The CRIF - Cyber Risk & Privacy Framework
Protect and Detect Phases
The traditional Protect and Detect phases are where organisations outsource their security requirements to a managed security provider, build an in-house team, or keep a trusted independent IT guy they can call if the worst happens. Each of these approaches needs to be cognisant of changes in the threat actors, their motivations and their techniques, and of how social technology has rapidly expanded the attack surface.
The challenge for business owners, risk managers and security managers in this phase is deciding how best to spend a traditional security budget: do I keep buying more security technology to tackle the expanding cyber threats, or do I invest in culture, awareness and training in parallel?
The UK Government has issued good guidance in this regard through the BIS Top 10 and the CPNI Top 20. The question is whether these are viewed simply as controls and measures of ‘what good looks like’, or whether they actually map to business value and recognised benefits, i.e. ‘do X and you will benefit from Y’.
Security standards, and the wider organisational standards approach to cyber, are gaining momentum, but they need to be applied where applicable. For example, a typical SME will not entertain the full lifecycle journey that is ISO 27001, but neither should it ignore the threat that cyber poses to its business. Any standard, whether applied in principle or taken through to certification, helps you identify where your security gaps are and which controls need to be applied to bring you up to ‘good standing’.
Attaining a standard can give an organisation a false sense of security, because it does not make you bullet-proof. In fact, maintaining the standard and sustaining good security practice is where the real work starts. By assessing your cyber risks and your overall level of maturity against the various published cyber controls, you can understand your posture: what can be done to combat cyber threats, what investment is needed, and where the real gaps lie across people, process, technology and partners. This is what we call the ‘realisation point’. We find that this crossover, between ‘keep doing the same, but more of it’ and ‘do things differently and re-invest your security budget for cyber’, is what adds the most value to an organisation. The realisation point typically falls between the Detect and Respond phases.