The creation of an ongoing cyber risk management process, aligned with the governance of the information security management process, is a premise that ensures the survival of the organization. Here, I want to present a practical and strategic view on how to align security architecture, risk governance and organizational culture to build effective cybersecurity programs.
Working through the domain model suggested by ISC2 from a security architecture perspective, I have become convinced of how essential architecture is to a cyber program. This is especially true with emerging technologies such as generative AI, whose workloads demand large amounts of processing in cloud environments hosted on robust data centers.
Beyond their high energy demand, these innovations bring challenges in identity and access management and in the network guardrails that protect workloads, and they require a strong architectural modeling approach that includes governance, risk and compliance (GRC) projects.
If I were asked in an interview what my strategy would be to implement an information security management process, I would say it is important to consider the organization’s situation, its context and, finally, the maturity of the risk culture among its stakeholders.
If the company does not yet have a risk-oriented mindset disseminated among stakeholders and employees
It becomes more difficult to sell and implement a cybersecurity program. It is necessary to work closely with business-line executives, articulating the case and facilitating the discussion, since pointing out flaws at the start can create long-term resistance. I’ve had personal experiences where I faced barriers and had to step back.
However, developing a risk culture — including risk appetite, tolerance and profile — within the management program is essential. It gives real visibility into ongoing risks, how they are perceived and how they are mitigated, and it strengthens the organization’s ability to improve its security posture. As a consequence, the company starts delivering reliable products to customers, protects its reputation and builds a trustworthy image that translates into competitive advantage and brand recognition.
If the company already has a mature risk culture
The implementation of a cybersecurity management project becomes easier. Since my goal is to share the mechanics of a successful cybersecurity program, I list below some components of this ‘recipe’ to consider:
Understand the dynamics and scope of the business, mapping stakeholders, processes and critical systems of the organization, categorizing applications and classifying data to determine the appropriate set of controls (guardrails).
Choose and apply a framework such as NIST CSF 2.0, mapped to ISO 27001, COBIT, CMM, NIST 800-53, SABSA, TOGAF, MITRE ATT&CK, OWASP, among others.
Start by defining vision, goals, strategies and objectives, taking the “Govern” Function of NIST CSF 2.0 as the basis for the GRC strategy. Example goal: “Expand a threat-driven approach across the organization and a cybersecurity GRC program aligned with business and market compliance standards.” For each goal, objectives must be defined, such as “Improve cyber risk management capabilities, update the structure to NIST CSF and adopt FAIR (Factor Analysis of Information Risk) for risk quantification.”
Within the program for measuring maturity continuously, it is necessary to define indicators by combining KPIs (performance) and KRIs (risk). For example, for a critical control: “Patch application: average number of days to remediate a critical/high vulnerability in Internet-facing and business-critical systems.” Such an indicator persuades stakeholders and application owners to resolve security issues, raises program maturity and provides transparency to executives.
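To show how such an indicator is actually produced, here is an added example (not code from the original article) that computes the patch-remediation KRI over a constructed set of vulnerability findings. The finding records, the asset attributes and the SLA thresholds (15 days for critical, 30 for high) are assumptions for illustration, not values from the article. The example also computes the median and the SLA-breach rate alongside the average, and it counts findings that are still open, because an average over closed findings alone can hide both outliers and the oldest unpatched exposures.

```python
"""Patch-remediation KRI over constructed findings (added example, not from the article)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, List, Optional

# Assumed remediation SLA in days per severity. Illustrative policy values,
# not taken from the article; medium/low are deliberately out of scope.
SLA_DAYS = {"critical": 15, "high": 30}


@dataclass
class Finding:
    finding_id: str
    severity: str            # "critical", "high", "medium", "low"
    asset: str
    internet_facing: bool
    business_critical: bool
    opened: date
    closed: Optional[date]   # None means the finding is still open


def in_scope(f: Finding) -> bool:
    """Critical/high findings on Internet-facing or business-critical assets."""
    return f.severity in SLA_DAYS and (f.internet_facing or f.business_critical)


def days_open(f: Finding, as_of: date) -> int:
    """Days from opening to closure, or to the reporting date if still open."""
    return ((f.closed or as_of) - f.opened).days


def compute_kri(findings: List[Finding], as_of: date) -> Dict[str, object]:
    """Compute the remediation indicator for one reporting date."""
    scoped = [f for f in findings if in_scope(f)]
    closed = [f for f in scoped if f.closed is not None]
    still_open = [f for f in scoped if f.closed is None]
    closed_days = [days_open(f, as_of) for f in closed]
    # A finding breaches its SLA whether it was closed late or is open past the limit.
    breached = [f for f in scoped if days_open(f, as_of) > SLA_DAYS[f.severity]]
    return {
        "in_scope": len(scoped),
        "closed": len(closed),
        "open": len(still_open),
        "mean_days_to_remediate": mean(closed_days) if closed_days else None,
        "median_days_to_remediate": median(closed_days) if closed_days else None,
        "sla_breached": len(breached),
        "sla_breach_rate": len(breached) / len(scoped) if scoped else 0.0,
        "oldest_open_days": max((days_open(f, as_of) for f in still_open), default=0),
        "breached_ids": sorted(f.finding_id for f in breached),
    }


def sample_findings() -> List[Finding]:
    """Constructed sample data; asset names and dates are invented."""
    d = date
    return [
        Finding("F-1", "critical", "web-gateway", True, True, d(2024, 5, 1), d(2024, 5, 10)),
        Finding("F-2", "high", "crm", False, True, d(2024, 4, 1), d(2024, 5, 31)),
        Finding("F-3", "critical", "vpn-concentrator", True, True, d(2024, 6, 1), None),
        Finding("F-4", "high", "partner-api", True, False, d(2024, 6, 20), None),
        Finding("F-5", "medium", "web-gateway", True, True, d(2024, 3, 1), None),
        Finding("F-6", "critical", "dev-workstation", False, False, d(2024, 5, 1), None),
        Finding("F-7", "high", "payments", True, True, d(2024, 5, 5), d(2024, 5, 20)),
    ]


REPORT_DATE = date(2024, 6, 30)

if __name__ == "__main__":
    for key, value in compute_kri(sample_findings(), REPORT_DATE).items():
        print(f"{key}: {value}")
```

On this sample the average time to remediate is 28 days while the median is 15: one slow fix (F-2, 60 days) pulls the average up, which is why the indicator should be reported together with the median or a percentile. Two of the five in-scope findings breach their SLA, and one of them (F-3) is still open, so an average computed only over closed findings would have shown no Internet-facing critical exposure at all.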
At this stage, it is recommended to assess the threats and common attack methods to which the organization is exposed and vulnerable. All of this information should be consolidated so the process is robust: a list of threats, the risks they create, the preventive and detective controls that address them, and the resulting business risks (e.g., exposure, reputational damage, financial loss). Controls can be selected according to the organization’s situation, with frameworks such as PCI DSS, COBIT, NIST 800-53, CIS Controls, NIST CSF, CRI, the CSA Cloud Controls Matrix (CCM) and ISO 27001 serving as references.
This is the critical part of the program: understanding the business-critical assets. Map the applications and build a big picture from gap analyses, risk assessments, pen tests and the latest audit results to support this phase. As stated earlier, mapping applications and supporting that map with a business impact analysis (BIA) is essential to align with business requirements. Governance also plays a role here, defining the policies, standards and procedures of the cyber management program.
At this point, it is necessary to adopt a framework model. Personally, I favor a combination of ISO 27001, NIST CSF, NIST SP 800-30, SP 800-39 and the Risk Management Framework (SP 800-37). In the US financial sector, the Cyber Risk Institute (CRI) also provides excellent material for implementing a program effectively. Moreover, as many companies are already in the cloud, the CIS Controls and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) are other strong contributors. This phase can be considered the heart of the project, given its delicacy: it is where the organization’s risk appetite and tolerance are defined and aligned with business objectives. Stakeholder engagement is therefore critical at this stage, to foster the risk culture that will determine the project’s success. The CISO’s organizational structure in relation to the cybersecurity domains — essential to the program — must also be in place, covering the Identify, Protect, Detect, Respond and Recover Functions of the NIST CSF. The first Function, Govern, was addressed earlier, where I pointed out other crucial aspects of the program.
Another important factor, to be developed in parallel with raising the risk culture, is a continuous information security awareness process. It should include all employees, especially those involved in incident management and cyber resilience. For this group, I recommend tabletop exercises that simulate disaster scenarios such as ransomware, phishing, AI-enabled attacks, sensitive data leakage, etc. This prepares the organization to be more resilient in times of crisis. I also highlight the importance of training software developers in secure development practices, since today everything is defined in code (APIs, containers, serverless, etc.), which requires attention to processes such as SAST, DAST, SCA, RASP, threat modeling and pen testing, among others.
From a technical standpoint, it is important to select and implement appropriate controls across the NIST CSF Functions: Identify, Protect, Detect, Respond and Recover. The selection of each control for building guardrails will depend on the overall cybersecurity big picture and market best practices. For each identified issue, the corresponding control must be determined and monitored by the three lines of defense: IT and cybersecurity (first line), risk management (second line) and audit (third line).
I can’t detail the full list of appropriate controls for each scenario in this article, but I suggest consulting frameworks such as NIST CSF, the NIST AI RMF, CIS Controls, CSA CCM, CRI, PCI DSS, OWASP and ISO 27001/27002, which specify each type of control. Example: “Threat intelligence to identify and evaluate new cyber threat scenarios, helping the organization mitigate their impact.”
Finally, the cyber management program must also consider legal, regulatory and regional requirements, including privacy and cybersecurity laws. This covers LGPD, CCPA, GDPR, FFIEC guidance, central bank regulations, etc., so that the organization understands the consequences of non-compliance, which can pose serious problems.
Phew… I hope I have managed to provide a brief overview of architecture and how to build a cyber risk management program aligned with business requirements in a simplified way.
Remember that this is a suggested path I have used and proposed to leaders of organizations I’ve worked with. In general, the relevance of a well-designed and implemented architecture underpins the entire program, being essential to its success. I reiterate that the alignment between architecture, GRC and the CISO’s role has the potential to determine how much the organization can elevate its capacity against threats and improve its cybersecurity posture.
As a well-known proverb says: “I was with him as your architect; day after day I was his delight, rejoicing always in his presence.” May this knowledge contribute to the success of your cybersecurity program. Retain what is good!
Note on sources: I wrote this column based on my experience in my job. In other words, real life inside the organization. Last year I finished my short course about cyber risk management at Harvard, and I had to develop a cyber risk plan. This article was based on this project as well as my experience in cyber risk working for various organizations. Sources used include NIST CSF, CRI and the Cloud Security Alliance. For mentions of ISC2, I’m an instructor for CCSP and CGRC certifications, and ISC2 provides some materials for the GRC perspective.
This article is published as part of the Foundry Expert Contributor Network.