Moving to a Zero Trust Approach? Risk Management Can Help
Getting ready to implement Zero Trust (ZT) isn’t quite as simple as some vendors would have you believe. If someone excludes the program development aspect of ZT, that’s a sign you should be careful. While many point solutions for specific problems exist, there is no out-of-the-box, end-to-end solution that will write policies, align business needs and socialize your ZT program. There isn’t even a vendor with a multi-vendor Policy Decision Point as outlined in the NIST 800-207 Zero Trust Architecture.
There is, however, a method that you can implement to assist you with making decisions about ZT and, most importantly, reduce risk.
Risk reduction is the at the heart of all we do as security professionals and it’s why we’re always looking for a new security approach to protect our assets. If left undetected, risk can leave an organization exposed and prone to compromise. Risk management helps us get there by documenting, discovering, calculating, evaluating, measuring and communicating risk. It also drives compliance and creates a need for remediation solutions. Applying Zero Trust principles makes all this happen in real time.
Risk management is an excellent method for knowing exactly where your problems are and what solutions (technical or administrative) will help you reduce risk exposure to acceptable levels. If you don’t track or understand your biggest risks, you’re fumbling in the dark and likely implementing solutions to close gaps while still unaware if you have the right priorities – “firefighting.”
Ultimately, risk management will improve your ZT implementation through risk discovery and measurement. We’ll start with the socialization of risk management and Zero Trust within your organization and end with some ideas on how risk management can help you be successful with designing and implementing a ZT program.
Business Alignment and Senior Leadership Buy-In
Have you ever presented something to your leadership team and seen vacant stares, yawns or a generally uninterested audience? This was your chance to discuss Zero Trust concepts, and it fell flat. Or you might have a board member who’s “technical” and assumes they already know everything you have to say. Let’s flip the script. Wouldn’t a discussion about how the implementation of processes and technology will reduce risk, close policy and compliance exceptions, speed up audit preparation and protect legacy systems be better? In addition, the proposal improves the client (employee) experience and allows them to have the flexibility to leverage the platform of their choice from anywhere at any time.
Risk management is a balance, and while increasing flexibility may reduce organizational risk related to recruiting and retaining top talent, it may increase the chance of compromise. We see major shifts that support this prediction, with COVID-19 driving organizations to figure out how to be flexible and still keep risk tolerance within assigned limits. A Zero Trust approach enables flexibility while reducing risk.
Identifying and communicating risk is a very important aspect of our jobs. Providing vague or ineffective communications can lead to marginalization and possible reputational damage. Documenting and measuring things like insider threats, risks from operational technology (OT) or the internet of things (IoT), third parties, application vulnerabilities, etc., and how a ZT approach can help will greatly reduce those risks and assist with getting the company-wide cybersecurity risk level within tolerable limits. Risk management is complex, and there are multiple ways to approach it. If it was easy, you’d be doing it already (and so would everyone else).
Optiv Maturity Scale
Risk management is a foundational control, but unfortunately, it’s also one of the lowest maturity-rated capabilities that we see when delivering our security strategy assessments (SSA). The average on a five-point maturity scale is barely in the “limited” range, meaning that the risk program is partially formalized, reactive and just getting started, as shown in Figure 1.
The lowest observed 15 capabilities as defined by Optiv’s SSA are listed below in Figure 2. Risk management comes in at lucky number 13. Several other poor-performing capabilities in this chart would also benefit from a Zero Trust approach.
There are many documented risk management approaches and methodologies and each of them have their strengths. Choosing the right one is part of the journey, but one thing to remember above all else: be transparent. The consumers of the information you collect regarding risks will want to be aware of a few things and should also agree to the chosen approach.
The last thing you want is to forge ahead with a great risk management approach only to have a senior leader reject an assigned risk or question some aspect of the risk calculation process used. Here are a few tips for establishing a risk management approach:
- Be transparent (mentioned above) in how the risks are evaluated. It is very important for leaders to be involved in the decision to approve the risk management approach.
- Document cyber risks. These should be candidates for the enterprise risk management (ERM) process but specific to the cyber security program.
- Each risk should have a business owner – unassigned risk means nothing will get done. Eliminate the notion that all cyber risk is owned by the CISO.
- Establish a risk exception process, however, guard against approving every request. Ensure there is a business case, mitigating factors are considered and dates are assigned for remediation. If budget is needed to remediate the risk, confirm the budget request is submitted and approved. Unapproved budget for remediation should lead you to reevaluate the risk and look for compensating controls.
- Formulate acceptable risk tolerance levels. This can be a complex formula, but the average of all policy and risk exceptions approved could be a starting point.
- A governance, risk and compliance (GRC) system has multiple benefits. Mapping risks to policy requirements and applying remediation within the tool is better than managing it in spreadsheets. It’s also helpful to understand the other risks already associated with the systems and applications being evaluated – context is invaluable when understanding risk.
As risks are identified and mitigation is being designed, be sure to build in NIST core tenants of ZT as outlined in Figure 3.
The core tenants of ZT provide a way to think about access and controls to help guide the design of the controls assigned. Well-defined controls begin with policies and framework alignment. This helps establish the “how” you will need to create sound and effective organizational controls. Risk identification and treatment will help you institute mitigation actions, and those efforts will easily fall into your overall ZT strategy.
A GRC program with a risk management component and workflows will make life much easier than trying to do everything in spreadsheets. In addition, your review of new business approaches and applications should include ZT-related requirements and show how the initial risk can be reduced by ensuring new business projects are implementing ZT-compatible systems and applications.
Your third-party risk management (TPRM) approach should include ZT “enablers” or requirements that drive the core tenants of ZT and ensure third party solutions (people, processes and technology) align with your strategy. Figure 4 shows how risk managers view business solutions through a ZT lens when assessing system designs.
Risk management complements a ZT strategy and vice versa. Remember to keep stakeholders engaged in the process, as there should be no surprises. In Figure 5, the benefits of a ZT approach are highlighted in red. But as mentioned previously, a balance must be maintained, and having a cyber risk management approach will enable you to articulate how and why risk was reduced.
Gloss