
Begin with Security Risks Assessments to be Risk Resilient 

NIST's cybersecurity framework (CSF) has established five core functions of “Identify, Detect, Protect, Respond, and Recover”.

DQINDIA Online
Shambhulingayya Aralelemath

In a highly digitized and connected world, advances in cybersecurity technology are constantly trying to keep pace with the evolution of sophisticated and complex cyberattacks. There is a well-acknowledged maxim in the industry that every organization has already been breached; some simply have not discovered it yet. Multiple security tools and technologies can certainly deter and protect against attacks, but they cannot guarantee an organization that is free of cyber risk.


The National Institute of Standards and Technology (NIST) cybersecurity framework (CSF) has established five core functions of “Identify, Detect, Protect, Respond, and Recover”. CSF 2.0 has added a sixth function, “Govern”, to the existing five. Today’s reality is that the fifth NIST CSF core function, “Recover”, has become the nucleus of cybersecurity programs around which the other functions revolve. Organizations have learned that, from a business continuity perspective, cyber resilience is far more critical than protection or prevention alone. An organization’s cyber resilience is gauged by its ability to bounce back quickly from a cyberattack and resume its digital-led business operations.

To make any organization cyber resilient, the first step is to work on the CSF core function of “Identify”. According to NIST, the Identify function helps develop the organization’s understanding of how to manage cybersecurity risks stemming from its systems, people, assets, and data. An organization must have a good understanding of its business context and the related cybersecurity risks so that cybersecurity efforts align with how the organization wants to manage its risks and business needs.

Regular, planned security risk assessments are recommended because they help ensure that cybersecurity initiatives are built around a policy and procedural framework that serves the organization well: if any of its information, systems, or assets were to come under attack, it is not caught off guard and is able to pull through faster. These periodic evaluations and reviews go a long way toward consistently strengthening the organization's overall cybersecurity approach, readiness, and resilience.


A security risk management program must focus on identifying:

  • The physical and software assets in the enterprise, so they can be managed effectively.
  • The business environment and the organization's role in the supply chain and critical infrastructure sector.
  • Enterprise cybersecurity policies and systems, to define a robust governance framework.
  • Legal and regulatory requirements that apply to the organization's cybersecurity landscape.
  • Vulnerabilities and potential threats to organizational resources, and the corresponding risk response activities.
  • The risk management strategy, assessed against the organization's risk tolerance.

Security risk assessments can help companies become cyber resilient by identifying security gaps, evaluating their ability to recover quickly from any cyberattacks, and preparing the roadmap for remediation plans. 

A cybersecurity assessment may have multiple dimensions and is not limited to the steps below. However, these fundamental steps serve well as a starting point.

  • Use a threat modeling approach to find the risks and threats (e.g., ransomware) that could lead to cyberattacks, and identify the organizational systems and assets that need protection.
  • Assess the organization's current approach to responding to attacks and mark out what is in place from systemic, technology, policy, and procedural standpoints.
  • Evaluate whether the cybersecurity systems are robust enough to protect existing IT assets and resources.
  • Run scans to find vulnerabilities and threats, complemented by regular technical evaluations such as penetration tests to pinpoint areas of weakness.
  • Examine the cyber plans and procedures to ensure they are effective in limiting the effects of a cyberattack.
  • Conduct cybersecurity training to ensure teams know how to deal with cyber threat situations and how to use the cybersecurity systems and tools.
  • Conduct cybersecurity awareness sessions for employees and senior management so that everyone understands their responsibilities.
  • Conduct post-cyberattack drills and document the activities that worked as expected. Investigate the activities that did not produce the desired outcomes. Identify the gaps in policies, procedures, systems, and technology, and design a roadmap and remediation steps for the future.

Security assessments reveal gaps in an organization's ability to counter a cyberattack and manage the disruption it causes; closing those gaps is what makes the organization cyber resilient. Every organization should make them part of its security protocol.

Authored by Shambhulingayya Aralelemath, Associate Vice President and Global Delivery Head, Cybersecurity, Infosys
