Asset Classification and Risk Prioritization: The Secret to Effective Remediation

Roee Shohat, Head of Go to Market
March 27, 2024

In cybersecurity, where alerts are constantly flooding in, it can be overwhelming to decide where to start. This is why asset classification and risk prioritization are key steps in the remediation lifecycle. As we’ve previously discussed, it’s a good idea to structure them around business impact.

How this approach is taken will vary significantly between industries, organization size, and security and risk management approaches. Let’s explore business impact analysis (BIA), the most common approach, with the goal of improving collaborative remediation efforts between security and engineers.

What is BIA?

BIA is one of the most common methods used to understand how disruptions can affect a business's assets. Within the realm of security, it offers a systematic approach for determining which vulnerabilities pose the greatest risk to critical business assets according to their potential impact and likelihood of occurrence. This helps align remediation strategies with business objectives to ensure that security efforts and resources are directed towards assets that are most critical for maintaining business continuity and achieving organizational goals.

BIA consists of questionnaires for relevant stakeholders that can either be filled out independently or carried out as interviews. We also recommend consulting with engineers who have worked on the assets under assessment, as they can contribute critical technical expertise and help facilitate the most efficient implementation of risk-mitigating efforts.

How do I Build a BIA?

There are many online examples of BIA questionnaires for those who don’t wish to build their own from scratch. Before issuing them, we would still recommend approaching your organization’s leaders and anyone who works directly with the assets that will be assessed for feedback. They can provide important insight to help optimize the relevance and coverage of the questionnaires.

Ultimately your goal is to obtain a ranked list of assets according to criticality. Of course, it’s only human nature for most department heads to list their assets as the most business-critical. To avoid the inaccuracies this can produce, it is helpful to provide context within the questionnaire itself around its purpose with tips for how ratings should be given. With such guidance and knowledge about the real impact their answers will have, respondents will ideally provide more reliable rankings.

If your organization already employs risk assessments, you can rejoice in half the job being taken care of. Your responsibility instead will be to identify the BIAs with the highest impact and quickly create your own ranking.

How do I Prioritize Risks According to BIA?

Once your BIAs have been collected or sourced, it’s time to select the top 10-20% of business assets / applications to officially prioritize for remediation. We’d recommend running this list by both tech and business stakeholders, as well as the leaders they report to. Their “stamp” of approval represents important buy-in for your process. Be prepared for this to take several meetings before a consensus is reached.

After finalizing this list, it may be expedient to define, or revisit, how this top percentile of assets should be handled in terms of remediation timelines, SLAs and control objectives. It may be necessary to make adjustments within your organization’s Vulnerability Management and Patching Policy for a more tailored approach to addressing security vulnerabilities based on newfound criticalities and exposure levels.

In the event that such adjustments aren’t possible, and specific provisions cannot be issued, it would be wise to set basic guidelines for the top percentile of critical assets. For example, if your current remediation SLA fails to account for criticality and business impact, consider adding a new section that specifically addresses this gap. Such an addition would require shortening the remediation SLAs for critical assets in order to align remediation efforts more closely with the level of risk they pose.

[Table: Suggested Remediation Timelines]

[Table: Suggested Remediation Timelines For All Assets]

Final Steps

All of the effort put into prioritizing assets and establishing guidelines for them can only be effective if it is properly communicated to relevant stakeholders. It is also essential to gather data on past vulnerabilities, especially around SLA compliance, in order to realistically predict future SLA progress.
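The following is an added example, not code from the original post: it turns the BIA questionnaire ratings into a criticality ranking, tiers the top 20% of assets for a shorter remediation SLA (the prioritization step above), and computes the past SLA-compliance baseline that the final steps call for. The asset names, ratings, vulnerability history and SLA day counts are all constructed or assumed placeholders, not the post's own figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean

# Assumed SLA days per (tier, severity); the post's own timeline table is not reproduced.
SLA_DAYS = {"critical": {"critical": 7, "high": 14, "medium": 30},
            "standard": {"critical": 14, "high": 30, "medium": 90}}

@dataclass
class BiaResponse:
    asset: str
    respondent: str
    score: int  # questionnaire rating, 1 (low) to 5 (high business impact)

# Constructed sample questionnaire answers (two respondents per asset).
SAMPLE_RESPONSES = [
    BiaResponse("payments", "cfo", 5), BiaResponse("payments", "eng-lead", 5),
    BiaResponse("crm", "sales", 4), BiaResponse("crm", "eng-lead", 3),
    BiaResponse("hr-portal", "hr", 3), BiaResponse("hr-portal", "eng-lead", 4),
    BiaResponse("wiki", "ops", 2), BiaResponse("wiki", "eng-lead", 2),
    BiaResponse("blog", "marketing", 1), BiaResponse("blog", "eng-lead", 2),
]
# Constructed vulnerability history: (asset, severity, found, fixed or None if still open).
SAMPLE_VULNS = [
    ("payments", "high", date(2024, 1, 1), date(2024, 1, 10)),
    ("payments", "critical", date(2024, 1, 1), date(2024, 1, 12)),
    ("wiki", "high", date(2024, 1, 1), date(2024, 1, 20)),
    ("blog", "medium", date(2024, 1, 1), None),
]

def rank_assets(responses, top_fraction=0.2):
    """Average each asset's ratings and return {asset: tier}; the top
    fraction (the post's 10-20%) is tiered "critical", the rest "standard"."""
    scores = {}
    for r in responses:
        scores.setdefault(r.asset, []).append(r.score)
    ranked = sorted(scores, key=lambda a: mean(scores[a]), reverse=True)
    n_critical = max(1, round(len(ranked) * top_fraction))
    return {a: "critical" if i < n_critical else "standard"
            for i, a in enumerate(ranked)}

def sla_compliance(tiers, vulns):
    """Fraction of closed findings fixed on or before the SLA deadline for
    their asset's tier (open findings excluded): the past-compliance baseline."""
    closed = [(tiers[a], sev, f, x) for a, sev, f, x in vulns if x is not None]
    if not closed:
        return 0.0
    met = sum(1 for t, sev, f, x in closed
              if x <= f + timedelta(days=SLA_DAYS[t][sev]))
    return met / len(closed)
```

Feeding real questionnaire exports and ticket history into the same two functions gives the dashboard figures the post recommends tracking over time.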

Remember to temper expectations for this process: it takes time, and even once complete, meaningful change takes time to manifest. The best way to track your progress is by systematically collecting relevant information and representing it in an easy-to-read dashboard. It is also important to encourage different teams to continuously identify areas for improving SLAs, which the triage teams can then integrate into their work with engineering. Not only does this systematic approach ensure organization, but it also fosters a culture of collaboration that is essential for effective, cross-organizational remediation.