Is implementing a Zero Trust framework on your security roadmap? For many organizations, it’s top-of-mind but understanding what is involved with adopting this mindset and corresponding initiatives can be a daunting task. There are many aspects of zero trust that are appealing to an organization and it requires a good understanding of where you are today and identifying where you want to be.
Courtney Guss is Senior Security Consultant for IBM Global Security Services. Learn more about IBM Security Risk Quantification Services
With any IT security initiative, it can be overwhelming trying to identify, prioritize and implement new security controls, processes or procedures. When I work with clients I often hear, “Where do I begin?” or “Can you recommend a roadmap for success?” The answer is yes, I can recommend a roadmap, but I need to understand where you are today and what your goals and objectives are so that we can get there together.
Risk quantification is the process and framework I use to understand current state and begin to build a strategic roadmap to meet their goals. By using risk quantification analysis, we can:
1. Understand what the current risks are and how they tie back to zero trust initiatives.
2. Use those analysis results to prioritize projects and investments and begin to build the strategic roadmap to meet your goals.
3. Once we’ve begun implementing the identified processes and improvements, we can measure the risk reduction tied to these improvements.
Learn more on using zero trust and risk quantification for building resilient organizations. Hear IBM Security General Manager Mary O’Brien’s keynote address to the 2021 FAIR Conference (FAIR Institute membership required).
Measuring the current state provides insight into the risks that may impact your organization today. This allows us to identify gaps as well as current security controls and processes that directly impact your vulnerability. By using the FAIR framework, we can begin to measure the effects of our security gaps and the impact to loss frequency. Key zero trust initiatives like least-privilege access, patching standards and endpoint security are all data points we use when measuring vulnerability in a risk quantification analysis.
A Risk-Based Approach to Prioritize Zero Trust Initiatives
By identifying and analyzing the current risks tied to your key assets and likely threats we can begin to rank and prioritize these for action. The initial risk quantification results will provide an estimated loss event frequency and magnitude that will provide insight into what risks carry the largest loss exposure for the organization. Once we’ve identified those critical risks, we can begin to map those back to the zero trust initiatives that will provide the largest risk reduction. We can also look at which zero trust initiatives might improve our security posture across multiple risks to get the largest ROI. Improvements like IAM implementation or SIEM upgrades can impact the risk exposure across multiple assets and protect against multiple threat actors.
But how can we show that what we’re doing is adding value and reducing our risk? Many of my clients are looking to show leadership that the work being done on the security team is making an improvement and worth the investment. Risk quantification can be used for this as well. The same technique that we used to measure current state can be used to measure the effectiveness of improvements and highlight the subsequent risk reduction. We can re-calibrate existing risk scenarios by adjusting the control data used as part of our frequency calculation as well as the potential reduction to the size of the event, resulting in a reduced loss magnitude. By doing this we can show that our improvements around new technology, processes and controls are effectively reducing the risk to our organization.
Because zero trust requires an organization to re-think the way to view access and security, it may take planning and consideration when looking to implement these improvements. By leveraging the improved insight into your risk that risk quantification provides, as well as the potential cost-benefit of these improvements, we can help a client achieve these goals.
Learn more about IBM Security Risk Quantification Services