A HIMSS 2018 survey of healthcare IT CIOs and CISOs suggests that the health sector is beginning to treat information security as general risk management.
Increasingly, risk managers assess the threat of a potential “cyber” event much like the threat of an earthquake or active shooter.
First, they quantify the loss expectancy using existing systems in terms of impact to the organization. The next step is to assess if additional actions can be taken to minimize the impact.
At the same time, risk management programs are recognizing that the impact is expanded by regulatory oversight, such as the HIPAA security rule. In fact, risk management is becoming the lingua franca of the C-Suite in the boardroom.
Network environments deploy a variety of information security controls; an average portfolio of these controls is shown below. These controls are aligned with the goals of the NIST cybersecurity framework to support the functions of Prevent, Detect, and Respond.
Prevent | Detect | Respond
Firewall | Intrusion Detection System | Alert
Intrusion Prevention System | Log Aggregation and Review | Triage
Email security | Security Information/Event Management | Investigate/Confirm
URL filtering | | Quarantine
Anti-Virus/Endpoint Security | | Remediate
These security controls directly affect the mathematics of risk management.
An expression for quantifying risk is:
R = P(Tv) * I
That is, Risk equals the product of the Probability of a Threat being realized (usually as a result of some vulnerability being exploited) and the Impact of that Threat being realized.
Interestingly, preventive controls reduce the Probability, or likelihood, that the threat will be realized at all.
In other words, preventive controls are in place to avoid the compromise of the computing assets in an environment. However, today it is a poor assumption that these controls will be perfect. Therefore, the probability of a compromise remains non-zero, and, in fact, is material.
Detection and response functions, on the other hand, can affect the Impact, or consequence, of the threat being realized. Identifying a compromised asset on a network and immediately quarantining and remediating turns a potential existential event into a desktop cleanup — a huge difference in the consequence. Minimizing that impact should be a key performance indicator in risk management.
When prevention fails, accurate detection and effective response can minimize the impact.
Detection and response are the capabilities organizations most need to ensure a backyard fire does not burn down the forest.
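As an added illustration (not from the original post), the risk expression R = P(Tv) * I modelled in Python with constructed values: each preventive control is assumed to be bypassed independently with some non-zero probability, so P(Tv) never reaches zero, while the detection-and-response capability decides whether a compromise is contained as a desktop cleanup or runs its course. The threat, the bypass probabilities and the dollar impacts are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Threat:
    """A threat scenario for the risk expression R = P(Tv) * I."""
    name: str
    base_probability: float     # P(Tv) with no preventive controls in place
    uncontained_impact: float   # loss if the compromise runs its course
    contained_impact: float     # loss if it is detected and quarantined quickly


@dataclass(frozen=True)
class Controls:
    """A control portfolio split by function, as in the Prevent/Detect/Respond table."""
    prevent_bypass: Dict[str, float]  # control -> probability the threat gets past it
    contain_rate: float               # share of compromises detected and contained in time


def residual_probability(threat: Threat, controls: Controls) -> float:
    """P(Tv) after prevention: the threat must get past every preventive control.
    Assumes bypass events are independent and that no control is perfect (bypass > 0)."""
    p = threat.base_probability
    for bypass in controls.prevent_bypass.values():
        assert 0.0 < bypass <= 1.0, "a control is never perfect, so bypass must be > 0"
        p *= bypass
    return p


def expected_impact(threat: Threat, controls: Controls) -> float:
    """I as a weighted average of the contained and uncontained outcomes."""
    r = controls.contain_rate
    return r * threat.contained_impact + (1.0 - r) * threat.uncontained_impact


def risk(threat: Threat, controls: Controls) -> float:
    """R = P(Tv) * I for a given threat under a given control portfolio."""
    return residual_probability(threat, controls) * expected_impact(threat, controls)


# Constructed example values (assumptions, not figures from the post).
THREAT = Threat("phishing-led workstation compromise", 1.0, 4_000_000.0, 5_000.0)
PREVENT_ONLY = Controls({"firewall": 0.5, "email security": 0.2, "endpoint": 0.25}, 0.0)
WITH_DETECT_RESPOND = Controls(PREVENT_ONLY.prevent_bypass, contain_rate=0.9)

if __name__ == "__main__":
    for label, c in (("prevent only", PREVENT_ONLY), ("prevent + detect/respond", WITH_DETECT_RESPOND)):
        print(f"{label:26s} P={residual_probability(THREAT, c):.3f} "
              f"I={expected_impact(THREAT, c):,.0f} R={risk(THREAT, c):,.0f}")
```

With these assumed values the preventive stack leaves P at 0.025, and adding a 90% contain rate cuts R from 100,000 to about 10,113, which is the impact-term reduction the post argues should be reported as a risk-management success.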
Here are 5 questions to consider if you want to minimize the impact of an IT security incident:
The metrics that are most important to minimize are:
There is a straight line between minimizing these and reducing the impact term of the risk expression. Hence, this can be reported to the C-Suite and Board of Directors as a success.
Critical Insight provides fully auditable event aggregation, analysis, alerting, investigation, 100% confirmation, quarantine, and incident action plans for IT security events. SSAE-18 examination report and HIPAA business associate agreement are available on request. Contact us to connect with one of our expert cybersecurity consultants.