The MOST Important Cybersecurity Principle

Asset management is most commonly associated with cybersecurity hygiene, which in turn is associated with patching, anti-virus, access control, and other asset-specific protections. However, there are three NIST CSF sub-categories that I want to bring to your attention, along with how they align with a mission-based cybersecurity risk program.

ID.AM-1: Physical devices and systems within the organization are inventoried.
ID.AM-2: Software platforms and applications within the organization are inventoried.
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.

These three sub-categories are the foundation of your organization's cybersecurity program, specifically, your cybersecurity risk program.
Some factors to keep in mind when developing a priority methodology:

  • The role the asset plays in generating revenue
  • The asset's importance to ongoing operations
  • The asset's cost to replace or protect
  • ...

Top 2 Measurement Challenges

When measuring risk in your organization, you'll typically discover two challenges. First, your top key risk measures will not have supporting data (they are aspirational). Second, you'll be developing middle- to low-level measures that do have supporting data but do not entirely address the risk.

The lack of data to calculate a particular measure is no reason not to measure the risk; these are your aspirational measures. Setting an organizational ambition or goal for your cybersecurity program to report against over time is a good strategy, and it allows your cybersecurity program to mature.

Calculating the percentage of assets identified as critical requires two data points: first, the total number of assets, and second, the total number of critical assets. If you don't have these numbers, you can start by collecting secondary data and establishing secondary measures that drive towards the aspirational goal of calculating the percentage of assets identified as critical.



Risk Owners

There are many stakeholders in cybersecurity, and it makes sense to outline roles and responsibilities in terms of how each role impacts cyber resiliency.

  1. The board of directors
    1. February 21, 2018, SEC guidance requires board oversight in terms of cyber (
  2. Chief Information Security Officer (CISO)
    1. There are two types of CISOs: a governance CISO and an operational CISO.
  3. Data Privacy Officer (DPO)
    1. The General Data Protection Regulation (GDPR) requires that organizations that process privacy data have a DPO.
  4. Compliance Manager or Officer
    1. This is an individual with the responsibility to ensure the company complies with its outside regulatory obligations and internal policies.
  5. Auditors
    1. Auditors are responsible for developing, planning, and executing IT audit programs based on risk assessments.
  6. Legal team
    1. The legal team will be involved in cyber when a breach occurs and most likely will review all external communications before...

What to Focus on First

What to focus on first: mission-based cybersecurity

  • Systems supporting the mission, vision, and services
  • Regulatory systems - PCI, HIPAA, SOX, GDPR

Prioritizing remediation is based on quantifying the three primary financial impacts:

  1. Business interruption cost
  2. Data exfiltration cost
  3. Regulatory cost


Author: Dr. Bill Souza | Jun 27, 2022 


Improving Risk Program

There are some simple rules that you can start applying today to ensure improvements to your cyber risk program.

  1. Define the problem
  2. Define risk
  3. Define critical
  4. Identify and inventory critical assets or systems
  5. Identify risks

These rules apply to small, medium, and large businesses with corresponding difficulty levels.

Author: Dr. Bill Souza | Jun 25, 2022 


Cyber Risk Myth

Before even discussing cyber risks to the organization, you need to have identified the systems supporting the mission, vision, and services your organization provides (a.k.a. revenue streams).
This step will allow you to establish "value," so when you discuss cyber risks, you'll confidently be able to discern which risks you'll be able to accept, mitigate, or transfer.
ISO 27001, specifically clause 4.1, starts with you identifying the organization's objectives; the NIST Cybersecurity Framework (NIST CSF) starts with ID.AM-1 and ID.AM-2, that is, with identifying and inventorying physical devices and software platforms.
Skipping this critical step will only drive your cybersecurity strategy from an operational to a tactical realm, making it difficult to connect your approach (investment and strategy) to what is important to the organization.

Author: Dr. Bill Souza | Jun 11, 2022 


Strategy Development & Implementation

Cybersecurity has changed more in the last five years than it has in the ten years preceding it. Cyberattacks are constantly changing and evolving, but cybersecurity professionals must have structure and strategy; without structure and a plan, cybersecurity professionals will continue aimlessly in their pursuit of protecting the organizations they serve.

All this change is chaos and disorder, a new form of fear, uncertainty, and doubt (FUD), one that, although backed by facts, lacks direction or a documented strategy.

If it is so difficult for us to document our cyber assets and identify those assets that have an impact on our organization's revenue, how in the world are we going to do anything about the threats we face?

We can't; it's that simple. And any CISO call to arms that suggests we can is a stopgap measure, a call to disillusionment and ultimate disaster, because our stopgaps are not solutions.

Fortunately, there are tools to assist us with strategy...


Lost in the Vulnerability Fog

With laws and regulations increasingly requiring organizations to demonstrate that mission- or business-critical information systems and IT infrastructures are protected, the challenge becomes: with over 164,000 known vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database and 546 attack patterns identified and documented so far by Common Attack Pattern Enumeration and Classification (CAPEC), where do you start?

In a study that became known as the "Jam Experiment," Iyengar and Lepper (2000) were the first to demonstrate the choice overload effect: large choice sets attract people but, at the same time, increase the difficulty of choosing. Drawing a parallel, cybersecurity professionals face many vulnerabilities (>164,000) and many assets to protect, which leads to unsatisfactory solutions.

Most guidance offered to Subject Matter Experts (SMEs), or organizations for that matter, leads them to identify the...


President Biden’s Statement on National Cybersecurity

cybersecurity governance | Apr 25, 2022

President Biden stated, “If you have not already done so, I urge our private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year. You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely.”

However, the real question is: are organizations ready to implement cyber defenses? The basis for this rhetorical question is that, with the speed of change, IT transformations, new mandates, and the great resignation, among other factors, organizations may be challenged to implement cybersecurity strategically. There's no lack of guidance for critical infrastructure or corporate infrastructure, with standards and frameworks such as:

  • ISO/IEC 27001
    • ISO/IEC 27032 on cybersecurity 
    • the multipart ISO/IEC 27033 on network...

5 Cybersecurity Challenges

Five challenges

First, the objective of improving cybersecurity is vague and broad. Organizations sometimes struggle with how to measure any improvement to their cybersecurity posture, or any improvement after an investment. What is even worse is that you may be measuring the wrong thing. In 2015, the Global Information Security Workforce Study (GISWS) surveyed more than 14,000 security professionals, of which 1,800 were federal employees. The survey concluded that not only are we not getting better, but we are going backward.

Although this seems pessimistic, it is supported by facts: in 2014, the year before the survey, one billion records were compromised, which led Forbes magazine to refer to 2014 as "the year of the data breach." Jumping forward to 2021 with the benefit of hindsight, we can confirm that the GISWS survey's conclusion that we are going...
