A well-known mantra in the cybersecurity industry is “compliance does not equal security.” However, despite this pragmatic conviction, many organizations still choose to build their cybersecurity based on compliance requirements alone.
On the surface, this approach provides a direction for a cybersecurity program and checks the right boxes from a risk management perspective. However, as many organizations learned the hard way, managing risk without considering real threats leads to a false sense of security.
This blog explains why you need to take a threat-driven approach to cybersecurity if your organization is serious about threat defense.
Challenges with Compliance-Driven Approaches
Compliance focuses on security concepts, principles, and requirements set by frameworks and regulations. Some compliance requirements are externally mandated, such as PCI DSS and HIPAA, whereas others may be undertaken voluntarily. For example, an organization may choose to build a security program based on the NIST SP 800-53 control framework or achieve a certification against ISO 27001.
Outside heavily regulated industries, organizations most often build cybersecurity programs to minimize the risk of successful cyberattacks and to manage their impact. For this reason, an excessive focus on compliance and checklist requirements misses a critical component of the risk management process: threats. Putting compliance before threat intelligence is the proverbial cart before the horse.
An unbalanced focus on compliance introduces the following issues:
Standards and regulations are often high-level, open to interpretation, and lead to a controls-first mindset. Furthermore, they change slowly, and their requirements do not keep up with a threat landscape that is dynamic and constantly evolving.
Redirecting resources away from combating threats toward implementing and adhering to checklist requirements.
Wasting organizational resources on controls that might provide little to no value from a defense perspective.
A system development lifecycle that lacks formal threat analysis and modeling, often leading to poor security implementation and increased post-implementation security costs.
Adopting a “deploy and forget” mindset that leads to static controls that are not updated and regularly validated against probable threat scenarios.
Combined, the issues highlighted above lead to a false sense of security and wasted organizational resources, and can expose an organization to significant risks.
How Can a Threat-Driven Approach Help?
According to Lockheed Martin, threat-driven cybersecurity comprises the methodologies, practices, and tools that enable functionally integrated cybersecurity operations.
In practical terms, this means that as part of a risk management process, organizations must understand how threat actors organize their capabilities, conduct their operations, and execute their attacks from the initial compromise to data theft and malware deployment. Equipped with this knowledge, organizations can select and deploy the necessary controls at the system, business process, and organizational levels. Without understanding threats, it is challenging to understand risks and deploy controls that mitigate them.
A threat-driven approach is not new and has been used in military operations for centuries. Before conducting an operation, military commanders go through a planning process. The process involves understanding the enemy and the environment in which the enemy operates. This understanding then informs the strategy and tactics the commanders will employ as part of their mission.
Actionable threat intelligence is critical to this process. Nothing is static on the battlefield, and military planners must be able to adapt capabilities and demonstrate flexibility to accommodate a changing threat environment.
The concept of threat-driven cybersecurity is not new to the industry either. Lockheed Martin created the Cyber Kill Chain over a decade ago, and threat modeling is becoming an important part of the SDLC. However, in my experience, many organizations follow the opposite approach and assume a controls-first posture driven by checklist requirements. The argument I often hear is defense-in-depth. However, in my experience, a checklist approach leads to expense-in-depth without clear business outcomes or quantifiable risk reduction.
Effective cybersecurity requires focus and prioritization, especially since most organizations have a limited budget and resources. For this reason, threat intelligence must be at the forefront of the risk management process and provide direction to cybersecurity strategy, architecture, deployment, and operations.
Enabling Threat-Driven Cybersecurity
In my experience, shifting to threat-driven cybersecurity is a journey, not a project, and there are several ways to get started. The following list provides some ideas you can leverage if you are at the beginning of the journey:
Collect threat intelligence from reputable sources, categorize threats, and determine the most likely threat scenarios applicable to your organization.
Identify impact levels (operational, financial, data privacy, and reputational).
Identify the attack surfaces and key assets you are trying to protect.
Include threat modeling in your SDLC.
Perform regular threat assessments; an assessment can focus on a specific application, system, environment, or network.
Regularly validate controls through adversary simulation and Red Team exercises.
Based on my personal experience, the following principles will help get started on the right foot:
Start small, allow yourself to fail, and learn from the failure. A threat-driven approach requires a paradigm shift. By demonstrating success in small areas, you can gradually expand the scope and get buy-in from key stakeholders.
Ensure you have the fundamentals in place, including mature asset management, an ability to enforce and audit policy and configurations across your environments, and a good handle on your access control. A threat-driven approach helps you focus and prioritize resources, but it does not replace fundamental security hygiene practices.
Focus on the largest threats first. You want to invest your energy and resources to mitigate the most probable threat scenario with the highest impact to your organization.
Educate and enable key stakeholders but avoid preaching. A threat-driven approach requires a mindset shift, especially among those who come from an audit or compliance background. This takes time and requires patience.
Fusing Compliance with Threat-Driven Cybersecurity
The purpose of this blog is not to discredit compliance and paint a doom and gloom picture of cybersecurity. Compliance is still relevant and, in some cases, necessary to drive funding and resources in organizations that have an immature security culture.
Earlier in this blog, I purposefully used the term “unbalanced” to emphasize a compliance-driven cybersecurity program that focuses on checklist requirements while ignoring an essential component in the risk management process: threats. However, checklist requirements have their place.
Leveraging frameworks such as NIST SP 800-53 or ISO 27001 helps to organize cybersecurity capabilities and provides a foundational set of practices that every organization must consider. As mentioned before, mature asset management, access control, and malware defense are examples of foundational cybersecurity domains every organization should focus on regardless of its threat exposure.
It all boils down to risk. Frameworks are excellent for organization and standardization. From a maturity perspective, they can also help you measure how well your capabilities are integrated into operations. Threat intelligence, on the other hand, provides direction, focus, and helps to prioritize resources to ensure they mitigate real risks.
Threat-driven cybersecurity and compliance are complementary. As a security leader, you need to strive for the right balance between them to ensure your security program leads to the best possible outcomes from a risk reduction perspective.
Many organizations build their cybersecurity based on compliance requirements. However, in the age of prolific cyberattacks, this approach alone is insufficient and exposes organizations to significant risks. To address this problem, we need to augment traditional cybersecurity approaches with threat intelligence and ensure threat considerations are at the forefront of the risk management process.
By finding the right balance between compliance and a threat-driven approach, your organization can direct resources to mitigate the highest risk areas while complying with laws and regulations, leading to a positive ROI on cybersecurity.