One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 6370163
Publication date 2022-08-17 10:00:00 (viewed: 2022-08-17 10:06:23)
Title A pragmatic approach to risk management & resilience
Text Cybersecurity starts with the ability to recognize your cyber risk. We will explore several topics related to taking a practical approach to managing risk and achieving cyber resilience. This is a blog series with collective thoughts from Bindu Sundaresan, Director AT&T Cybersecurity, and Nick Simmons, AVP, Cybersecurity.

Cybercrime has become increasingly frequent, complex, and costly, posing a risk to all businesses regardless of size. How do you plan to respond when falling victim to a breach? Would you know who to call, how to react, or what to tell your employees, customers, and media? Could your organization absorb the potential financial and reputational impact of a lawsuit? The answer cannot be, "we store everything in the cloud, so we are good." Who owns the risk? Could your brand's image survive? What is acceptable, and how do you know your current plan will suffice? What more could your company do to better understand and manage the risk? These questions are all top of mind and need to be addressed from an overall business perspective. This blog summarizes the fundamental steps and offers suggestions to understand, manage, and respond to risk.

Beyond technology, focus on risk and resilience

It can be easy to deploy security technology and think you've mitigated risk to your business. Unfortunately, technology investment is no guarantee of protection against the latest threats. It is critical to take a risk-based approach to security, meaning leaders must identify and focus on specific elements of cyber risk to decrease enterprise risk. Specifically, the many components of cyber risk must be understood and prioritized for enterprise cybersecurity efforts.
Organizations are increasingly aiming to shift from cybersecurity to cyber resilience, and the following recommendations can help forge this path:

- Understand the threats;
- Measure the potential financial impact of cyber exposures compared to the company's risk appetite level; and
- Proactively manage cyber risks with clear action plans based on their capabilities and capacities to protect against cybercrime.

Risk-based approach

Cyber resiliency requires a risk-based approach, accomplishing two critical things at once. First, it designates risk reduction as the primary goal, enabling the organization to prioritize investment, including implementation-related problem solving, based squarely on a cyber program's effectiveness at reducing risk. Second, the program distills top management's risk-reduction targets into pragmatic implementation programs with precise alignment from senior executives to the front line.

Following the risk-based approach, a company will no longer "build the control everywhere"; rather, the focus will be on building the appropriate controls for the worst vulnerabilities to defeat the most significant threats that target the business's most critical areas. The risk-based approach to cybersecurity is thus ultimately an interactive and dynamic tool to support strategic decision-making. Focused on business value, utilizing a common language among the interested parties, and directly linking enterprise risks to controls, the approach helps translate executive decisions about risk reduction into control implementation. The power of the risk-based approach to optimize risk reduction at any level of investment is enhanced by its flexibility, adjusting to an evolving risk-appetite strategy as needed. A risk-based approach recognizes that there are no perfect security solutions. Still, those that strategically balance security, scalability, access, usability, and cost can ultimately provide the best long-term protection against an evolving adversary.
Fundamentally, risk transformation changes security strategy from an outside-in perspective, where external threats and regulations drive strategy, to an
Notes
Sent Yes
Tags Ransomware Data Breach Tool Vulnerability Threat Patching Guideline
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.