary, the relevant vulnerabilities, and the effectiveness of the security controls. Security control validation tools can be used to assess the exposure of business entities considered high value. Teams can identify the likelihood that an asset is exposed, and its vulnerability, from the combination of the asset's importance and the associated threat and vulnerability scores.
  • Risk. Risk can then be assessed by considering the business impact together with the likelihood that an attack results in a loss event. Fundamentally, the higher the value and the higher the likelihood, the greater the risk. What matters is that risk is defined in a concrete, objective way that can genuinely guide effective, coordinated action across the business.
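As an added worked example (not code from SafeBreach or from the original post), the following Python sketch turns the three elements above, together with the "start simple" advice from earlier, into a small scoring model: a few business entities rated high/medium/low (or in dollars), each carrying high-level threat scenarios, where control effectiveness is derived from blocked/attempted counts of the kind a control validation tool reports. All entity names, scenario names and numbers are constructed for illustration, and two design choices are the editor's assumptions rather than the page's: likelihood is computed as threat probability × vulnerability score × (1 − control effectiveness), and risk is impact × likelihood rather than a sum, so that a high-value but well-protected asset does not automatically outrank a low-value asset that is exposed today.

```python
"""Toy cyber risk quantification (CRQ) scoring model.

Added example, not SafeBreach's model. Assumptions (not from the page):
- impact is either an ordinal rating ("high"/"medium"/"low") or a monetary
  loss magnitude for one loss event;
- likelihood = threat_probability * vulnerability_score * (1 - control_effectiveness);
- risk = impact * likelihood (multiplicative, as in FAIR), summed per entity.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Union

# Assumed ordinal scale; the ratios, not the absolute numbers, drive the ranking.
ORDINAL_IMPACT = {"low": 1.0, "medium": 3.0, "high": 9.0}


def control_effectiveness(blocked: int, attempted: int) -> float:
    """Share of simulated attacks the controls stopped, as a control validation
    run would report it (counts below are constructed for the example)."""
    if attempted <= 0:
        raise ValueError("attempted must be positive")
    if not 0 <= blocked <= attempted:
        raise ValueError("blocked must be between 0 and attempted")
    return blocked / attempted


def _unit(value: float, name: str) -> float:
    """Reject probabilities outside [0, 1] instead of silently producing nonsense."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be in [0, 1], got {value}")
    return value


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    threat_probability: float     # P(scenario attempted in the period); reflects attractiveness to the adversary
    vulnerability_score: float    # P(an exploitable weakness is present given an attempt)
    control_effectiveness: float  # share of attempts the validated controls stop

    def likelihood(self) -> float:
        """P(loss event) = P(attempted) * P(exploitable) * P(controls fail)."""
        return (_unit(self.threat_probability, "threat_probability")
                * _unit(self.vulnerability_score, "vulnerability_score")
                * (1.0 - _unit(self.control_effectiveness, "control_effectiveness")))


@dataclass(frozen=True)
class BusinessEntity:
    name: str
    impact: Union[str, float]     # "high"/"medium"/"low", or loss magnitude in currency units
    scenarios: tuple[ThreatScenario, ...]

    def is_monetary(self) -> bool:
        return not isinstance(self.impact, str)

    def impact_value(self) -> float:
        if isinstance(self.impact, str):
            if self.impact.lower() not in ORDINAL_IMPACT:
                raise ValueError(f"unknown impact rating {self.impact!r}")
            return ORDINAL_IMPACT[self.impact.lower()]
        return float(self.impact)

    def scenario_risks(self) -> dict[str, float]:
        """Risk contribution per scenario: this is what makes the report actionable."""
        return {s.name: self.impact_value() * s.likelihood() for s in self.scenarios}

    def risk(self) -> float:
        return sum(self.scenario_risks().values())


def rank_entities(entities: list[BusinessEntity]) -> list[tuple[str, float]]:
    """Entities ordered by total risk, highest first. Refuses to mix ordinal and
    monetary impacts, since 'high' = 9 and $2,000,000 share no unit."""
    if len({e.is_monetary() for e in entities}) > 1:
        raise ValueError("do not mix ordinal and monetary impact in one ranking")
    return sorted(((e.name, e.risk()) for e in entities), key=lambda t: -t[1])


def top_scenarios(entities: list[BusinessEntity], n: int = 3) -> list[tuple[str, str, float]]:
    """The n (entity, scenario, risk) rows that contribute most across the portfolio."""
    rows = [(e.name, s, r) for e in entities for s, r in e.scenario_risks().items()]
    return sorted(rows, key=lambda t: -t[2])[:n]


def sample_portfolio() -> list[BusinessEntity]:
    """Constructed data: three entities rated on the ordinal scale."""
    return [
        BusinessEntity("Payments processing", "high", (
            ThreatScenario("Ransomware on payment servers", 0.6, 0.5, control_effectiveness(18, 20)),
            ThreatScenario("Credential theft via phishing", 0.9, 0.8, control_effectiveness(12, 20)),
        )),
        BusinessEntity("Marketing website", "low", (
            ThreatScenario("Web defacement", 0.8, 0.9, control_effectiveness(5, 20)),
        )),
        BusinessEntity("HR records", "medium", (
            ThreatScenario("Insider data export", 0.3, 0.7, control_effectiveness(10, 20)),
        )),
    ]


if __name__ == "__main__":
    portfolio = sample_portfolio()
    for name, risk in rank_entities(portfolio):
        print(f"{name:22s} risk={risk:.3f}")
    for entity, scenario, risk in top_scenarios(portfolio):
        print(f"  {entity} / {scenario}: {risk:.3f}")
```

On the constructed data the low-impact marketing site outranks the medium-impact HR system because its controls stop only a quarter of attempts, which is exactly the kind of ordering a multiplicative model surfaces and an additive one hides. Moving from the ordinal scale to monetary impact is a matter of passing a loss magnitude instead of a rating; the ranking function rejects a portfolio that mixes the two.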

An Aligned Approach to Tracking Risk
For CISOs, alignment with the business will be key to their organization's success, not to mention their careers. Although many organizations are far from having a complete picture of the value of their technology and IT assets, an effective CRQ process can be built in a way that reflects their maturity. With an effective CRQ tailored to the business and its unique goals, IT and security infrastructure, teams can begin tracking risk in a way that keeps everyone on the same page. Through that shared visibility and unified purpose, teams will be better equipped to ensure that investments and security defenses are optimally aligned with business and security objectives, and to move the needle on risk in a pragmatic and verifiable manner.

To learn more about how SafeBreach can support your enterprise's CRQ program, visit our website at www.safebreach.com.
