The Chertoff Group Cyber Security Risk Management

Problems it solves

No IT security guidelines

Risk of leaks of confidential information

No monitoring of corporate IT processes

Non-existent or decentralized IT incident management

Risk of attacks by hackers

Risk of data loss or damage

Insufficient risk management

Values

Ensure Security and Business Continuity

Ensure Compliance

Manage Risks

The Chertoff Group Cyber Security Risk Management

The solution helps clients build effective cyber and physical security programs by assessing, managing and monitoring enterprise threats.

Description

Cyber effectiveness

The last decade has seen major increases in cyber regulation and investment, and yet cyber risk has only grown. 2017 saw some of the most costly and disruptive cyber attacks in history. Executives across sectors are asking: how do we know whether we have an effective cyber security program? The Chertoff Group's approach:
  • Applies an offense-informed defense analysis to assess technology environments from the mindset of an adversary
  • Prioritizes preventive measures based on risk
  • Designs the changing nature of inherent risk into program oversight, and also accounts for implementation risks so organizations avoid trip-ups as they build their programs
  • Ensures programs address inherited risk from third-party dependencies
  • Stresses the importance of testing and continuous monitoring of mitigation measures to demonstrate security performance

Who The Chertoff Group does it for

  • Organizations needing a comprehensive evaluation of a security program with technical validation
  • Executives who need quick-turn program evaluation or critical third party review
  • Organizations needing a comprehensive program build, designed for effectiveness

How they do it

The approach is grounded in the belief that effective security is not an end state so much as a continuing process, founded on a cycle of activity to assess, mitigate and monitor security risk. The team works continuously to incorporate insights learned from client projects, discussions with government stakeholders and interactions with solution providers into the security risk management framework.

Risk Assessment

Compliance mandates are "necessary but not sufficient": planning must reflect changing business, technology, customer, regulatory and threat drivers. Countermeasures must be aligned to reasonably foreseeable threat tactics, techniques and procedures (TTPs).

Risk Mitigation

Constrain the rapid spread of a compromise and enable security operations to quickly and authoritatively identify, contain and recover from it. Anticipate implementation risks.

Risk Monitoring

Build in meaningful opportunities to measure program advancement through multiple lenses (risk-based countermeasures, operational performance, testing, etc.).

Solutions

The three tiers build on each other: each tier includes everything in the tier below it.

Cyber Risk Management Program Build

Governance Assessment: DEEP-DIVE RISK ASSESSMENT plus…
  • Security strategy document
  • Review of policies / standards library
  • Implementation planning guidance
Countermeasure Design: DEEP-DIVE RISK ASSESSMENT plus…
  • Security planning, implementation & reporting, informed by lessons learned from testing, managed services, incident response and exercises
  • Security tool optimization
  • Managed services (optional)
  • Incident response services (optional)
  • Exercises
Testing & Validation: DEEP-DIVE RISK ASSESSMENT plus…
  • Program metrics
  • Ongoing measurement & interpretation

Deep Dive Risk Assessment

Governance Assessment: PRELIMINARY RISK ASSESSMENT plus…
  • Evaluation of inherent risk factors
  • Consideration of key implementation risks
Countermeasure Assessment: PRELIMINARY RISK ASSESSMENT plus…
  • Full controls assessment mapped to an authoritative framework
  • TTP / threat pathway analysis based on the MITRE ATT&CK model
  • Insights from technical testing
Testing & Validation: PRELIMINARY RISK ASSESSMENT plus…
  • Vulnerability assessment
  • Internal and external penetration testing
  • Tool optimization analysis

Preliminary Risk Assessment

Governance Assessment: Review of core governance functions (oversight, risk management, training, third-party risk, policies)
Countermeasure Assessment: Focus on the most risk-reducing controls; as an option, a weighted score range based on level of implementation and perceived risk reduction
Testing & Validation: As an option, analysis of results from an external risk-scoring vendor


Scheme of work