The Only Constant is Change. Can You Keep Up? — RockCyber


Last week we wrapped up the first COSO ERM component, Governance and Culture. As a quick review, the COSO ERM framework has five components:

  1. Governance and culture

  2. Strategy and objective-setting

  3. Performance

  4. Review and revision

  5. Information, communication and reporting

This week we move on to the second component, Strategy and Objective-Setting.

Strategy and objective-setting work together within your risk management program. Organizational risk tolerance is defined and aligned with the strategy, and the business objectives reflect both the risk tolerance and the strategy. Together they form the basis for identifying, assessing and treating risk.

Aligning your cybersecurity risk management program in the same way lets you tie your cyber risk tolerance to the organization's overall risk tolerance. That makes it easier for enterprise risk management to evaluate cyber risk in the context of the other risks the organization faces. The four COSO principles under strategy and objective-setting are:

  1. Analyzes business context

  2. Defines risk appetite

  3. Evaluates alternative strategies

  4. Formulates business objectives

Let's dive right in with the first principle, Analyzes business context.

Things are changing. Constantly. Technology evolves. Internal and external factors change (COVID-19, anyone?). A substitute product or service can enter the market at lower cost and be offered to your customers for less money, forcing your organization to pivot and change its strategy quickly.

In short, strategies change. Enterprise risk management in general, and cyber risk management in particular, must keep pace. As the strategy and business objectives change, so must the IT applications, networks, systems, data and other assets needed to support the current and future objectives.

Is your organization in crunch mode, where the main goal is to survive a market downturn, or is it in a high-growth phase during a booming economy?

The business objectives that carry out those strategies may require new technologies and information, and those will very likely introduce new vulnerabilities. Combine that with the ever-changing cyber threat landscape and your organization is introducing new and changing cyber risks.

Staying ahead of, or at least alongside, changing business objectives is much easier said than done. You may have heard the terms "shift left" or "secure by design", where the goal is to engage security early and often in the software or systems life cycle. Doing so reduces cost, because a security problem caught at the beginning of the life cycle is far cheaper to fix than one found in production.

Since shifting left sounds like such a no-brainer (oh, but it is not), let's look at five key activities you can take to start applying these concepts in your organization.

  1. Work with project managers to ensure that a cybersecurity representative is engaged at the start of every project.

    a. A cybersecurity champions program lets you scale to meet this demand.

    b. Early engagement gets specific security requirements and controls defined at the beginning of development, where they reduce risk most effectively.

    c. Include testing that validates those cybersecurity requirements at defined phases of development.

  2. Awareness.

    a. Create an awareness campaign, or even specialized training, for developers and system administrators covering the common types of threats and vulnerabilities affecting the software and systems they build.

    b. One idea is to host a lunch-and-learn series on the Open Web Application Security Project (OWASP) Top 10 for developers, or on the NIST Cybersecurity Framework, which is aimed more at system administrators.

  3. Automation.

    a. The more security validation you can automate, the better.

    b. Try to give the developer or system administrator real-time feedback with as much enriching context as possible: which asset is affected, how exposed it is, what data it handles and whether the change under review introduced the issue. A dump from your vulnerability or code scanner is just that... a dump.

  4. Shifting left also helps you deal with privacy problems early.

    a. Privacy has become increasingly important in the past few years, with legislators adopting rules such as the European Union's GDPR and the California Consumer Privacy Act.

  5. Continuous improvement.

    a. Inventory the applications and systems your organization has developed and prioritize them by risk, because you will need to go back and re-evaluate them.

    b. Keep in mind that a security posture is only good until the next code or system update.
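To make items 3 and 5 concrete, here is an added example that is not part of the original post. It takes a raw scanner "dump" and turns it into prioritized, context-rich feedback by joining each finding with the application's place in a risk-ranked inventory (internet exposure, data classification, owner) and with the set of files touched by the change under review. All inventory entries, findings, file names and scoring weights below are constructed for illustration; the scoring scheme is a hypothetical one, not a published standard.

```python
"""Enrich raw scanner findings with business context and prioritize them.

Added illustration for the post's "Automation" and "Continuous improvement"
items. Every data structure below is constructed sample data, and the
scoring weights are a hypothetical, easily tuned scheme.
"""

# Constructed application inventory, ranked by risk context (item 5).
INVENTORY = {
    "payments-api": {"internet_facing": True, "data": "PCI", "owner": "team-pay"},
    "intranet-wiki": {"internet_facing": False, "data": "internal", "owner": "team-it"},
}

# Constructed raw findings, shaped like a typical code-scanner dump (item 3).
RAW_FINDINGS = [
    {"app": "payments-api", "rule": "sql-injection", "severity": "high",
     "file": "src/orders.py", "line": 42},
    {"app": "intranet-wiki", "rule": "sql-injection", "severity": "high",
     "file": "wiki/search.py", "line": 10},
    {"app": "payments-api", "rule": "hardcoded-secret", "severity": "medium",
     "file": "src/config.py", "line": 7},
    {"app": "intranet-wiki", "rule": "missing-csp", "severity": "low",
     "file": "wiki/app.py", "line": 1},
]

# Constructed: files modified by the pull request being reviewed.
CHANGED_FILES = {"src/orders.py", "wiki/app.py"}

# Hypothetical weights: scanner severity, exposure and data sensitivity.
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}
DATA_SCORE = {"PCI": 3, "PII": 3, "internal": 1, "public": 0}
EXPOSURE_BONUS = 2


def score_finding(finding, inventory):
    """Combine scanner severity with the affected asset's business context."""
    ctx = inventory[finding["app"]]
    score = SEVERITY_SCORE[finding["severity"]]
    score += EXPOSURE_BONUS if ctx["internet_facing"] else 0
    score += DATA_SCORE[ctx["data"]]
    return score


def enrich(findings, inventory, changed_files):
    """Attach context to each finding and order them for a developer.

    Findings introduced by the change under review come first (they are the
    developer's own work and cheapest to fix now), then by descending score.
    """
    rows = []
    for f in findings:
        ctx = inventory[f["app"]]
        rows.append({
            **f,
            "score": score_finding(f, inventory),
            "introduced_here": f["file"] in changed_files,
            "owner": ctx["owner"],
            "internet_facing": ctx["internet_facing"],
            "data": ctx["data"],
        })
    rows.sort(key=lambda r: (not r["introduced_here"], -r["score"]))
    return rows


def should_block(enriched, threshold):
    """Gate the change: block only on issues it introduced at/above threshold.

    Pre-existing findings are reported but do not fail the developer's build;
    they go to the backlog of the owning team instead.
    """
    return any(r["introduced_here"] and r["score"] >= threshold for r in enriched)


def rank_inventory(findings, inventory):
    """Rank applications by total contextual risk for re-evaluation (item 5)."""
    totals = {app: 0 for app in inventory}
    for f in findings:
        totals[f["app"]] += score_finding(f, inventory)
    return sorted(totals.items(), key=lambda kv: -kv[1])


def format_feedback(row):
    """One human-readable line per finding, with the context a dump lacks."""
    where = "introduced by this change" if row["introduced_here"] else "pre-existing"
    exposure = "internet-facing" if row["internet_facing"] else "internal"
    return (f"{row['file']}:{row['line']} [{row['rule']}] score={row['score']} "
            f"({where}; {row['app']} is {exposure}, handles {row['data']}, "
            f"owner {row['owner']})")


if __name__ == "__main__":
    enriched = enrich(RAW_FINDINGS, INVENTORY, CHANGED_FILES)
    for row in enriched:
        print(format_feedback(row))
    print("block merge:", should_block(enriched, threshold=6))
    print("re-evaluate first:", rank_inventory(RAW_FINDINGS, INVENTORY))
```

The point of the design is the sort order and the gate: the developer sees the SQL injection they just introduced into an internet-facing PCI service at the top, with enough context to understand why it matters, while the older finding in the internal wiki is routed to its owner rather than failing this build. Swap the constructed inventory for your CMDB or asset register and the constructed findings for your scanner's actual output format.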

Next week we will move on to the second principle under the COSO Strategy and Objective-Setting component, Defines risk appetite. I get many questions about this one.

As always, I'd love your comments, and if you want to have a direct conversation, please shoot me a message and we will set something up. Have a great week.
