At Wednesday's sessions of InfoSec World, eSentire vice president of cyber risk advisory and solutions architecture Tia Hopkins argued that the key to risk-based security models was keeping the end goal in mind.
"It's kind of like when we go to plan a trip, and we want to go to the beach in Miami. But we start to look at flights and rental cars and hotels, and by the time we're done, we're going skiing in Colorado because we got wrapped around the axle of the details," she said.
Risk-based approaches to cybersecurity offer some distinct advantages over compliance models (check-marking minimum standards) or maturity models (improving the security stack on all fronts simultaneously). By focusing on the most important risks, whether they are specific vulnerabilities on the network or specific activities of likely attackers, organizations can better manage their use of resources. It's cheaper, faster and more agile to focus on the most significant problems than to focus on everything.
But risk modeling places a lot of emphasis on getting the framing right. It's easy to think your way into a knot, said Hopkins.
"I've seen all too often that teams get wrapped around the axle in terms of process or technology or feature functionality. And they end up somewhere entirely different from where they initially intended," she said.
The solution is to begin with the end in mind, said Hopkins. The goal should be articulable as a simple, easy-to-communicate metric — for example, the dollar value of risk reduction over time or against cost. Simple framing isn't just useful for communicating goals and progress to executives whose eyes glaze over at technical detail. It also prevents hyperfocus on minutiae from taking over projects.
"Quantifying cyber risk should not require a degree in mathematics," she said. "It really shouldn't."