When I started working in security I was taught, like most of us, to adopt a risk management control framework such as NIST, ISO, PCI, etc. and measure the alignment of security practices with control standards, procedures, and policies from the framework.
The organization’s control maturity, measured against the framework, was the ultimate measure of enterprise resiliency, and changes to the business, architecture, and/or control standards were thought to represent risk to the security posture. Today we can look in the rearview mirror and see that the security industry’s practices for determining control maturity and resiliency evolved from the principal notion that the risk framework, whichever was chosen, was the foundation of all enterprise security programs. Put simply, the framework itself helped determine the risks to the business.
Jump forward to the modern enterprise: The most effective way of managing enterprise resiliency today, taking into account the risks, adversary profiles, and growing threat landscape that all enterprises manage on a daily—if not hourly—basis, has fundamentally changed. No longer can we consider compliance with a risk control framework sufficient; what’s more, the continual adoption of unconventional controls is core to influencing enterprise resiliency. The most mature enterprise security programs today adjust controls as threat actor tactics and the threat landscape evolve, without waiting for updates and changes from authoritative sources and control frameworks. In fact, my enterprise, Aetna, is changing control procedures—on average—once per day, allowing us to keep pace with actual business risk.
Under this new method, enterprise resiliency is not measured by how infrequently controls change. In fact, it is just the opposite: frequent changes to controls, driven by frequent changes in threats and threat actor tactics, are required for today’s enterprise. It’s time for the industry to recognize the implications of this shift and evolve better measures for enterprise resiliency and benchmarking. One of the components of a resilient enterprise program is the allocation of the organization’s talent, tools, and techniques. Organizations must apply innovation to cyber control design and consider the relationship between cybersecurity and privacy before they will be able to run a truly risk-driven security program.
We will dig into this topic in depth during my keynote address, The Three T’s of Cyber Security, at InfoSec World 2017. We’ve all long heard about how the combination of tools, techniques, and talent can drive your security program; you’ll now see how to transform your program into a modern-day, risk-aware, resilient organization.