Executive Cyber Education: Mission-Oriented Risk Management & Defense Strategy
In our increasingly interconnected world, where access to timely and relevant information can significantly enhance decision-making, managing cyber risks becomes a critical business discipline. A Chief Information Security Officer (CISO) must transition from a purely technological role to a leadership position focused on enabling the business. This shift is essential to transforming the cybersecurity team into a valuable asset for the organization.
Safeguarding the Mission Objectives
The CISO and their team must ensure that systems and solutions can operate effectively in today’s challenging cyber environment by minimizing risks to the organization’s mission objectives. Mission-based risk management, or mission-based cybersecurity, centers on this principle. Key focus areas include:
- Continuously identifying the business’s evolving needs.
- Understanding and prioritizing what the business values, rather than what cybersecurity deems important.
- Concentrating on the top three threats to business objectives, rather than attempting to protect against everything.
- Transitioning from a technology-centric to a business-centric or people-centric approach.
The Role of Security Tools in Achieving Great Results
Possessing advanced cybersecurity tools does not automatically equate to a strong cybersecurity program. A CISO with a business-driven approach will assess whether their management team truly understands the organization’s needs and customers. This includes identifying the critical systems that support the organization’s mission, vision, and services to customers and stakeholders.
To achieve this, the CISO and their management team must:
- Define “mission-based risk management” with clear financial and non-financial goals, timelines, and acceptable risk levels.
- Align the entire organization’s plans and activities toward mission-based risk management.
- Stay vigilant to changes, such as new technologies, that might require strategic adjustments.
Mission-Based Risk Management and Cybersecurity Program
Mission-based risk management involves analyzing the organization’s mission, potential cyber threats, and the IT systems that support the mission to address four key questions:
- What would be the impact on the organization’s mission objectives if a threat occurred?
- How much effort would it take for a threat actor to carry out a given threat?
- What mitigation steps are necessary to protect high-impact systems and prevent attacks?
- What are the associated costs of these mitigation measures?
When addressing critical infrastructure or operational technology (OT) systems, the CISO must consider their close connection to the mission, tailoring mitigation actions to minimize mission impact.
Defense Strategy
Given the vast number of known vulnerabilities (over 186,000 in the Common Vulnerabilities and Exposures (CVE) database) and documented attack patterns (555 in the Common Attack Pattern Enumeration and Classification (CAPEC) list), how can you protect mission-critical systems?
One effective approach is to focus on the effects of incidents rather than trying to address every vulnerability. According to Musman & Turner (2018), the DIMFUI taxonomy allows the defender to concentrate on the consequences of incidents instead of their causes. Each vulnerability, when exploited, leads to one or more of six possible outcomes, each with an effect on the process and an effect on the information it handles:
| Attack Category | Effect on Process | Effect on Information |
| --- | --- | --- |
| Degradation | Process speed is slowed | Information delivery rate or quality is decreased |
| Interruption | Process is unavailable until recovery | Information is unavailable for a period |
| Modification | Process characteristics altered, affecting output | Altered information may cause processes to fail |
| Fabrication | False mission inserted, interfering with real missions | False information entered into the system |
| Unauthorized Use | Potential for unexpected process outcomes | Potential for unexpected information effects |
| Interception | Process captured by attacker | Information captured by an attacker |
Conclusion
By focusing on mission-critical systems and addressing the potential outcomes of cyber-attacks, a CISO can implement a mission-based risk management program that adds organizational value while remaining financially prudent and effective.