Today’s Cyber Risk Methodology Starts with the Ability to Measure IoT

By Curtis Blount, CSO

For more details on InsightCyber’s maturity model and risk methodology, read our white paper: InsightCyber IoT Risk Methodology.

To truly measure, implement, and improve IoT cybersecurity, ICS organizations must continually evolve and mature. As Peter Drucker, the father of modern management, is often quoted as saying: “If you can’t measure it, you can’t improve it.” But many organizations don’t have a clear sense of where they are today, or how to improve for tomorrow.

Our IoT Maturity Model

InsightCyber understands this. That’s why we’ve developed a hybrid risk and maturity model to assess and rate IoT cybersecurity, combining the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Department of Energy Cybersecurity Capability Maturity Model (C2M2), plus some additions of our own. The result is a single growth plan that covers the whole of cybersecurity across an organization’s entire lifecycle.

The C2M2 assesses capability and progression within a discipline. We have adopted it to measure the maturity of cybersecurity capabilities within IoT. The model consists of 10 domains and provides a measurement for each, identifying areas of weakness and strength and showing where the organization stands relative to its industry peers.


The NIST CSF differs from the C2M2 in that it assesses against industry standards and best practices. Instead of ten domains, the NIST CSF is organized around five cybersecurity functions (Identify, Protect, Detect, Respond, Recover). The NIST CSF does, however, denote a progression expressed as Implementation Tiers, from Partial (Tier 1) through Risk Informed and Repeatable to Adaptive (Tier 4). Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. NIST is careful to say that the Tiers are not maturity levels in the C2M2 sense, but they do indicate how rigorous and risk-aware an organization’s practices are, which is exactly the signal a maturity model needs.

Our approach doesn’t stop at the combination of those two frameworks. With IoT cybersecurity we must also take into consideration the organization’s internal IoT Operations and IoT Controls: IoT Operations describe “how” operational tasks are carried out, and IoT Controls describe the “why” behind them.

IoT Risk Methodology

The best of each of these approaches is combined in the InsightCyber Risk Methodology™. InsightCyber IoT risk assessments use an underlying risk methodology that focuses on specific control areas: critical assets, infrastructure, IoT controls, IoT operations, and connectivity. We do this by reviewing the existing IoT security posture.

Our methodology also emphasizes operational best practices for each Control area, as well as the organizational effectiveness and maturity of internal policies and procedures.


There are three types of risk assessments performed by InsightCyber depending upon where the ICS/OT organization is currently on the IoT Maturity Curve: Rapid Assess, Security & Risk Assess, and IoT Lifecycle.

Rapid Assess. The IoT Rapid Assess service tells you what assets you have, what they’re doing, who is talking to whom, how they are communicating, and whether they are vulnerable to cyberattacks. This service is for an ICS organization that is at the very beginning of understanding IoT cybersecurity. Rapid Assess also provides fully actionable, context-enriched reporting, visualization and events, and detects rogue devices, unauthorized applications and services, and cyber infiltrations that are already running in the ICS environment.

Security & Risk Assess. This service is used when an ICS organization has achieved executive buy-in for developing an IoT cybersecurity program. It is a comprehensive ICS cyber risk assessment covering all aspects of an organization’s ICS environment, and it aims to be as efficient as possible. We assess people, processes, controls, connectivity, technologies and safety conditions. We get deep into the weeds and gauge the effectiveness of existing controls, cyber exposure, and the risks to operations, revenue and corporate impact.

IoT Lifecycle. Finally, the ICS organization has achieved a high level of maturity. There is an established ICS cybersecurity program and risk management process in place, and the board has established a budget for the program. At this stage the question becomes “how valid is the cybersecurity and risk program?” The InsightCyber IoT Lifecycle service is that validation assessment. It is designed to assess the operational IoT cybersecurity and risk management operations and processes. With the IoT Lifecycle, we take a deep dive into the process of running and managing IoT cybersecurity activities.

Curtis Blount is the Chief Security Officer of InsightCyber.


Copyright © 2018-2020, Insight Cyber Group, Inc. All rights reserved.
