In the first of the “Threat Based Security Model” series, I will explore the problem with our current approach to security and explore potential solutions.

Catastrophic cyber failure occurs when a single vulnerability leads to the breach of an entire organization. This has become a regular occurrence today; but what’s more troubling is that catastrophic cyber failures are seen in organizations with large security teams and multi-million dollar budgets.

Here’s a paradox worth noting: the more an organization implements a “by the book” security strategy, the more vulnerable they seem to be.  Why?

Every organization faces different threats and should focus on vulnerabilities specific to them. But that is not what’s happening today.  The prevailing security trend is buying a box for addressing every threat—irrespective of whether the threat is relevant or not to the company.  Subsequently security teams spend their time and money working through endless lists of “to do’s,” overlooking gaps in risk reduction.  To stop catastrophic cyber failures, we must move away from today’s static compliance model to a security framework that is threat-driven.  We need an adaptive cyber threat model.

The adaptive cyber threat model (ACT) is a simple threat-based security model for organizations to ensure cyber risks are identified and addressed. Unlike prescriptive compliance-driven security models, ACT is a recursive algorithm that breaks the complex task of identifying, planning, acting and evaluating cyber threats into four steps:

Step 1: Identify cyber threats specific to an individual organization; sort threats into groups (i.e., threats facing infrastructure, threats facing executives, etc.)

Step 2: Create policies and procedures to mitigate the identified threats in each group (e.g., limiting critical data access to only a few individuals from a specific location)

Step 3: Determine the appropriate access control, data encryption, and process isolation to support desired policy goals for each threat group. Note the focus here is finding configuration changes to meet goals, vs buying a product.  If a new security product is necessary, then it is purchased but only after the capabilities of existing products are considered

Step 4: Evaluate the products’ security capabilities against threats to determine which cyber risks are mitigated (and which are not).  Feed this data back into the initial cyber threat model—this process is iterative and continually improving

The goal of ACT is to provide organizations a way to avoid a catastrophic cyber failure by highlighting critical vulnerabilities based on a threat model.  As threats change, ACT allows IT/Security professionals to evaluate if they need to tweak existing systems, or escalate for one or more groups. IT/Security personnel iterate on the ACT model until they achieve a point of “acceptable” cyber risk.

ACT shifts the focus away from buying boxes to managing cyber risk on a day to day basis.   ACT also demonstrates the use of a threat-based cyber security strategy needn’t be complex.

Organizations can mitigate the risk of a catastrophic cyber failure by simple manipulations that will make them more secure – if they ACT.

In the next blog post, we’ll look at developing a cyber threat model to help guide an organization’s activities.