What is currently a typical starting point when organizations are thinking about protection against cyber threat and how often is that the right place to start?
Organizations can start from one of three places when thinking about protection against cyber threat:
- Strategic Level
- Management Level
- Delivery Level
Organizations that start at the delivery level typically implement point solutions such as firewalls and anti-virus software without thinking too much about the bigger picture. This can lead both to insufficient controls in vital areas and to overspend in non-critical areas.
Those organizations that start at the management level may begin with an ISO 27001 internal audit. This isn’t a ‘bad’ place to start and does cover all the standard controls an organization might require but can lead to tactical decisions being taken without proper consideration of the strategic context.
The best place to start is at the strategic level to understand the organizational context that cyber security must be delivered in. This ensures that any expenditure is proportional to the organization’s risk perception and risk appetite. This is where the adoption of RESILIA can really help.
For people who have studied for the RESILIA Foundation exam – or those who are wondering how it would help make their organizations more cyber resilient – one particular exam question tackles the issue of how to identify the protective controls needed in the face of cyber threats.
What BEST helps to determine countermeasures for organizational protection?
- a) Assets, threats and vulnerabilities
- b) Resource, impact, and time to resolve
- c) People, governance and compliance
- d) Capabilities, strengths and weaknesses
The question uses the terminology “countermeasures” which isn’t used in the RESILIA manual. However, a countermeasure is simply a measure or action taken to counter or offset another one. In this case the question is referring to organizational protection, so using the terms in the manual the question could have been: What BEST helps to determine Protective Controls?
Let’s consider each of the options in the real world and then in the context of the question:
Capabilities, strengths and weaknesses
Yes, an organization needs to consider these factors when determining what protective controls to use to counteract a particular threat, if only to know when to bring in third party assistance.
People, governance and compliance
Organizations need to consider who will be involved in managing and executing the protective controls, and determine the governance that will ensure the protective controls remain effective, up to date and compliant.
Resource, impact, and time to resolve
One of the key activities in risk management is the assessment of impact, which will have a significant influence on the resources allocated to countermeasures. Impacts expected to take a long time to resolve are likely to be assessed as higher impact than those that can be resolved quickly.
Assets, threats and vulnerabilities
In the context of cyber risk, an organization's assets are the vital information and capabilities that cyber criminals want to access; those assets are under threat whenever a vulnerability gives an attacker a way to reach them.
Therefore, going back to the question, you first need to determine your assets, threats and vulnerabilities, because they provide the context for all the other actions involved in creating protective controls. So option (a) is the best way to determine the countermeasures your organization needs. Without that understanding first, the other actions are useless.
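To make the reasoning concrete, here is an added example that is not from the RESILIA manual, AXELOS or the post's author: a small risk register in which each scenario is an asset, a threat and a vulnerability, impact is raised when the expected time to resolve is long (the point made under "Resource, impact, and time to resolve"), and candidate protective controls are ranked by how much risk they remove per unit of cost. All assets, threats, vulnerabilities, controls, the 1..5 scales and the greedy selection rule are constructed assumptions for illustration. The example also shows why a point solution chosen without this context (the firewall that addresses none of the registered vulnerabilities) never gets funded.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Every asset, threat, vulnerability, control and score below is a constructed,
# hypothetical example. The 1..5 rating scales are an assumption, not a RESILIA rule.


@dataclass(frozen=True)
class Scenario:
    asset: str
    asset_value: int          # 1 (negligible) .. 5 (vital to the organization)
    threat: str
    likelihood: int           # 1 (rare) .. 5 (expected)
    vulnerability: str
    exploitability: int       # 1 (hard to exploit) .. 5 (trivial)
    days_to_resolve: int      # expected recovery time after a successful attack


@dataclass(frozen=True)
class Control:
    name: str
    cost: int                 # relative cost units
    reduces: Tuple[str, ...]  # vulnerabilities this control mitigates
    reduction: float          # fraction of exploitability removed (0..1)


def impact(asset_value: int, days_to_resolve: int) -> int:
    """Impact rating 1..5: the asset's value, raised one level when recovery is slow."""
    bump = 1 if days_to_resolve > 7 else 0
    return min(5, asset_value + bump)


def risk(s: Scenario) -> int:
    """Inherent risk = likelihood x exploitability x impact (range 1..125)."""
    return s.likelihood * s.exploitability * impact(s.asset_value, s.days_to_resolve)


def residual_risk(s: Scenario, controls: List[Control]) -> float:
    """Risk left after the given controls reduce the scenario's exploitability."""
    exploitability = float(s.exploitability)
    for c in controls:
        if s.vulnerability in c.reduces:
            exploitability *= (1.0 - c.reduction)
    return s.likelihood * exploitability * impact(s.asset_value, s.days_to_resolve)


def prioritize(scenarios: List[Scenario], candidates: List[Control], budget: int) -> List[str]:
    """Greedy selection: repeatedly fund the affordable control with the best
    risk reduction per cost unit; controls that reduce no registered risk are skipped."""
    chosen: List[Control] = []
    remaining = list(candidates)
    budget_left = budget
    while remaining:
        def gain_per_cost(c: Control) -> float:
            before = sum(residual_risk(s, chosen) for s in scenarios)
            after = sum(residual_risk(s, chosen + [c]) for s in scenarios)
            return (before - after) / c.cost

        best = max(remaining, key=gain_per_cost)
        remaining.remove(best)
        if gain_per_cost(best) <= 0 or best.cost > budget_left:
            continue  # useless or unaffordable: do not fund it
        chosen.append(best)
        budget_left -= best.cost
    return [c.name for c in chosen]


# Constructed register: assets, the threats to them, and the vulnerabilities that expose them.
REGISTER = [
    Scenario("customer database", 5, "credential stuffing", 4, "no MFA on admin portal", 4, 14),
    Scenario("public website", 2, "defacement", 3, "unpatched CMS", 4, 1),
    Scenario("HR laptops", 3, "ransomware via phishing", 4, "no attachment sandbox", 3, 10),
    Scenario("marketing file share", 1, "accidental deletion", 2, "no backups", 5, 3),
]

# Constructed candidate protective controls, including one point solution that
# targets none of the registered vulnerabilities.
CANDIDATES = [
    Control("MFA on admin portal", 2, ("no MFA on admin portal",), 0.9),
    Control("CMS patch cadence", 1, ("unpatched CMS",), 0.7),
    Control("attachment sandboxing", 3, ("no attachment sandbox",), 0.6),
    Control("nightly backups", 1, ("no backups",), 0.8),
    Control("next-gen firewall for website", 4, (), 0.0),
]

if __name__ == "__main__":
    for s in REGISTER:
        print(f"{s.asset:22s} {s.threat:24s} risk={risk(s)}")
    print("fund first with budget 5:", prioritize(REGISTER, CANDIDATES, budget=5))
```

With a budget of 5 units the selection is MFA on the admin portal (risk 80, the vital asset with slow recovery), then the CMS patch cadence, then nightly backups; attachment sandboxing is skipped only because the remaining budget cannot cover it, and the firewall is never chosen because no asset-threat-vulnerability triple in the register justifies it.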
Read the previous posts in Matt Trigg's RESILIA Foundation Examination Questions series
RESILIA™ exam questions: Part One
RESILIA™ exam questions: Part Two