- Adaptive Enterprise
In a previous blog on cybersecurity, I wrote about the essential steps to keep your organization safe in an increasingly dangerous digital environment:
In this blog, I’d like to zoom in on which instruments to use to help you achieve cybersecurity -- in particular for Steps 3 and 4.
It won’t surprise you that we advocate a model-based approach to analyzing and mitigating cyber risks. Clear, formalized descriptions of your enterprise will help you gain the understanding necessary to provide optimal security solutions. Of course, absolute security cannot be achieved; rather, you should focus on where you need to invest from the perspective of 1) the value of the assets you want to protect and 2) the vulnerabilities associated with these assets.
Our approach to enterprise risk and security management is based on several open standards, most notably the ArchiMate standard for enterprise architecture modeling, as well as the Open FAIR standard for information risk management. More details are described in The Open Group’s white paper on modeling enterprise risk management and security.
The figure above shows the main steps of our approach, which are built into BiZZdesign Enterprise Studio’s Governance, Risk & Compliance functionality. At the bottom of this figure, you’ll see the assets you want to protect from cyber risks, while at the top we see the policies, principles and objectives that direct the organization. In between are the steps that connect these; on the left side (in red), you’ll see the analysis of cyber risk in your organization, and on the right side (in green) you’ll see the implementation of controls to improve your security. These are the steps of risk and security management:
Calculate risk. Based on potential threats and the value of your assets, you can assess the risks your enterprise actually faces. In a simple formula, risk = value x probability, the higher the risk, the more you will want to invest in mitigating against it. The figure below shows an example of such an analysis, gradually built up in these first four steps.
The lower, yellow part of the model shows the business process and the asset to be protected (‘Customer information’). The upper part shows, from left to right:
The traffic lights show various parameters, such as the asset value, vulnerability level and the resulting risk level. All these are interconnected and our risk analysis algorithm calculates the results, e.g. increasing the risk level if you increase the asset value or threat capability.
5. Create policies. To deal proactively with potential cyber risks, you should define appropriate security policies and principles that are in line with your business strategy and also follow applicable regulations. This may, for example, include principles such as security-by-design, separation of duties, restricted access to personal data and other common policies. Regulatory frameworks like the GDPR require solid data protection policies, with hefty fines for non-compliance and even personal liability of responsible management. This, in turn, influences the value of the assets you want to protect. It’s not just their intrinsic value at stake; fines, reputational damage and other side effects should also be taken into account.
6. Define control objectives. Based on the policies you created in the last step, you should now define appropriate control objectives. One standard approach, for example, is to classify the confidentiality, integrity, availability, privacy-sensitivity and other attributes of your data, according to common use cases you have. For example, data on your website will need low confidentiality but high availability, whereas customer data will have much higher privacy and confidentiality requirements, while availability might be less of a concern.
7. Create control measures. These control objectives are then translated into applicable control measures, which tell you what to do to reach these objectives. Relevant standards, such as ISO/IEC 27001, NIST 800-53, CSA and others may help by providing a predefined and well-organized set of control measures. Below, you see a small excerpt from a model of the ISO/IEC 27001 standard, showing one specific control objective and a number of related control measures, expressed in the risk and security overlay of ArchiMate that is defined in the Open Group whitepaper mentioned above.
The strength of these control measures can also be used as input in the risk calculations shown in the previous figure. The stronger your controls, the lower your vulnerabilities, and, therefore, the lower risks you run.
8. Implementation. The final step is to design the implementation of these control measures as part of your own architecture, processes and systems. For example, you’ll need to figure out how you perform user registration (the first measure from the previous figure). The cost of implementing these measures can be compared with the risks you run. Are they really worth it, or are you protecting low-value assets with overly expensive controls?
The analysis shown above is, of course, something to be done by modeling and risk assessment experts, and may look complicated to the uninitiated. The outcomes, however, can be presented in user-friendly heatmaps like the one below.
The heatmap above shows how high capability of threats (e.g. smart hackers) combined with low strength of controls results in a very high vulnerability level. The other two vulnerabilities in this heatmap are probably less urgent.
This analysis helps management prioritize investments in improving security like, in this example, implementing rules on password length or instituting multi-factor authentication. Thus, your organization has room in its budget to invest where it really counts.
Risk management is a continuous, iterative process. The process outlined above should be run regularly to assess new vulnerabilities and threats and to keep your policies, principles and controls updated with your organization’s strategy and applicable regulatory demands. Moreover, the fact that you have such a risk management process is, in itself, demanded by various regulatory frameworks.
Embedding this within your regular architecture and design processes provides you with a security-by-design approach -- a much more effective way to improve your organization’s resilience than simply tacking on some security measures after a cybersecurity event.
There is no guarantee that nothing will ever go wrong. Nevertheless, having such a model-based approach to risk analysis and mitigation will prove to be a great investment in your organization’s cybersecurity, business continuity and resilience where (and when) it really counts.
Interested in learning more? Contact one of our experts for a demonstration!