A Change in Mindset: From a Threat-based to Risk-based Approach to Security
Bad actors find themselves at a constant advantage. They can determine when, where, and how they will attack an enterprise, using time and patience to pick the moment they want to strike.
As cybersecurity professionals, we constantly find ourselves fighting an uphill battle. The growth of cloud computing, remote employees, and Software-as-a-Service applications continues to expand the attack surface, providing bad actors with ever more opportunities. Malicious hackers have the advantage of surprise, and that advantage will only grow as networks become more complex.
The threat landscape continues to expand, and security teams must change their approach from a threat-based to a risk-based mindset. This is a substantial change in how to approach security, moving away from a structure based on compliance and regulations to one that looks to reduce overall risk.
As technology leaders pivot to ask themselves, “What’s the worst thing that could happen?”, the answers to that question can guide a risk-based approach, because they highlight the worst-case scenario and what it would take to recover from it.
Change is Happening
The shift to a risk-based methodology is already happening in many large organizations. Threat-based methods often focused on a checklist of tasks to meet unique industry requirements but overlooked the key component of security: reducing risk.
As any security professional will say, compliance itself does not equate to security. It provides an organization with benchmarks and goals and reduces culpability during a breach, but often leaves security as an afterthought.
A risk-based approach to security takes a holistic view of a company to evaluate where its critical assets are, and systematically identifies and prioritizes the threats facing the organization. Instead of looking at individual security controls in isolation, the risk-based mindset gives you a clearer picture of where, and how likely, you are to be breached.
A threat-based approach looks to mitigate active and prospective threats. This could be a hacker or a piece of malware that has entered your system. Once inside, these bad actors can cause damage, and threat mitigation strategies look to identify them quickly and take decisive action.
In the current threat-based system, business processes and security needs often work in siloed environments. A risk-based approach allows technology leaders to prioritize assets, allocate resources, and create a systematic approach to mitigate high-risk areas. Technology and business leaders should work together to determine how security aligns with needed business goals.
Best Practices for Risk-Based Methods
Organizations looking to move to a more risk-based structure must consider many factors. A risk-based methodology includes performing an organizational risk assessment, identifying and implementing the needed controls, and more.
Let’s look at some key best practices for technology leaders:
• Define and prioritize all assets critical to the business. Technology leaders must take stock of all their technology assets, including those on the Internet. Creating a list of assets and determining the value of each – and the inherent risks associated – provides a crucial first step.
• Implement robust policies for defining which users and systems need access to critical assets. Organizations will focus more on user identity and access with a risk-based approach. Leverage technologies and tools that create strong authentication profiles that limit user movement.
• Implement a zero-exception enforcement policy. Institute access controls and stick to them, even though it may prove difficult. This is critical and aligns with current popular security methods like Zero Trust.
• Ensure that unauthorized access attempts are logged. Keeping and analyzing this information can help you understand where attack attempts come from. It also helps your organization strengthen security controls around frequently targeted assets.
• Conduct regular attack and user-error simulations. An emergency is not the best time to learn. Simulations provide invaluable experience for team members, accustom them to stressful situations, and prepare them to act quickly in a real emergency.
Keep an Open Mindset
This move to a risk-based methodology is not unexpected in many ways. Technology enterprises continue to shift rapidly based on the cloud and the influx of remote workers, stretching networks in new ways. By changing mindsets, you can take a longer-term view of the threat landscape, and adjust your approach to follow larger patterns.
As security leaders, we can never sit comfortably in our protection duties. Bad actors are continually changing, and so must we. Technology leaders cannot be afraid to move away from older ideas toward newer methodologies and ways of thinking.
Organizations today have a growing estate of technology assets that need protection. Leverage a risk-based approach and focus on tools that provide visibility, automation, and true insight into your enterprise’s operations. Look to authentication tools that strengthen identity, and keep your team sharp with regular training and simulations.
The technology world continues to change. Make sure you change with it.
https://www.securityweek.com/change-mindset-threat-based-risk-based-approach-security