Building a Cyber Program: Risk Assessment vs. Cyber Frameworks

Rick Butler

  • Aug 8, 2019
    So here's a question that came up in my head and one that I suggested to Bjoern after the session today. Worth some noodling...

    When building a cyber program do you:

    A) Get a framework? - Most times, people don't know what they don't know and they end up going out to the internet to grab some kind of checklist to "cover the bases" with respect to network security. Frameworks like NIST 800-53 and 800-171 as its checklist are great because they'll cover everything.

    But a framework has the tendency for those who use one to cover more than we need. Do we pick and choose which parts to use? Can we say that we used the NIST framework if we only use a part of it? Going through a framework can create a lot of documentation that no one will ever read.

    (kinda like all the documentation we write, but alas)

    B) Perform a Risk Assessment? - The risk assessment is the way an organization can tailor its cyber program to meet its specific needs. An organization can walk through all its assets and services and define priorities.

    However, I've always seen two things when doing a risk assessment. One, defining the risk tends to get subjective. We can put impact to a cost scale, but probability is a little more nebulous. Say you have two incidents on a risk in year 1, none in year 2, and none in year 3. High risk? Medium risk? Or do we define it ourselves in a subjective kind of way? Sure, that brings in the idea of risk appetite, so it's different for everyone. The other thing I see in risk assessment is making sure we've identified everything. Seems like that's an ongoing process, like one day, you're walking by an office and notice an IoT device that's been there for an age, but we forgot about it in risk planning.

    So, what do you think about this? Chime in and let's see what you think.

    /r

    UPDATE: I might have also written the question a little badly - the question isn't whether we do those things - it's the approach you take first in doing a cyber program build. Some will go with the Framework first, which prescribes a risk assessment, the other will do the risk assessment first which prescribes a framework. ..
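The scoring question in the post (two incidents in year 1, none after, impact on a cost scale, appetite differing per organisation) worked through as an added Python example that is not part of the thread. The plain average and the smoothed estimate are two defensible readings of the same history; the cost, appetite, band thresholds and asset names are constructed values, and the register check at the end covers the "did we identify everything" point.

```python
"""Added worked example (not from the thread): making the 'probability is
nebulous' problem explicit. The incident history [2, 0, 0] is the scenario
from the post; costs, appetite, thresholds and asset names are constructed."""
import math


def annual_rate_mle(history):
    """Plain average: incidents per year over the observed window."""
    return sum(history) / len(history)


def annual_rate_smoothed(history, prior_events=1.0, prior_years=1.0):
    """Same estimate with a small Gamma prior (an assumption that must be
    written into the assessment) so a 0/0/0 history does not collapse to
    'it can never happen'."""
    return (sum(history) + prior_events) / (len(history) + prior_years)


def prob_at_least_one(rate):
    """P(at least one incident next year), treating incidents as Poisson."""
    return 1.0 - math.exp(-rate)


def expected_annual_loss(rate, impact_cost):
    """Annualised expected loss: incident rate times single-incident cost."""
    return rate * impact_cost


def band(expected_loss, appetite):
    """Qualitative band relative to the organisation's risk appetite (the
    annual loss it is prepared to carry); the 25% threshold is a choice."""
    if expected_loss > appetite:
        return "High"
    if expected_loss > 0.25 * appetite:
        return "Medium"
    return "Low"


def assess(history, impact_cost, appetite):
    """Band under both estimators, so any disagreement is visible in the register."""
    mle = expected_annual_loss(annual_rate_mle(history), impact_cost)
    smoothed = expected_annual_loss(annual_rate_smoothed(history), impact_cost)
    return {"mle": band(mle, appetite), "smoothed": band(smoothed, appetite)}


def unassessed_assets(inventory, register):
    """Assets seen on the network but absent from the risk register
    (the forgotten IoT device from the post)."""
    return sorted(set(inventory) - set(register))


if __name__ == "__main__":
    print(assess([2, 0, 0], impact_cost=50_000, appetite=20_000))   # both High
    print(assess([0, 0, 0], impact_cost=100_000, appetite=20_000))  # Low vs High
    print(unassessed_assets(["fw-1", "printer-3", "iot-thermostat"], ["fw-1", "printer-3"]))
```

The second `assess` call is the subjectivity point in one line: a clean three-year history reads as Low under the average and High under the smoothed estimate, so the estimator chosen has to be recorded alongside the score.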
     
    Risk Assessment is always, always, always mandatory. How are you going to structure and prioritize your efforts if you don't know your risks and have ordered them by magnitude (whether it's quantitative or qualitative risk assessment is less important here).

    Framework: Tend towards a yes because that's gonna avoid forgetting important aspects. Tailoring it to your needs definitely OK (especially if you're not chasing any certifications) and the smaller your organisation, the more limited your resources, the more you'll need to adapt to fit your needs.

    My 2c. :)
     
    All valid points. I had to correct my question some to clarify a point - which does one realistically start with? We get the book answers, but I'm of the mind that folks will often start with the Framework first, while others will do the assessment first. Both need to be done, although to some complexity, it could get interesting.
     
    Right, gotcha.

    IMHO: Risk assessment first. You need to know the nature and size of your problems before you can think about how to tackle them.
     
    When building a cyber program, we either....
    • get a cyber consultant OR
    • follow government advice
    Either way, you'll eventually follow a framework within which, you'll start by doing some form of risk assessment.

    The ACSC body in Australia follows the NCSC in the UK, for which the guidance varies with the size and type of the organization.
     
    That's the other direction - coming at it from a framework perspective and doing the risk assessment as part of following that framework. Most folks have no idea how to do a risk assessment from the start and contract in an overpriced MSSP to do this work - but people pay it because they don't want to pay the price for non-compliance.

    What's funny is that these MSSPs will just write that documentation from templates that they have in their libraries...

    /r
     