However, the development of a risk culture — including appetite, tolerance and profile — within the scope of the management program is essential to provide real visibility into ongoing risks, how they are being perceived and mitigated, and to strengthen the organization’s ability to improve its security posture. Consequently, the company begins to deliver reliable products to customers, secure its reputation and build a secure image to achieve a competitive advantage and brand recognition.
If the company already has a mature risk culture, the implementation of a cybersecurity management project becomes more flexible. Since my goal is to share the mechanics to achieve success in a cybersecurity program, I emphasize below some components of this ‘recipe’ to consider:
- Understand the dynamics and scope of the business, mapping stakeholders, processes and critical systems of the organization, categorizing applications and classifying data to determine the appropriate set of controls (guardrails).
- Understand the choice and application of a framework such as NIST CSF 2.0, linked with ISO 27001, COBIT, CMM, NIST 800-53, SABSA, TOGAF, MITRE ATT&CK, OWASP, among others.
- Start with defining vision, goals, strategies and objectives, considering what the “Govern” section of the NIST CSF defines as GRC strategy. Example: “Expand a threat-driven approach across the organization and a cybersecurity GRC program aligned with business and market compliance standards.” For each goal, objectives must be defined, such as “Improve cyber risk management capabilities, update the structure to NIST CSF and also adopt the use of FAIR.”
- Within the program’s continuous maturity measurement, it is necessary to define indicators by combining KPIs and KRIs. For example, for a critical control: “Patch application: average number of days to remediate a critical/high vulnerability in Internet-facing and critical systems.” This way, the program persuades stakeholders and application owners to resolve security issues, raising program maturity and providing transparency for executives.
- At this stage, it is recommended to conduct an assessment of the threats and common attack methods to which the organization is exposed and vulnerable. In this context, all information should be aggregated to make the process robust, such as defining a list of threats, risks, preventive and detective controls, and business risks (e.g., exposure, reputation, financial loss). Controls can be defined based on the organization’s scenario, with frameworks like PCI-DSS, COBIT, NIST 800-53, CIS, NIST CSF, CRI, CMM and ISO 27001 serving as references.
- This is the critical part of the program: understanding the business-critical assets. Map applications, obtain a big picture with results from gap analyses, risk assessments, pen tests and even the latest audit results to support this phase. As stated earlier, mapping applications and supporting with business impact analysis (BIA) to align with business requirements is essential. Here, governance also plays a role, defining policies, standards and procedures for the cyber management program.
- At this point, it is necessary to incorporate a framework model. Personally, I favor a combination of ISO 27001, NIST CSF, NIST SP 800-30, SP 800-39 and the RMF. In the US financial sector, the Cyber Risk Institute (CRI) also provides excellent material to effectively implement a program. Moreover, as many companies are already in the cloud, CIS Controls and the Cloud Security Alliance (CSA) CCM are other strong contributors. This phase can be defined as the heart of the project, given how sensitive it is. It is where the organization’s risk appetite and tolerance are defined, aligned with business objectives. Therefore, stakeholder engagement is critical at this stage to foster a risk culture that will determine project success. The CISO’s organizational structure in relation to cybersecurity domains—which is essential to the program—must also be present, considering the Identify, Protect, Detect, Respond and Recover steps of the NIST CSF. I also highlight that the first phase, Govern, was addressed earlier, where I pointed out other crucial aspects of the program.
- Another important factor to be developed in parallel with raising risk culture is the continuous information security awareness process. This action should include all employees, especially those involved in incident management and cyber resilience. For this group, I recommend tabletop exercises simulating disaster scenarios such as ransomware, phishing, AI attacks, sensitive data leakage, etc. This helps prepare the organization to be more resilient in times of crisis. I also highlight the importance of training software developers in secure development best practices, since today everything is defined in code (APIs, containers, serverless, etc.), requiring attention to processes such as SAST, DAST, SCA, RASP, threat modeling, pen testing, among others.
- From a technical standpoint, it is important to select and implement appropriate controls from the NIST CSF stages: Identify, Protect, Detect, Respond and Recover. However, the selection of each control for building guardrails will depend on the overall cybersecurity big picture and market best practices. For each identified issue, the corresponding control must be determined, each monitored by the three lines of defense (IT and cybersecurity, risk management and audit).
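As an added example (not from the article) of turning the patch KRI above into something measurable: this Python snippet computes the mean days-to-remediate for critical/high findings on Internet-facing or business-critical systems over constructed sample records, and flags open findings that have already exceeded an assumed 15-day tolerance, so the indicator can be reported against the organization’s stated risk tolerance.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Finding:
    finding_id: str
    severity: str               # "critical", "high", "medium", "low"
    internet_facing: bool
    business_critical: bool
    opened: date
    remediated: Optional[date] = None   # None means the finding is still open


# Constructed sample findings for illustration; not real scan data.
FINDINGS = [
    Finding("F-001", "critical", True, True, date(2024, 3, 1), date(2024, 3, 8)),
    Finding("F-002", "high", True, False, date(2024, 3, 2), date(2024, 3, 20)),
    Finding("F-003", "medium", True, True, date(2024, 3, 3), date(2024, 4, 30)),  # out of scope: medium
    Finding("F-004", "high", False, False, date(2024, 3, 4), date(2024, 3, 6)),   # out of scope: internal, non-critical
    Finding("F-005", "critical", False, True, date(2024, 2, 20), None),           # still open
]

AS_OF = date(2024, 3, 31)   # reporting date (assumed)
TOLERANCE_DAYS = 15         # assumed risk tolerance for this KRI, set by the organization

IN_SCOPE_SEVERITIES = {"critical", "high"}


def in_scope(f: Finding) -> bool:
    """KRI scope from the article: critical/high on Internet-facing or business-critical systems."""
    return f.severity in IN_SCOPE_SEVERITIES and (f.internet_facing or f.business_critical)


def patch_kri(findings, as_of: date, tolerance_days: int) -> dict:
    """Mean days-to-remediate for closed in-scope findings, plus open ones already past tolerance."""
    scoped = [f for f in findings if in_scope(f)]
    closed_days = [(f.remediated - f.opened).days for f in scoped if f.remediated is not None]
    overdue = [f.finding_id for f in scoped
               if f.remediated is None and (as_of - f.opened).days > tolerance_days]
    # None rather than 0 when nothing has closed: no evidence is not the same as zero days.
    avg = mean(closed_days) if closed_days else None
    return {
        "avg_days_to_remediate": avg,
        "closed_count": len(closed_days),
        "open_overdue": overdue,
        "within_tolerance": avg is not None and avg <= tolerance_days and not overdue,
    }


if __name__ == "__main__":
    print(patch_kri(FINDINGS, AS_OF, TOLERANCE_DAYS))
```

The open-but-overdue list matters as much as the average: a good mean computed only over closed findings hides the oldest unpatched critical exposure.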
I can’t detail the full list of appropriate controls for each scenario in this article, but I suggest consulting frameworks such as NIST CSF, AI RMF, CIS Controls, CCM, CRI, PCI-DSS, OWASP and ISO 27001/27002, which specify each type of control. Example: “Threat Intelligence to identify and evaluate new cyber threat scenarios that can help the organization mitigate impacts.”