In 2020, increased digital innovation is going to expand the threat landscape drastically, with the acceleration of technologies such as 5G, cloud and Internet of Things (IoT). This will lead to increased data creation, sharing and storage at a pace that is difficult for security teams to keep up with. Identifying and protecting against current and emerging cyber security threats is now harder than ever before.
Threat profiling is a way to help combat this and a necessary activity for CISOs who want to understand the threats their organisation faces. However, many struggle to identify and prioritise threats within the resources, time and budget available. So, what needs to be considered?
On a basic level, CISOs must understand the types of threat that exist, whether they are accidental, adversarial or environmental (or all three). Once each threat has been identified, there must be an understanding of the impact of that threat on the organisation and the information within it. This then allows the CISO to prioritise threats and allocate budget and resources accordingly.
While this all might sound straightforward, it’s not, and it doesn’t end here. Why? All organisations differ in profile – based on their size, maturity and sector – which influences which threats are most likely to affect them and how they respond. For instance, a large financial institution will be a high-profile target for criminals trying to gain access to financial records and bank accounts. A retail organisation will not be attacked in the same way, and it may not have the resources that a large financial institution has to defend itself from these threats.
On top of this, threat profiles are also going to change based on the partners that organisations work with and the technologies they use.
The increasing use of third parties and their associated risks should be a key factor for CISOs when determining their organisation’s threat profile. Whether they have thousands of partners or 20, organisations must understand which of them have access to critical information assets, and which are vital to the daily operations of the business. Once this is understood, they will be able to prioritise the partners which pose the most risk to the business and put the necessary steps in place to mitigate those risks.
It is the same with technologies. With so many technologies and digital innovations that we have come to rely on, organisations place trust in systems that are constantly exposed to data loss, system weaknesses, attack or project failure. Again, it is important as part of threat profiling that the systems critical to the running of the business are identified and prioritised, along with those which store and process personal information.
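The three factors above (threat type and impact, partners with access to critical assets, and the criticality and personal-data content of systems) can be combined into a single ranked threat profile. The following is an added worked example, not code from the article or CRMG’s method: it assigns each asset a weight from its business criticality, whether it holds personal data and how many third parties can reach it, scores each threat as likelihood x impact x asset weight, and gives adversarial threats against a high-profile organisation (the article’s financial-institution case) an extra multiplier. Every weight, multiplier, organisation, asset, threat and partner in the block is a constructed assumption chosen to make the ranking visible.

```python
# Added worked example (not from the original article or CRMG): a small
# threat-profile prioritiser built from the factors the article lists.
# All weights, multipliers and sample data below are constructed assumptions.
from dataclasses import dataclass
from enum import Enum


class ThreatType(Enum):
    ACCIDENTAL = "accidental"
    ADVERSARIAL = "adversarial"
    ENVIRONMENTAL = "environmental"


@dataclass(frozen=True)
class OrgProfile:
    name: str
    high_profile: bool  # sectors that attract criminals, e.g. large financial firms


@dataclass(frozen=True)
class Asset:
    name: str
    business_critical: bool         # vital to daily operations
    holds_personal_data: bool       # stores or processes personal information
    third_parties_with_access: int  # partners that can reach this asset


@dataclass(frozen=True)
class Threat:
    name: str
    kind: ThreatType
    asset: str       # name of the Asset it threatens
    likelihood: int  # 1 (rare) .. 5 (expected)
    impact: int      # 1 (negligible) .. 5 (severe)


@dataclass(frozen=True)
class Partner:
    name: str
    accesses: frozenset  # asset names the partner can reach
    vital_to_operations: bool


def asset_weight(asset: Asset) -> float:
    """Assumed weighting: critical systems and personal data raise the stakes,
    and each partner with access adds exposure (capped at four partners)."""
    weight = 1.0
    if asset.business_critical:
        weight += 1.0
    if asset.holds_personal_data:
        weight += 0.5
    weight += 0.25 * min(asset.third_parties_with_access, 4)
    return weight


def threat_score(threat: Threat, assets: dict, org: OrgProfile) -> float:
    """likelihood x impact, scaled by the asset weight; adversarial threats
    against a high-profile organisation get an assumed 1.5x multiplier."""
    score = threat.likelihood * threat.impact * asset_weight(assets[threat.asset])
    if org.high_profile and threat.kind is ThreatType.ADVERSARIAL:
        score *= 1.5
    return score


def prioritise_threats(threats, assets, org):
    """Return (threat name, score) pairs, highest score first."""
    ranked = [(t.name, threat_score(t, assets, org)) for t in threats]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


def prioritise_partners(partners, assets):
    """Rank partners by the weight of the assets they can reach, plus an
    assumed bonus of 2.0 for partners the business cannot operate without."""
    ranked = []
    for p in partners:
        exposure = sum(asset_weight(assets[a]) for a in p.accesses)
        if p.vital_to_operations:
            exposure += 2.0
        ranked.append((p.name, exposure))
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample data for a fictional high-profile financial firm.
ORG = OrgProfile("ExampleBank", high_profile=True)
ASSETS = {a.name: a for a in [
    Asset("payments ledger", True, True, 2),
    Asset("customer CRM", False, True, 1),
    Asset("staff intranet", False, False, 0),
]}
THREATS = [
    Threat("ransomware on payments ledger", ThreatType.ADVERSARIAL, "payments ledger", 3, 5),
    Threat("misconfigured storage exposes CRM", ThreatType.ACCIDENTAL, "customer CRM", 4, 4),
    Threat("flooding of primary datacentre", ThreatType.ENVIRONMENTAL, "payments ledger", 1, 5),
    Threat("phishing of intranet accounts", ThreatType.ADVERSARIAL, "staff intranet", 4, 2),
]
PARTNERS = [
    Partner("PayCo", frozenset({"payments ledger"}), True),
    Partner("CRM SaaS vendor", frozenset({"customer CRM"}), False),
    Partner("cleaning contractor", frozenset(), False),
]

if __name__ == "__main__":
    for name, score in prioritise_threats(THREATS, ASSETS, ORG):
        print(f"{score:6.1f}  {name}")
    for name, exposure in prioritise_partners(PARTNERS, ASSETS):
        print(f"{exposure:6.2f}  {name}")
```

With the constructed data, the accidental storage misconfiguration outranks the environmental datacentre flood and the high-likelihood phishing of a low-value system, because the asset weights and the organisation profile change the order that likelihood alone would give. The numbers matter less than the shape: the same register, re-scored for a retailer with `high_profile=False`, produces a different profile from the same threat list, which is the article’s point about organisations differing.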
You can see from the above that the array of potential threats is vast. Threat profiling is a technique that gives CISOs the best chance of reducing the likelihood of an attack or incident that could damage their organisation’s reputation or business performance.
Considering all of the above, where should a CISO start when defining their threat profile?
Todd Wade, Principal Consultant at CRMG, said: ‘Meeting with senior executives to find out where their priorities lie and what keeps them up at night is a must. The biggest concern of the company is a key component to compiling a threat profile.’
Building a business-orientated threat profile that focuses on what is important to the business and its goals enables threats to be prioritised according to what is critical to the business.
Andrew Wilson, Principal Consultant at CRMG, added: ‘You must also take a look at your suppliers and what contracts you have in place. It’s important to see who an organisation partners with, what you’re liable for and what risk they pose.’
Focus on what’s important
Developing a unique, detailed threat profile provides organisations with a clear illustration of the threats they face and enables them to implement proactive threat management that focuses on reducing the likelihood or impact of an attack. CISOs must understand there are many layers of threats, and factors such as technology, partners, and company profile have to be considered when developing a threat profile.
Overall, don’t try and solve everything straight away – focus energy on what really matters, and the threats that could do the most harm to the organisation’s critical assets and reputation.
To find out more about threat profiling, listen to our podcast on ‘A Pragmatic Approach to Defining your Threat Profile’ here.