3. Building a Dynamic Defence: Adopting a Risk Driven Approach

Cyber threats exploiting the latest technologies and emerging vulnerabilities can occur more quickly than organisations can implement traditional security measures. As part of the Secure by Design principles, adopting a risk driven approach ensures that your organisation’s cyber defences remain relevant and effective. With the ability to respond quickly to emerging threats, organisations can strengthen their overall security posture, protecting themselves from both known and unknown attacks.

The Importance of a Risk-Driven Approach

The Secure by Design framework emphasises the need to “adopt a risk-driven approach.” This means organisations must first establish their risk appetite by:

  1. Determining how much risk they are willing to tolerate.
  2. Identifying their most valuable assets and the impact of their loss.
  3. Defining the appropriate people in the business to ultimately own risks that can’t be fully treated, terminated or transferred.

From this baseline, risks can be continuously assessed, taking into account whether defences remain relevant and robust, the impact of changes within the organisation itself, and the evolving threat landscape.

The Activities of a Risk-Driven Approach

To maintain a proactive defence and achieve the outcomes included in the Secure by Design principles, organisations should implement the activities outlined by CDDO, Cabinet Office:

  1. When preparing a business case, cyber security requirements must be included so the appropriate funding, resources, skills and time can be allocated to effectively manage cyber security risks.
  2. When devising a service strategy and setting objectives, it’s important to establish what level of cyber-related risk the project is willing to take on.
  3. Delivery teams and risk owners for digital services need to be aware of the cyber security obligations they’re required to meet.
  4. Asset owners should understand the value of the information, applications and infrastructure they’re responsible for so they can assess the impact of compromise, loss or unavailability.
  5. Service delivery teams should be aware of the potential threat actors who may try to harm your organisation as well as their motivation, intentions and capabilities.
  6. When delivering a service, you need to understand how robust it will be when faced with cyber-attack techniques which could be used to exploit vulnerabilities.
  7. When delivering a digital service, you need to identify, analyse and evaluate the potential cyber security risks. It is important to embed risk analysis and evaluation into digital delivery processes to continuously be aware of the highest priority risks.
  8. When building a digital service, you should leverage appropriate security control frameworks as a blueprint to select controls from as part of security risk management. Your organisation may already have preferred security control frameworks which should.
  9. When delivering a service, your approach to responding to security risks is based on your risk appetite. You need to decide whether to accept them or propose appropriate mitigations.
  10. When IT components within your service are no longer required, there are various security responsibilities that must be carried out. These include decommissioning software and hardware, removing user access, and shutting down infrastructure such as domains.

The Tools of Dynamic Risk Management

Threat Modelling: This process helps identify potential vulnerabilities by mapping out how an attacker might compromise a system. By proactively evaluating where weaknesses lie, organisations can strengthen defences before threats materialise. Threat modelling is an iterative process that must evolve as new threats emerge.

Nine23 can help to identify potential vulnerabilities within your systems and digital assets. This process maps out how an attacker might exploit weaknesses, drawing on frameworks such as OWASP and MITRE ATT&CK, enabling you to pre-emptively strengthen your defences.

Working with clients including regulators such as the FCA and FSA and commercial enterprise clients such as KPMG and Raytheon, and throughout the lifecycle of projects where risks to data assets and corporate reputation can vary significantly, Nine23 has first-hand experience in developing services and solutions tailored to specific threat assessments and risk appetites.

Security Risk Assessments: A comprehensive risk assessment evaluates the likelihood and impact of cyber threats on your organisation. These assessments provide insight into the vulnerabilities in your infrastructure, helping you prioritise which areas require immediate attention. Performing regular assessments ensures that your defences are updated to reflect the latest threats and business changes.

What is the difference between an audit and an assessment?

Unlike a penetration test, which identifies vulnerabilities in the current configuration of the infrastructure, Nine23 can work with organisations to assess the risks to infrastructure, processes and people (culture), both in their current state and in identifying a good ‘future state’. This includes a risk assessment expressed in clear business language to inform cyber security investment decisions, as well as deeply technical risk assessments to define key areas of focus for cyber security enhancement.

Conclusion

Staying ahead of evolving threats is not a one-time effort but a continuous process that demands vigilance. Nine23 helps implement a continuous risk management process, enabling organisations to regularly review and update their security measures.

By partnering with Nine23, organisations can implement a dynamic, risk-driven cyber security strategy that continuously adapts to the evolving threat landscape. Through ongoing risk assessments, threat modelling, and proactive monitoring, Nine23 empowers your organisation to stay ahead of cyber threats and build long-term resilience.
