We Ask an Expert About Cybersecurity
July 15, 2022
Cynthia Brumfield is a veteran communications and technology expert based in Washington, DC, currently focused on cybersecurity.
She writes regular columns for CSO Online, a cybersecurity news destination site, consults with companies through her firm, GCT Associates, and is the author of a book published by Wiley, Cybersecurity Risk Management: Mastering the Fundamentals Using the NIST Cybersecurity Framework.
In a recent Wiley webinar, Cynthia shed some light on the challenges faced in cybersecurity risk management and answered the following questions:
What is cybersecurity risk planning and management?
It's a comprehensive process: you frame the risk and determine how much risk your organization is willing to take, given constraints.
These are the four key points:
- Determine the importance of various assets and know which need to be most protected and the degree to which these assets are vulnerable
- Once determined, come up with a plan of action for responding to risk
- Monitor risk on an ongoing basis and check risk plans to ensure that you have implemented them
- Update plans as situations change, based on ongoing monitoring.
The most fundamental is asset management – and it's not necessarily one that organizations have widely adopted. I've talked to many organizations about this and am concerned that while it may seem the most boring job in cybersecurity, it is also the most essential.
How many organizations do asset management properly?
Zero. I would say very few know what assets they have - and if you don't know what you have, you can't protect it.
There are many categories to consider: traditional IT, desktops, laptops, mobile devices, servers, and Internet of Things devices, and there are industry-specific or company-specific assets, depending on what your organization does. All of these things need to be put into an inventory that is continuously updated. If a cyber incident strikes you, you will then know where to check for problems, and you’ll know what software and assets you have that might be vulnerable.
Everything can't be nailed down as secure all the time. There's only so much money available to protect digital and software assets, so you must perform some threat likelihood calculations.
Some of the ways to think about this:
- How important is the asset in terms of its value?
- What did it cost you to buy it?
- Is there a high likelihood that the asset might be targeted by malicious actors or a low likelihood that it would be hit by malware or some other problem?
- Is the asset of low value?
If it's low value and has a low likelihood of being targeted by malicious actors, then you don't need to worry about it as much as you do an asset with high value.
Then there are essential steps to benefit an organization's network infrastructure protection: improved asset management, access control, awareness training, data security protection policies, maintenance procedures, and automated protection processes.
It’s a lot! A whole basket of risk management activities is central to protecting your organization.
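The two practical questions in this answer, which assets matter most and which of them run software that has just turned out to be vulnerable, are only answerable from a maintained inventory. The script below is an added example, not part of the interview or of the book: it keeps a small asset inventory, ranks assets by a value-times-likelihood score on a three-level scale (the scale is this example's assumption, not one defined by NIST), and answers "which assets run an affected version of product X?" on the day an advisory lands. All asset names, owners and the product `libacme` are constructed.

```python
"""Asset inventory with risk prioritisation and a software-exposure check.

Added example (not from the interview). The inventory records and the
product/version values below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Qualitative scales used by the scoring below. This 1..3 scale is an
# assumption of the example, not a scale the interview or NIST prescribes.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    category: str          # server, laptop, mobile, iot, ot, ...
    owner: str             # who is accountable for the asset
    value: str             # business value: low / medium / high
    likelihood: str        # likelihood of being targeted: low / medium / high
    software: dict = field(default_factory=dict)   # product -> installed version


def risk_score(asset: Asset) -> int:
    """Value x likelihood on the 1..3 scales: 1 (can wait) .. 9 (protect first)."""
    return LEVELS[asset.value] * LEVELS[asset.likelihood]


def prioritise(inventory: list) -> list:
    """Return (score, asset name) pairs, highest risk first."""
    ranked = sorted(inventory, key=risk_score, reverse=True)
    return [(risk_score(a), a.name) for a in ranked]


def _version_tuple(version: str) -> tuple:
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def exposed_assets(inventory: list, product: str, fixed_in: str) -> list:
    """Names of assets running `product` at a version older than `fixed_in`.

    This is the question a current inventory lets you answer when a new
    vulnerability is announced: which of our assets are affected?
    """
    hits = []
    for asset in inventory:
        installed = asset.software.get(product)
        if installed is not None and _version_tuple(installed) < _version_tuple(fixed_in):
            hits.append(asset.name)
    return hits


# Constructed sample inventory (no real systems or products).
INVENTORY = [
    Asset("erp-db-01", "server", "finance", "high", "high",
          {"postgresql": "13.2", "libacme": "2.3.1"}),
    Asset("hr-laptop-17", "laptop", "hr", "medium", "medium",
          {"libacme": "2.4.0"}),
    Asset("lobby-thermostat", "iot", "facilities", "low", "low",
          {"vendor-firmware": "2.4"}),
    Asset("build-agent-03", "server", "engineering", "high", "medium",
          {"libacme": "2.2.7"}),
]

if __name__ == "__main__":
    for score, name in prioritise(INVENTORY):
        print(f"{score}  {name}")
    # Hypothetical advisory: libacme fixed in 2.4.0, everything older is affected.
    print("exposed:", exposed_assets(INVENTORY, "libacme", "2.4.0"))
```

The scoring deliberately stays coarse: the point of the exercise is to decide which assets get attention first with the budget available, and a three-level scale is usually all the evidence an organisation has. The exposure check is the part that fails silently when the inventory is out of date, since an asset that is not recorded is never reported.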
If you could recommend one thing, what would it be?
Always be aware of who has access to which system, for how long, and from where the access is granted. This is critical.
It’s something we’ve all known for a long time, but it's surprising how organizations grapple with understanding who has access. Or they may have granted access to a contractor six months ago and then forgotten to take that access away. That’s an unnecessary risk.
Another thing to consider regarding access management is ensuring users have the least authority possible.
Third-party risk is endemic within cybersecurity. A lot of that stems from the fact that organizations don't apply the level of security they require for themselves to their outside contractors.
You really want to ensure that your contractors and outside third parties follow adequate cybersecurity procedures.
Then it’s crucial to develop a continuity of operations to help deal with incidents once they occur.
Developing an executable response plan and understanding the importance of communications and incident response are critical. It would help if you prepared for corporate-wide involvement during a cybersecurity attack, which means having a detailed plan of who you will call first.
- Are you going to call legal?
- Who is going to call the head of the IT Department?
- Who needs to know what, when, how, and who gets contacted in the event of an incident?
And a critical component of this is establishing processes for handling vulnerability.
To err is human. I think people are incredible, especially in our ability to design systems. All the amazing things we do make the internet what it is. But we're also not perfect. So, this idea of vulnerability is being created in that process. Traditionally, organizations have operated on a principle that could be called Ostrich Risk Management. Let’s pretend that we're not vulnerable! Acknowledging vulnerabilities and establishing procedures for handling them is crucial.
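The access questions raised earlier in this answer (who has access to which system, for how long, from where, whether a contractor's access outlived the engagement, and whether anyone holds more authority than they need) reduce to checks that can be run over an access inventory on a schedule. The following is an added example, not from the interview or the book: a review function over constructed access-grant records that reports expired-contractor, stale, over-privileged and unexpected-network grants. The 90-day re-certification window, the role names and the network labels are assumptions of the example.

```python
"""Periodic access review over an access-grant inventory.

Added example (not from the interview). The grant records, the review window,
role names and network labels are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_AFTER_DAYS = 90                  # re-certify grants older than this (assumption)
PRIVILEGED_ROLES = {"admin", "owner"}   # roles a third party should not hold by default


@dataclass
class Grant:
    principal: str                      # user or service account
    system: str
    role: str
    granted_on: date
    last_used: Optional[date]           # None if the grant has never been exercised
    source_network: str                 # where the access was last exercised from
    contractor_end: Optional[date] = None   # end of engagement; None for employees


def review_grants(grants, today: date, allowed_networks) -> list:
    """Return (principal, system, finding) triples for a human to act on.

    Findings are reported only; nothing is revoked automatically:
      expired-contract      contractor engagement ended but access remains
      stale                 old grant that is unused or not re-certified
      privileged-contractor third party holding an admin-level role
      unexpected-network    last exercised from a network not on the allow-list
    """
    findings = []
    for g in grants:
        if g.contractor_end is not None and g.contractor_end < today:
            findings.append((g.principal, g.system, "expired-contract"))

        age_days = (today - g.granted_on).days
        unused = g.last_used is None or (today - g.last_used).days > REVIEW_AFTER_DAYS
        if age_days > REVIEW_AFTER_DAYS and unused:
            findings.append((g.principal, g.system, "stale"))

        if g.contractor_end is not None and g.role in PRIVILEGED_ROLES:
            findings.append((g.principal, g.system, "privileged-contractor"))

        if g.source_network not in allowed_networks:
            findings.append((g.principal, g.system, "unexpected-network"))
    return findings


# Constructed sample data: review date and grants are made up.
TODAY = date(2022, 7, 15)
ALLOWED_NETWORKS = {"corp-lan", "vpn"}
GRANTS = [
    # Long-standing employee grant, used yesterday from the office: fine.
    Grant("alice", "erp", "user", date(2021, 1, 10), date(2022, 7, 14), "corp-lan"),
    # Contractor whose engagement ended in March, still holding admin: the
    # "granted access six months ago and forgot to take it away" case.
    Grant("bob-contractor", "erp", "admin", date(2022, 1, 5), date(2022, 3, 1), "vpn",
          contractor_end=date(2022, 3, 31)),
    # Service account created a year ago and never used.
    Grant("svc-backup", "storage", "user", date(2021, 6, 1), None, "corp-lan"),
    # Fresh grant exercised from an unrecognised network.
    Grant("carol", "wiki", "user", date(2022, 7, 1), date(2022, 7, 10), "cafe-wifi"),
]

if __name__ == "__main__":
    for principal, system, finding in review_grants(GRANTS, TODAY, ALLOWED_NETWORKS):
        print(f"{finding:22} {principal} on {system}")
```

Run against a real export, the same four checks are the minimum a quarterly access review should answer; the least-authority check is the one most often missing, since a role that was reasonable when granted is rarely revisited once the work it was granted for is done.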
Why is cybersecurity risk management so challenging?
It is a constant challenge. Everything has to be updated. It's a very dynamic environment, and it is continuous work to ensure vendors are resilient during a supply disruption. You have a lot of moving parts. Vendors themselves have suppliers who need to deal with risks the same way you have to deal with them.
My book is helpful because you have it all broken down into a language you can communicate to your constituents, whether that be your executives, employees, or vendors. It's just beneficial advice overall.
How often should risk management or asset management assessments be conducted?
Continuously. If you think about your life, for example, and trying to care for your children, you don't just decide one day, well, this is how we're going to protect them from threats outside of our home. It's something that you just continuously do and monitor, and it's the same thing with cybersecurity risks.
Something can happen today. Something can happen tomorrow. Some new vulnerability can be discovered where suddenly everything is implicated, and everything needs to be revamped. Or your organization needs to rethink different things, so it's not one and done.
Based on the current challenges of cybersecurity and internet costs in Africa, how can organizations be secure from such risks as these?
That's a vast topic: familiarizing yourself with the risk management process. How you think about it, how you begin to prepare for incidents and how you deal with incidents once they occur. The NIST framework tries to encompass this all under a broad umbrella, and our book also touches on it.
I think the first thing to do is to become familiar with cybersecurity practices, educate yourself on the most important things you do, go to conferences, and read the news. Connect with a lot of organizations.
There are also a lot of free resources available. The Cybersecurity and Infrastructure Security Agency, a new arm of the Department of Homeland Security and the Department of Commerce, has a wealth of resources for any organization, wherever you are in the world, to get up to speed on cybersecurity matters.
And from there, you can navigate reports and alerts, and they have specialized portals that deal with ransomware and other topics, such as industrial control security threats that cropped up at the end of last year. NIST is well respected internationally and is an excellent place to start for some of this information. I don’t have any specific insight on issues in Africa.
Thinking about the Solorigate incident from early 2021 and how the APT threat actor compromised SolarWinds' CI/CD system: with the benefit of hindsight, could SW or their customers have done anything differently to have prevented such an attack based on NIST’s CSF?
The SolarWinds attack really sparked all the supply chain focus NIST is trying to get to grips with.
My answer to your question is: yes. Had every organization involved in the SolarWinds supply chain attack practiced perfect cybersecurity risk management, there would not have been the kind of widespread implications that we experienced.
That's the problem - the perfection element of risk management. It is a real challenge.
Having said that, there was a nation-state actor involved in that incident. If a nation-state actor is interested in contaminating your systems, your updates, or your software with malware, there’s very little that the private sector can do other than work closely with intelligence agencies and with Cisco. Sophisticated adversaries are going to find a way to get it.
But if you do everything right, you will minimize the damage when they do.
For more information, watch the full webinar here.