Think Like a Hacker.

Defend Like a CISO.

Confidently protect your organization’s data and assets with a risk-based approach to information security

Introduction

CISOs and hackers evaluate the same security problem from different perspectives

Chief Information Security Officers (CISOs) and hackers are both interested in a system’s weaknesses. A CISO defends that system from the inside out, while a hacker enters the system from the outside in.

Consider both perspectives together to build an information security program that protects your data and your organization from its highest-risk threats.

Malicious hacking happens

As a CTO of a small to medium-sized organization, you may not have a dedicated security team. You own the responsibility of protecting your organization’s product and customer information, but putting together an information security program that confidently reduces business disruption in today’s world can feel overwhelming and time-consuming.

When you search the internet for cybersecurity threats, you will see that 2021 is on pace to break the record for the total number of publicly reported compromises in one year [1] .

The number of reported compromises has trended upwards over the last decade and continues to rise. You will also find dozens of different types of cyberattacks to consider while making your security plan.

Where should you focus your efforts?

[1] Source: Identity Theft Resource Center (ITRC), 2021

Use your security program resources where they make the biggest difference

Many organizations either have only minimally considered information security or try to defend every part of their system equally. In reality, there are always parts of a system that should have more or less resources put towards protecting them.

The way you approach building your information security program depends on the potential encountered threats, the sensitivity and attractiveness of your system’s data, and your organization’s tolerance for risk. The best-fitting solution will vary between specific organizations.

A good security program will consider people, process, and technology as its key components.

A risk-based approach helps focus your security work

A risk-based approach to security planning creates a foundation of knowledge that you can use to inform future planning and decisions. It becomes a roadmap to building an effective information security program that aligns with your organization’s unique needs.

Taking a risk-based approach to security planning results in a solid security program

A risk-based approach to information security classifies which threats pose the highest risk to a specific organization and its systems.

The approach follows these steps:

  1. Understand the threats and risks to your organization
  2. Evaluate and prioritize your risks
  3. Mitigate your risks in order of priority
  4. Monitor your program's progress, taking into consideration any changes to your organization’s risks and risk tolerance.

Applying a risk-based approach to information security planning helps you assess, create, manage, and report on your information security program.

Benefits of a risk-based approach
Prove the value of your information security program

Gain the information to confidently communicate how security investments are performing to stakeholders in risk-reducing terms.

Genuinely understand how much risk your program carries

Know which threats are likely to happen and have the most impact on your organization. Strategize early to avoid having an emergency dictate your plans.

Provide clear leadership

Navigate what to work on with your team based on risk prioritization. Addressing a higher-risk threat becomes a higher-priority initiative.

Use resources efficiently

Distribute available resources where they are most impactful and understand what that impact is.

Monitor program strength

Quantify your risk level to track the strength and effectiveness of your initiatives and program as a whole over time.

Your organization’s security program will be unique

Assess your organization’s needs and traits to implement an impactful risk-based information security program.

Step 1: What are you protecting?
Understand and document your organization’s structure and value.

Step 2: What potential weaknesses do you have in your system?
Understand the attack surface areas in your organization’s system.

Step 3: How much harm could threats that exploit these weaknesses pose for you?
Identify your risk tolerance and prioritize what matters most for your organization.

Keep reading to learn how to evolve your information security program by gathering information, defining attack surface areas, and evaluating risk.

Defend Like a CISO – Understand What You’re Protecting

Understand what you’re protecting

Knowing how all the parts of your systems work together in your organization is integral to protecting them.

Most organizations have similar parts, executed differently

These parts are:

  • Valuable Assets
    The information and systems you need to protect.

  • Threat
    A person or piece of software that puts your valuable assets in danger.

  • Infrastructure
    The various software, hardware, and network components used to run an organization.

  • Supply Chain
    The vendors that connect, have access to, or provide parts of your infrastructure.

  • Employees
    The people authorized to interact with your infrastructure.

As you evaluate your system, aim to answer:

  • How does my organization map to the categories listed above?

  • What parts of my organization are connected to valuable information?

  • Have I segregated my corporate IT infrastructure from my production environment and data?

  • Have I made security requirements part of our engineering process and culture?

Recommended action:

Create a diagram outlining how all of these parts, processes, and people working at your organization are connected.

Think Like a Hacker

Evaluate your system’s weaknesses

Don’t get caught up worrying about numerous threat types individually. Instead, focus on proactively understanding the areas of hackable attack surface that exist in your organization.

Evaluate your system’s weaknesses

Review these four attack surface areas based on the diagram outline you created in the previous step. Document potential weaknesses an outsider could use to get past these areas, potentially causing harm to your organization.

For each of the four attack surface areas, the type of attack it is exposed to, the questions to ask, and example attacks:

Attack surface area: Systems
Type of attack: Infrastructure
Questions to ask:
  • Is my DNS infrastructure secure?
  • Is my registrar secure?
  • Am I using all of the security features offered by the registrar?
  • Am I managing valuable passwords securely (e.g. Amazon, registrar, etc.)?
  • Am I managing configurations?
Examples:
  • DNS/DoS
  • Man-in-the-middle (MITM)
  • Trojan horses

Attack surface area: Vendors
Type of attack: Supply chain
Questions to ask:
  • Are my vendors vetted and secure?
  • Have I done a legal review?
  • Am I regularly reviewing my vendors as our use of their service evolves?
  • Do I confidently keep track of what vendors have access to?
Examples:
  • Password attack
  • Session hijacking
  • Eavesdropping attacks

Attack surface area: Software
Type of attack: Ransomware/other malware
Questions to ask:
  • Am I backing up all of my critical data and systems?
  • Do I have a plan to restore my systems from backup? Have I tested it?
  • Am I patching my software regularly?
Examples:
  • Ransomware
  • Keyloggers
  • Password attack

Attack surface area: Employees
Type of attack: Social engineering
Questions to ask:
  • Do I have policies and procedures in place to minimize insider threats?
  • Are my employees trained to recognize fake communications like phishing emails and vishing calls?
Examples:
  • Phishing attacks
  • Insider threats

Securing these attack surface areas protects your organization against many subcategories of cyber threats. Deciding where to start and how to prioritize can be challenging.

Next, you will put these learnings together to determine which risks and threats warrant extra attention in your information security program.

Put the learnings together

Prioritize your risks

You identified what you’re protecting and which parts of your system have weak points. Now it’s time to evaluate your risk and prioritize accordingly, taking into consideration your organization’s available resources and risk tolerance. These findings set the goals for your information security program.

Most systems are hackable if enough resources are put towards the challenge. However, not all parts of your system will be equally desirable to outsiders or carry the same level of risk to your organization.

What does risk mean for your organization?

A single attack can carry multiple risks to your organization. Here are the common types of business risks to consider as you build your information security program.

  • Legal and regulatory fines
  • Loss of reputation
  • Direct loss of cash or cash-equivalents
  • Indirect loss of time, productivity, focus, etc.

While planning and prioritizing each identified risk, consider the sensitivity and attractiveness of that part of your system, the likelihood an attack will occur, and the subsequent impact on your organization.

To help with this process, ask yourself the following questions:

  • How much of my time, energy, and money is it worth?
  • How much harm do these types of threats pose for my organization?
  • How hard do I want or need to make it for someone to break in?
  • How attractive is our data to the outside world?

Evaluate and prioritize your organization’s unique risks by assigning a risk score

It’s common to evaluate risk by using a 5×5 matrix that compares sensitivity against attractiveness. Each axis is rated on the same five-point scale:

  1. Very Low
  2. Low
  3. Medium
  4. High
  5. Very High

Assign a risk score by multiplying the two axis values, giving a score between 1 and 25. Two risks can land on the same score from different combinations (a 5×2 and a 2×5 both score 10), so record both ratings, not just the product.

Example
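The following is an added worked example of the scoring described above, not code from the original page or from ZeroWall. It keeps a small risk register, rates each entry on the page’s two axes (sensitivity and attractiveness, 1 to 5), computes the product as the risk score, sorts the register by score, and groups the results into priority bands. The register entries, their ratings, and the band thresholds are constructed assumptions for illustration.

```python
"""Added example: a minimal risk register scored on the page's 5x5 matrix.

Each entry rates an asset/threat pair on the two axes the page uses
(sensitivity and attractiveness) from 1 (Very Low) to 5 (Very High);
the risk score is the product, 1..25. All entries and ratings below
are constructed for illustration, not taken from a real assessment.
"""
from dataclasses import dataclass

# The page's five-point scale for each axis.
SCALE = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    sensitivity: int
    attractiveness: int

    def score(self) -> int:
        """Risk score = sensitivity x attractiveness; rejects off-scale values."""
        for value in (self.sensitivity, self.attractiveness):
            if value not in SCALE:
                raise ValueError(f"axis value {value} is outside 1..5")
        return self.sensitivity * self.attractiveness


def tier(score: int) -> str:
    """Priority band for a 1..25 score.

    The thresholds are an assumption for this example; the page only
    says that higher scores carry more urgency.
    """
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def prioritize(risks):
    """Return risks ordered from highest to lowest score.

    sorted() is stable, so equal scores keep their register order,
    which is why the original ratings should be recorded as well.
    """
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def report(risks):
    """One line per risk, highest priority first: score, band, asset, threat."""
    lines = []
    for r in prioritize(risks):
        s = r.score()
        lines.append(f"{s:2d} {tier(s):6s} {r.asset}: {r.threat}")
    return lines


# Constructed sample register (hypothetical assets and ratings).
SAMPLE = [
    Risk("Customer database", "Credential theft via phishing", 5, 5),
    Risk("Marketing website", "Defacement via unpatched CMS", 2, 3),
    Risk("Registrar account", "DNS hijack via account takeover", 5, 4),
    Risk("Internal wiki", "Insider data leak", 2, 2),
    Risk("Build pipeline", "Compromised third-party dependency", 4, 4),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Running the block prints the register from highest to lowest score; the three highest-scoring entries in the sample fall into the High band and would be the first initiatives in the program, matching the page’s rule that the most likely and most impactful threats carry the most urgency.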

Recommended action:

Evaluate and score each risk. Prioritize the resources you put towards each risk based on which would be most likely to happen and which would have the biggest impact to your organization.

Use a 5×5 matrix to assess each risk individually or use an assessment product like ZeroWall to elevate and expedite your evaluation and planning.

Use risk evaluation and prioritization to inform task planning and actions

Higher-risk threats—those most likely to happen and with the biggest impact—carry more urgency. Lower-risk threats are still important but may need fewer resources put towards defending them.

To gain an even deeper understanding of your risks and confidently decide the best next steps to protect your organization, consider using a security program assessment tool like ZeroWall’s Survey to save time and add a layer of expert advice.

Summary

Your information security program will keep advancing

While cyber threats will inevitably change, evolve, and multiply, protecting your organization against these threats doesn’t have to be daunting when you apply a risk-based approach.

Implementing a risk-based approach requires you to think about what you’re protecting, how outsiders may try to gain entry, and which parts of your organization are the most attractive and sensitive. Your information security program will take the shape of your organization’s specific needs and nature.

You may feel overwhelmed when you’re at the beginning of building your security program, but remember that taking any step towards evolving your security program is better than doing nothing. Start by thinking about these concepts and making notes to document your systems. Eventually, you’ll have a security program you can test and learn from. Your program will evolve over time as long as you continue to take action.

Regularly check in on the amount of risk your security program carries

Continue to review and understand how your information security program performs over time. Schedule time to evaluate potential changes in your organization’s systems, desirability, areas of your attack surface, available resources, and risk tolerance. Adjust risk prioritization and the work that supports it accordingly.

If a new threat or piece of information comes to your attention, remember to think:

  • If you were a hacker, how could you gain access to your systems?
  • If you were a CISO, how would you make those systems difficult to enter?

Knowledge is power

Gathering and organizing information about how your systems work gives you the knowledge you need to confidently identify, evaluate, prioritize, and reduce the risks of threats to your organization, even as threats evolve in the future. You’ve got this!

Author

Joan D. Pepin

 

Joan D. Pepin is a security pioneer and the Founder and CEO of ZeroWall, an AI company that empowers small to midsize organizations to assess and evolve their information security programs with confidence. Joan’s entrepreneurial drive gave her momentum to bring this service to life after her experience leading security initiatives as a CISO or BISO for several successful, high-growth organizations over the last two decades, including Auth0, Nike, and SumoLogic. She is a well-recognized thought leader who often challenges the status quo and has shared her learnings and perspective on cloud security and compliance at many events, including RSA. In addition to her work disrupting the security industry, she prioritizes community support, including angel investing, advising startups, and serving on the board of directors for Bradley Angle, a non-profit domestic violence shelter and advocacy organization.