As our world becomes increasingly interconnected and reliant on digital technologies, the importance of cybersecurity cannot be overstated. Cyberattacks are becoming more sophisticated and frequent, and organizations must proactively defend themselves against these threats. One critical aspect of cybersecurity that is often overlooked is context.
Context refers to an organization’s unique characteristics and needs, including its business operations, infrastructure, and risk appetite.
Security governance is an essential component of any cybersecurity program. It provides a framework for managing security risks and ensuring security measures align with business objectives. However, many organizations make the mistake of relying too heavily on policy frameworks without considering their context. Policy frameworks provide guidelines for developing security policies but do not account for an organization’s specific needs and circumstances.
Tony UcedaVelez, founder and CEO of the cybersecurity consulting firm VerSprite, has identified this as the underlying problem with security governance built on policy frameworks. He argues that policies should be developed with a contextual approach that considers an organization’s unique capabilities, controls, and processes. A one-size-fits-all approach to policy development is unlikely to be effective and may even be counterproductive.
“Context is king when it comes to cybersecurity,” Tony UV states on his company’s blog. “Policies must be tailored to an organization’s specific needs and circumstances to be effective. This means a security strategy must take into account factors such as the organization’s business model, technology stack, outsourcing model, and inherent threats. A set of policies solely inspired by a framework, without considering these contextual factors, is unlikely to be effective.”
Tailored policy development is crucial for building effective security governance. Policies should be developed with a focus on protecting the organization’s assets and ensuring business continuity. They should be designed to foster a security culture across the organization and should be regularly reviewed and updated to reflect changes in the organization’s context. Policies should also be developed with flexibility in mind, as they may need to be modified and expanded over time.
Aligning policies with a reputable framework can be beneficial, but it should not be the only focus of policy development. Frameworks provide a useful starting point, but they should not be followed blindly. Policies must be developed with a contextual approach that considers the unique needs and circumstances of the organization.
In addition to policy development, context is critical in other cybersecurity areas. For example, threat intelligence, the information gathered about potential threats to an organization’s security, must be relevant and actionable to be useful. Contextualizing threat intelligence means weighing each report against the organization’s actual assets, exposures, and vulnerabilities, prioritizing what applies to them, and setting aside what does not.
Context is also crucial in incident response. When a security incident occurs, it is essential to understand the context of the incident to respond to it effectively. This means understanding the organization’s infrastructure, data, and applications and the potential impact of the incident on these assets. Without this context, incident response efforts are unlikely to be effective and may even exacerbate the damage caused by the incident.
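As an added example (not code from this page, from VerSprite, or from the PASTA methodology), the following Python sketch applies the point of the two preceding paragraphs: the same asset inventory is used first to filter and rank a threat intelligence feed by what the organization actually runs and how exposed it is, and then to enrich a raw alert with asset context so responders can judge impact up front. The hostnames, versions, feed identifiers, weights and thresholds are all constructed for illustration and do not refer to real advisories or systems.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    """One entry in the organization's asset inventory (the 'context')."""
    name: str
    software: Dict[str, str]   # product -> installed version
    internet_facing: bool
    data_classification: str   # "public", "internal" or "confidential"
    criticality: int           # 1 (low) .. 5 (business-critical)


@dataclass
class Intel:
    """One item from a threat intelligence feed."""
    ident: str                 # placeholder feed identifier, not a real advisory
    product: str
    vulnerable_below: str      # installed versions strictly below this are affected
    severity: float            # severity as reported by the feed, 0..10
    exploited_in_wild: bool


# Constructed sample inventory and feed; hosts, versions and identifiers are placeholders.
INVENTORY = [
    Asset("web-01", {"nginx": "1.24.0", "openssl": "3.0.9"}, True, "confidential", 5),
    Asset("build-01", {"jenkins": "2.401"}, False, "internal", 3),
    Asset("kiosk-07", {"vlc": "3.0.18"}, False, "public", 1),
]
FEED = [
    Intel("feed-entry-1", "openssl", "3.0.10", 7.5, True),
    Intel("feed-entry-2", "jenkins", "2.402", 9.8, False),
    Intel("feed-entry-3", "exim", "4.97", 9.8, True),   # nothing in our inventory runs exim
    Intel("feed-entry-4", "vlc", "3.0.19", 5.0, False),
]

DATA_WEIGHT = {"public": 1.0, "internal": 1.2, "confidential": 1.5}


def version_key(version: str) -> Tuple[int, ...]:
    """Compare versions numerically: as plain strings, '3.0.9' would sort above '3.0.10'."""
    return tuple(int(part) for part in version.split("."))


def affected_assets(item: Intel, inventory: List[Asset]) -> List[Asset]:
    """Assets that run the affected product at a version below the fixed one."""
    return [
        a for a in inventory
        if item.product in a.software
        and version_key(a.software[item.product]) < version_key(item.vulnerable_below)
    ]


def contextual_score(item: Intel, asset: Asset) -> float:
    """Scale the feed's severity by what the asset is worth and how exposed it is."""
    score = item.severity
    score *= DATA_WEIGHT[asset.data_classification]
    score *= 1 + (asset.criticality - 1) * 0.25   # criticality 1..5 -> factor 1.0..2.0
    if asset.internet_facing:
        score *= 1.5
    if item.exploited_in_wild:
        score *= 2.0
    return score


def prioritize(feed: List[Intel], inventory: List[Asset]) -> List[Tuple[str, float, List[str]]]:
    """Drop feed items that hit nothing we run; rank the rest by contextual score."""
    ranked = []
    for item in feed:
        hits = affected_assets(item, inventory)
        if not hits:
            continue   # irrelevant to this organization, however severe elsewhere
        best = max(contextual_score(item, a) for a in hits)
        ranked.append((item.ident, best, [a.name for a in hits]))
    ranked.sort(key=lambda entry: entry[1], reverse=True)
    return ranked


def enrich_alert(alert: Dict[str, str], inventory: List[Asset]) -> Dict[str, object]:
    """Attach asset context to a raw alert so responders can judge impact immediately."""
    asset = next((a for a in inventory if a.name == alert["host"]), None)
    if asset is None:
        # A host missing from the inventory is itself a finding: the context is incomplete.
        return {**alert, "known_asset": False, "impact": "unknown"}
    if asset.criticality >= 4 or asset.data_classification == "confidential":
        impact = "high"
    elif asset.internet_facing or asset.criticality >= 3:
        impact = "medium"
    else:
        impact = "low"
    return {
        **alert,
        "known_asset": True,
        "internet_facing": asset.internet_facing,
        "data_classification": asset.data_classification,
        "criticality": asset.criticality,
        "impact": impact,
    }
```

Run against the constructed data, `prioritize(FEED, INVENTORY)` puts the OpenSSL item first even though the feed rates the Jenkins and Exim items more severely: it is the only one that lands on an internet-facing, business-critical host holding confidential data, and the Exim item disappears entirely because nothing in the inventory runs it. `enrich_alert` does the same for response: an alert on `web-01` is flagged high impact before anyone opens a ticket, while an alert on a host absent from the inventory is reported as unknown rather than silently scored low.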
In all its operations, VerSprite applies PASTA (Process for Attack Simulation and Threat Analysis), a threat modeling methodology co-authored by Tony UV that approaches cybersecurity comprehensively and considers threats in the context of the business and its objectives. This has allowed VerSprite to develop evidence-based, effective cybersecurity strategies throughout its practice.
In conclusion, context is a critical component of modern cybersecurity. Security governance must be developed with a contextual approach that considers the unique characteristics and needs of an organization. Policies, threat intelligence, and incident response efforts must all be tailored to the organization’s context to be effective. Failure to consider context can lead to ineffective cybersecurity measures and leave organizations vulnerable to cyberattacks. By adopting a contextual approach, organizations can build a strong security posture that is effective in defending against modern cyber threats.