  • MODELLING - elementary modelling through to sophisticated statistical analysis.

By modelling I mean building an analytical tool that will help you take a more structured approach to dealing with your threats, vulnerabilities, controls and risks.


THREATS: I can show you how to build a threat model that will give you a structured way to identify a wide range of possible security threats, rate each one according to its potential to cause harm within your technical environment, and determine which threats are the ones that warrant particular attention. 

A threat model gives you a way to get your technical subject matter experts working together to agree which are your top threats. You get a consistent, comprehensive and structured view of all your significant threats. You get a rating scheme that is transparent, so everyone can agree what it is that makes some threats more important for you than others. And you get results that you can use to structure and orient your other risk management activities. As your threat environment changes, which it will do all the time, it is simple to update your model; that automatically refreshes your list of top threats so you can stay focussed on the ones that matter the most.

BUSINESS RISKS: I can show you how to build a business risk model that will give you a methodical way to expose the pathways by which security breaches impact your business operations and cause your business harm.

Do you ever feel there is a disconnect between what your security function is doing and what your business leaders want? A business risk model lets you map security breaches to business operations, and business operations to harm, in a way that connects those two ends. It exposes each pathway and gives you a rating scheme so you can see the significance of each pathway for your business systems and operations. That lets you identify which security breaches have the potential, or are most likely, to cause your business the most harm, and you can use that for setting the security function's protection priorities. It also makes it easier for business leaders to see what they get in return for the support they give to the security team.


RISK POSTURE: I can build you a simple risk posture model that will give you the ability to assess the technical and non-technical controls protecting your business-critical systems and develop a dashboard view of your risk posture.

Compliance results are fine, but on their own they don't motivate. Show what the numbers mean by comparing each system's risk posture with your business's stated risk appetite. The controls used in your risk posture model can be whichever you need them to be: for example, your internal security policies and standards, a recognised external standard (such as ISO/IEC 27001 or the CSA's CCM), or the technical and non-technical internal controls you rely on for GDPR. The dashboard presentation ensures everyone concerned can see immediately whether a system's risk posture is acceptable. Just how worried should you be about that system's compliance shortfall? How imperfect can compliance be and still be good enough? Are the systems that have fallen outside the green zone just a little way out of line, or a reason to get seriously worried? You can devise action plans and show the effect each plan would have on the system's risk posture, so you can choose the plan that brings the system into acceptable compliance most cost-effectively. Multiple systems can be shown on the same display to give senior stakeholders the risk posture for their business line or division, and to ensure top management attention is directed to where it is most needed.

HOW YOU MIGHT USE SUCH MODELS - A few suggestions:

  • Brian Krebs said recently "The barriers to entry have never been lower, and the low-hanging fruit has never been more abundant.  It's no wonder that cyber crime is such a fast-growing industry." Make sure you are not part of the low-hanging fruit by getting the basics right. Take a structured approach that focuses on the basics and provides transparency and drill-down.
  • If you have inherited a long-in-the-tooth internal security baseline or set of standards and don't know what they are worth, map those controls against the threats that worry you today so you can update them to make them more contemporary and relevant. Show where current security arrangements lack depth or breadth.  Expose how well or how poorly security protection is currently being provided and uncover security gaps that have lain hidden for ages.
  • An expert's opinion about where your security problems lie is an informed guess but it is nonetheless still a guess. As any expert in the art should agree, we have difficulty getting within even orders of magnitude on many of our risk guesses. A threat model and business risk model, especially if used together, can give you a meaningful and transparent view of where your security attention really ought to be focussed.  They are tailored to your technology estate and business model so they provide results that are particular to you rather than generic.
  • Long gone are the days when cyber attacks were just an annoying daily nuisance perpetrated by skilled but wayward individuals.  Nowadays, cyber skirmishes are an accepted part of the way international tensions are played out. Any company of any significance has to expect it will, at some stage, become a collateral victim in someone else’s cyber skirmishes.  Doing everything to defend against every conceivable attack is just not practicable. The best way to defend yourself in this challenging environment is to identify your top half a dozen or so threats, map your essential controls against those threats, and make sure you have the core strength and depth to be properly protected.

If you would like to take a more structured approach to the way you deal with threats and controls within your company, then please get in touch using the contact details at the top of this page.

© Copyright 2018 JLIS Ltd - All Rights Reserved