B2B companies are urging their technology leaders to re-think their approach to protecting their systems and data, which raises the critical question:
Given limited resources and constantly evolving threats, how should organizations determine where to invest their resources to address their most critical risks?
The answer lies in the cyber security program’s ability to proactively assess and take ownership of risk, as well as the ability to build and maintain a cyber security workforce trained in the most current tools and techniques.
Creating an approach to proactively assess, own and mitigate technical risk
System owners and program managers should approach their cyber security programs with this reality in mind: their systems are vulnerable and cyber threats are continually emerging.
Since security resources are limited, B2B organizations must implement proactive plans to identify and prioritize their cyber risks, giving a clearer picture of how resources should be spent to mitigate them.
While the Risk Management Framework (RMF) has undoubtedly introduced a higher level of security control, several factors (i.e., more controls to address without more resources to address them) have at times turned its implementation into another “compliance drill,” often allowing both new and existing system vulnerabilities to remain unmitigated, or worse, unidentified, exposing systems to critical risk of intrusion and compromise.
RMF has also unintentionally created incentives to shift risk ownership to other organizations (i.e., minimizing the number of security controls that must be addressed and tested by the system owner for a perceived, but often unrealized, cost savings).
System owners and their cyber security teams know their systems better than anyone. Therefore, system owners should look to own and manage as many of their system risks as possible, as they are best positioned to understand the impacts of vulnerabilities and develop the most effective mitigation strategies.
The introduction of RMF has also unintentionally created the requirement for unmanageable numbers of policies and…