By modelling I mean building an analytical tool that will help you take a more structured approach to dealing with your threats, vulnerabilities, controls and risks.
THREATS: I can show you how to build a threat model that gives you a structured way to identify a wide range of possible security threats, rate each one according to its potential to cause harm within your technical environment, and determine which threats warrant particular attention.
A threat model gives your technical subject matter experts a way to work together and agree which are your top threats. You get a consistent, comprehensive and structured view of all your significant threats. You get a rating scheme that is transparent, so everyone can agree what makes some threats more important to you than others. And you get results you can use to structure and orient your other risk management activities. As your threat environment changes, which it will do all the time, the model is simple to update; that automatically refreshes your list of top threats so you can stay focussed on the ones that matter most.
BUSINESS RISK: Do you ever feel there is a disconnect between what your security function is doing and what your business leaders want? A business risk model lets you map security breaches to business operations, and business operations to harm, so that you can connect those two ends. It exposes each pathway and gives you a rating scheme, so you can see how significant each pathway is for your business systems and operations. That lets you identify which security breaches are most likely to cause your business harm, and which have the potential to cause the most harm, and use that to set the security function's protection priorities. It also makes it easier for business leaders to see what they get in return for the support they give the security team.
RISK POSTURE: Compliance results are fine, but on their own they don't motivate. Show what the numbers mean by presenting each system's risk posture against your business's stated risk appetites. The controls used in your risk posture model can be whichever you need them to be: your internal security policies and standards, a recognised external standard (such as ISO/IEC 27001 or the CSA's Cloud Controls Matrix, CCM), or your technical and non-technical internal controls relating to GDPR. The dashboard presentation lets everyone concerned see immediately whether a system's risk posture is acceptable. How worried should you be about that system's compliance shortfall? How imperfect can compliance be and still be good enough? Are the systems that have fallen outside the green zone only a little out of line, or a reason for serious concern? You can devise action plans and show the effect each would have on the system's risk posture, so you can choose the plan that brings the system into acceptable compliance most cost-effectively. Multiple systems can be shown on the same display, to give senior stakeholders the risk posture of their business line or division and to direct top management's attention to where it is most needed.
HOW YOU MIGHT USE SUCH MODELS - A few suggestions:
If you would like to take a more structured approach to the way you deal with threats and controls within your company, then please get in touch using the contact details at the top of this page.