Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

A Change in Mindset: From a Threat-based to Risk-based Approach to Security

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Bad actors find themselves at a constant advantage. They can determine when, where, and how they will attack an enterprise, using time and patience to pick the moment they want to strike.

As cybersecurity professionals, we constantly find ourselves fighting an uphill battle. The growth of cloud computing, remote employees, and Software-as-a-Service applications continues to expand the attack surface, providing bad actors with increasing opportunities. Malicious hackers have the advantage of surprise that will only grow as networks become more complex.

The threat landscape continues to expand, and security teams must change their approach from a threat-based to a risk-based mindset. This is a substantial change in how to approach security, moving away from a structure based on compliance and regulations to one that looks to reduce overall risk.

As technology leaders pivot to ask themselves, “what’s the worst thing that could happen,” the answers to that question can help guide a risk-based approach as it highlights the worst-case scenario and what it would take to recover.

Change is Happening

The shift to a risk-based methodology is already happening in many large organizations. Threat-based methods often focused on a checklist of tasks to meet unique industry requirements but overlooked the key component of security: reducing risk.

As any security professional will say, compliance itself does not equate to security. It provides an organization with benchmarks and goals and reduces culpability during a breach, but often leaves security as an afterthought.

A risk-based approach to security takes a holistic view of a company to evaluate where its critical assets are and systematically identifies and prioritizes the threats facing the organization. Instead of looking at individual security controls in isolation, the risk-based mindset gives you a clearer picture of where and how likely, you are to be breached.

Advertisement. Scroll to continue reading.

A threat-based approach looks to mitigate active and prospective threats. This could be a hacker or a piece of malware that has entered your system. Once inside, these bad actors can cause damage, and threat mitigation strategies look to identify them quickly and take decisive action.

In the current threat-based system, business processes and security needs often work in siloed environments. A risk-based approach allows technology leaders to prioritize assets, allocate resources, and create a systematic approach to mitigate high-risk areas. Technology and business leaders should work together to determine how security aligns with needed business goals.


Best Practices for Risk-Based Methods

Organizations looking to move to a more risk-based structure must consider many factors. A risk-based methodology includes performing an organization risk assessment, identifying and implementing needed controls, and more.

Let’s look at some key best practices for technology leaders:

  • Define and prioritize all assets critical to the business. Technology leaders must take stock of all their technology assets, including those on the Internet. Creating a list of assets and determining the value of each – and the inherent risks associated – provides a crucial first step.
  • Implement robust policies for defining which users and systems need access to critical assets. Organizations will focus more on user identity and access with a risk-based approach. Leverage technologies and tools that create strong authentication profiles that limit user movement.
  • Implement a zero-exception enforcement policy. Institute access controls and stick to them, even though it may prove difficult. This is critical and aligns with current popular security methods like Zero Trust.
  • Ensure that unauthorized access attempts are logged. Keeping and analyzing this information can help you understand where attack attempts come from. This also helps your organization to potentially strengthen security protocols around popular targets.
  • Conduct regular attack and user error simulations. An emergency is not the best time to learn. Conducting simulations provides invaluable experience for team members who get accustomed to stressful situations and prepares them for how to act quickly in case of an emergency.

Keep an Open Mindset

This move to a risk-based methodology is not unexpected in many ways. Technology enterprises continue to shift rapidly based on the cloud and the influx of remote workers, stretching networks in new ways. By changing mindsets, you can take a longer-term view of the threat landscape, and adjust your approach to follow larger patterns.

As security leaders, we can never sit comfortably in our protection duties. Bad actors are continually changing, and we must too. Technology leaders cannot be afraid to move away from older ideas for newer methodologies and ways of thinking.

Organizations today have a growing enterprise of technology assets that need protection. Leverage a risk-based approach and focus on tools that provide visibility, automation, and true insight into your enterprise’s operations. Look to authentication tools that improve identity and keep your team strong with regular training and simulations.

The technology world continues to change. Make sure you change with it.

Written By

Marie Hattar is chief marketing officer (CMO) at Keysight Technologies. She has more than 20 years of marketing leadership experience spanning the security, routing, switching, telecom and mobility markets. Before becoming Keysight’s CMO, Marie was CMO at Ixia and at Check Point Software Technologies. Prior to that, she was Vice President at Cisco where she led the company’s enterprise networking and security portfolio and helped drive the company’s leadership in networking. Marie also worked at Nortel Networks, Alteon WebSystems, and Shasta Networks in senior marketing and CTO positions. Marie received a master’s degree in Business Administration in Marketing from York University and a Bachelor’s degree in Electrical Engineering from the University of Toronto.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...