Contemporary cyber security risk management practices are largely driven by compliance requirements, which force organizations to focus on security controls and vulnerabilities. Risk management considers multiple facets – including assets, threats, vulnerabilities and controls – which are jointly evaluated with the variables of probability and impact. Threats cause damage to information systems. Threats utilize vulnerabilities to enact this damage, and security controls are implemented to attempt to prevent or mitigate attacks executed by threat actors. The unbalanced focus on controls and vulnerabilities prevents organizations from combating the most critical element in risk management: the threats. This unbalanced condition is manifested as incident response processes rather than threat intelligence management in the analyst realm, adherence to predefined standards and policies in security architecture and engineering practices, and compliance verification in the operational domain.
A functionally integrated cyber security organization is structured to place threats at the forefront of strategic, tactical and operational practices. Architects, engineers and analysts adhere to a common methodology that incorporates threat analysis and threat intelligence across systems development and operational processes. This ensures security controls are implemented, evaluated and adjusted over time per the most impactful threats and attack vectors. The resultant risk management practices are enhanced due to a higher fidelity of information regarding current state security postures. This drives improved resource allocation and spending, and produces an agile and resilient cyber security practice. When this threat-driven approach is implemented along with tailored compliance processes, organizations can produce information systems that are both compliant and more secure.
2015 Energy Industry Cybersecurity Report
Strategic Cybersecurity: A Toolkit for Prioritizing, Coordinating, and Transforming Your Cybersecurity Program