Today, we thought we would have a little fun talking about security frameworks and how cyber risk quantification is the missing ingredient you need to cook up more mature security models.
Security frameworks are similar to cookbooks with progressively more complex recipes to help security leaders entertain more discerning guests. In addition to calling out key ingredients, these ‘cookbooks’ help security teams know how to get started toward securing their enterprise. They point out any gaps in security controls and offer ways to benchmark their efforts against industry norms. Most of all, they get security teams up and cooking so they can continually meet the security needs of their company.
Security frameworks are the go-to source for ideas and best practices when looking to upgrade security controls to out-match threat actor capabilities. Depending on the set-up of the organization’s security controls, security professionals often need to refer to multiple security control frameworks to get the right ‘recipe’ for the situation.
Problems often arise when the security staff is overwhelmed and there are too many discerning guests to prioritize. One guest might be the equivalent of a top food critic, while another might be a dine-and-dasher. This is where cookbooks and security frameworks fall short. They can’t give you the financial quantification that you need to prioritize top guests, the best ingredients, or help you explain the financial impact of choosing one recipe above another.
Lack of financial quantification leads to security teams looking for ways to enrich their security frameworks with relevance and context. They need that icing on the cake that cyber risk quantification brings to the table so they can tell the business in monetary terms the reality of loss exposure and reputation damage if they don’t prioritize who should get served first and what to cook up next.
With ThreatConnect Risk Quantifier 5.2 you have native support for all the significant security cookbooks out there, including NIST CSF, ISO 27001, CIS Top 20, and more. Native support means the control inputs are already built into RQ so it cuts out the manual prep work of gathering and inputting data. RQ automatically applies these frameworks to your business so you save time, resources and avoid tedious manual work; like chopping onions. It puts you in the position of being able to critique rather than create when it comes to maturing your security controls so you are not always starting from scratch.