Virtual Event Now Live: Cloud Security Summit | July 17 - Access Livestream
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

A Change in Mindset: From a Threat-based to Risk-based Approach to Security

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Bad actors find themselves at a constant advantage. They can determine when, where, and how they will attack an enterprise, using time and patience to pick the moment they want to strike.

As cybersecurity professionals, we constantly find ourselves fighting an uphill battle. The growth of cloud computing, remote employees, and Software-as-a-Service applications continues to expand the attack surface, providing bad actors with increasing opportunities. Malicious hackers have the advantage of surprise that will only grow as networks become more complex.

The threat landscape continues to expand, and security teams must change their approach from a threat-based to a risk-based mindset. This is a substantial change in how to approach security, moving away from a structure based on compliance and regulations to one that looks to reduce overall risk.

As technology leaders pivot to ask themselves, “what’s the worst thing that could happen,” the answers to that question can help guide a risk-based approach as it highlights the worst-case scenario and what it would take to recover.

Change is Happening

The shift to a risk-based methodology is already happening in many large organizations. Threat-based methods often focused on a checklist of tasks to meet unique industry requirements but overlooked the key component of security: reducing risk.

As any security professional will say, compliance itself does not equate to security. It provides an organization with benchmarks and goals and reduces culpability during a breach, but often leaves security as an afterthought.

A risk-based approach to security takes a holistic view of a company to evaluate where its critical assets are and systematically identifies and prioritizes the threats facing the organization. Instead of looking at individual security controls in isolation, the risk-based mindset gives you a clearer picture of where and how likely, you are to be breached.

Advertisement. Scroll to continue reading.

A threat-based approach looks to mitigate active and prospective threats. This could be a hacker or a piece of malware that has entered your system. Once inside, these bad actors can cause damage, and threat mitigation strategies look to identify them quickly and take decisive action.

In the current threat-based system, business processes and security needs often work in siloed environments. A risk-based approach allows technology leaders to prioritize assets, allocate resources, and create a systematic approach to mitigate high-risk areas. Technology and business leaders should work together to determine how security aligns with needed business goals.


Best Practices for Risk-Based Methods

Organizations looking to move to a more risk-based structure must consider many factors. A risk-based methodology includes performing an organization risk assessment, identifying and implementing needed controls, and more.

Let’s look at some key best practices for technology leaders:

  • Define and prioritize all assets critical to the business. Technology leaders must take stock of all their technology assets, including those on the Internet. Creating a list of assets and determining the value of each – and the inherent risks associated – provides a crucial first step.
  • Implement robust policies for defining which users and systems need access to critical assets. Organizations will focus more on user identity and access with a risk-based approach. Leverage technologies and tools that create strong authentication profiles that limit user movement.
  • Implement a zero-exception enforcement policy. Institute access controls and stick to them, even though it may prove difficult. This is critical and aligns with current popular security methods like Zero Trust.
  • Ensure that unauthorized access attempts are logged. Keeping and analyzing this information can help you understand where attack attempts come from. This also helps your organization to potentially strengthen security protocols around popular targets.
  • Conduct regular attack and user error simulations. An emergency is not the best time to learn. Conducting simulations provides invaluable experience for team members who get accustomed to stressful situations and prepares them for how to act quickly in case of an emergency.

Keep an Open Mindset

This move to a risk-based methodology is not unexpected in many ways. Technology enterprises continue to shift rapidly based on the cloud and the influx of remote workers, stretching networks in new ways. By changing mindsets, you can take a longer-term view of the threat landscape, and adjust your approach to follow larger patterns.

As security leaders, we can never sit comfortably in our protection duties. Bad actors are continually changing, and we must too. Technology leaders cannot be afraid to move away from older ideas for newer methodologies and ways of thinking.

Organizations today have a growing enterprise of technology assets that need protection. Leverage a risk-based approach and focus on tools that provide visibility, automation, and true insight into your enterprise’s operations. Look to authentication tools that improve identity and keep your team strong with regular training and simulations.

The technology world continues to change. Make sure you change with it.

Written By

Marie Hattar is chief marketing officer (CMO) at Keysight Technologies. She has more than 20 years of marketing leadership experience spanning the security, routing, switching, telecom and mobility markets. Before becoming Keysight’s CMO, Marie was CMO at Ixia and at Check Point Software Technologies. Prior to that, she was Vice President at Cisco where she led the company’s enterprise networking and security portfolio and helped drive the company’s leadership in networking. Marie also worked at Nortel Networks, Alteon WebSystems, and Shasta Networks in senior marketing and CTO positions. Marie received a master’s degree in Business Administration in Marketing from York University and a Bachelor’s degree in Electrical Engineering from the University of Toronto.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

CISA has appointed Jeff Greene as Executive Assistant Director for Cybersecurity and Trent Frazier as Assistant Director for Stakeholder Engagement.

Anirban Sengupta has been named the CTO and SVP of Engineering of cloud networking and security firm Aviatrix.

Axonius has named Nick Degnan as its first Chief Revenue Officer and Rob Casselman as its first Chief Customer Officer.

More People On The Move

Expert Insights