Lately, I've been engaged in various discussions about what should drive our security efforts: risk or threats. It's an interesting debate, and today I want to explore it with you in a more engaging and enjoyable way.
Let's start with the risk-based approach. Ideally, this is the way to go. It involves identifying the key assets and evaluating the likelihood and potential impact of negative events to them. We often refer to these key assets as the "Crown Jewels." By understanding the likelihood and impact of those bad events, we can allocate appropriate resources to protect them effectively.
On the other hand, there's the threat-oriented perspective. Here, the focus is less on identifying the potential impact and likelihood of events and more on pinpointing threat activity that is likely to target our organization. For instance, organizations adopting a threat-oriented view would identify the most common malware families affecting similar organizations and implement controls to prevent, detect, and respond to them.
Big parenthesis here: talking about threat versus risk doesn't make much sense from a purist point of view, since threat is one component of risk (risk is usually expressed as a function of threat, vulnerability, and impact). But for simplification purposes, I'd say that the "risk-oriented" view is focused on key assets, while the "threat-oriented" view is focused on threat activity.
So, while risk-based efforts revolve around safeguarding high-impact assets, threat-based efforts emphasize countering prevalent threats. Security operations professionals typically prefer the threat-based approach. They observe a direct correlation between the threats they track and the incidents they handle, which leads them to concentrate on malware prevention, threat intelligence acquisition, and detection techniques.
Conversely, data security professionals, security architects, and risk managers are usually more inclined toward the risk-based approach. They want to first identify what truly matters and needs protection and then design controls around those assets. This approach helps optimize efforts by focusing resources on mitigating risks instead of wasting them on prevalent but relatively harmless threats.
The "threat team" argues that it makes sense to protect against the activity they actually observe, regardless of the nature and location of the key assets. In their experience, the effort of identifying key assets takes too long, and the resulting inventory is never accurate enough to be useful.
Both teams aim to optimize efforts, but they take different approaches. So, why the disparity?
The choice between risk and threat orientation depends on several variables, such as the type and size of the business, the potential classes of impact, and even the profile of the security team. Asking a team with a background in security operations to work in a risk-based manner might not yield the best results, just as asking data security or risk managers to operate in a threat-oriented fashion might not be as effective.
Adopting a risk-based mindset helps us avoid the trap of pursuing absolute security or overspending on protection. On the other hand, threat orientation ensures that our security measures align with real-world threat activity observed in other organizations.
Striking a balance is crucial. This debate only yields a wrong answer when it tries to settle on a definitive, one-sided solution.
From my personal perspective, the threat-based approach has always appeared more pragmatic. However, there are many edge cases where it may result in unnecessary efforts or misguided focus. If I had to provide a single answer, I would suggest:
"Do it in a threat-based manner, but always conduct a sanity check considering your key processes and assets."
Now, I'd love to hear your thoughts. How would you approach this challenge?