
However, developing a risk culture, which includes risk appetite, tolerance and profile, is essential to give real visibility of the risks in scope of the management programme, of how they are understood and mitigated, and to strengthen the organisation's ability to improve its security posture. As a result, the company can deliver reliable products to customers, protect its reputation and build a trustworthy image that earns competitive advantage and brand recognition.
If the company already has a mature risk culture, implementing a cybersecurity management project becomes more flexible. Since my goal is to share the mechanics of achieving success in a cybersecurity programme, I emphasise a few components of this 'recipe':
- Understand the dynamics and scope of the business; map the organisation's stakeholders, processes and critical systems; and classify applications and data to determine the appropriate set of controls (guardrails).
- Understand the choice and application of frameworks such as NIST CSF 2.0 aligned to ISO 27001, COBIT, CMM, NIST SP 800-53, SABSA, TOGAF, MITRE ATT&CK, OWASP, among others.
- Start by defining the vision, goals, strategies and objectives, taking the Govern function of NIST CSF 2.0 as the basis for the GRC strategy. Example goal: "Expand a threat-driven approach across the organisation and build a cybersecurity GRC programme aligned with business and market compliance standards." For each goal, define measurable objectives, such as "Improve cyber risk management capabilities, restructure the programme around NIST CSF 2.0, and adopt FAIR for risk quantification."
- Within the programme, define indicators, combining KPIs and KRIs, to measure maturity continuously. For example, a key control metric: "Patch Applications: Average number of days to patch Critical/High vulnerabilities in internet-facing and critical systems." Such metrics give the programme leverage to persuade stakeholders and application owners to resolve security issues, raise the programme's maturity, and provide transparency to regulators and auditors.
- At this stage, assess the threats and common attack methods to which the organisation is exposed and vulnerable. Collect everything needed to strengthen the process: the list of threats, risks, preventive and detective controls, and business impacts (e.g., reputational damage, financial loss). Controls can be defined based on the organisation's landscape, with frameworks such as PCI DSS, COBIT, NIST SP 800-53, CIS Controls, NIST CSF, CRI, CMM and ISO 27001 serving as references.
- An important part of the programme is understanding business-critical assets. Map applications to support this step, building the bigger picture from the results of gap analysis, risk assessment, penetration testing and even the latest audit findings. As stated earlier, application mapping and business impact analysis (BIA) are essential to align with business requirements. Here, governance also defines the policies, standards and procedures of the cyber management programme.
- At this point, an outline model is needed. Personally, I support a combination of ISO 27001, NIST CSF, NIST SP 800-30, SP 800-39 and the RMF (SP 800-37). In the US financial sector, the Cyber Risk Institute (CRI) also provides excellent material on effectively implementing a programme. Additionally, since many companies are already in the cloud, the CIS Controls and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) are other strong contributors. Given its criticality, this phase can be considered the heart of the project: this is where the organisation's risk appetite and tolerance are defined, aligned with business objectives. Stakeholder involvement at this stage is therefore important to foster the risk culture that will determine the project's success. The CISO's organisational structure for the cybersecurity domain, which is essential to the programme, should also be in place, covering the Identify, Protect, Detect, Respond and Recover functions of the NIST CSF. I also refer back to the first step, addressed earlier, where I pointed out other important aspects of the programme.
- Another factor to develop in parallel with the risk culture is a continuous information security awareness process. It should involve all employees, and especially those involved in incident management and cyber resilience. For this group, I recommend tabletop exercises that simulate crisis scenarios such as ransomware, phishing, AI-enabled attacks and sensitive data leakage, which prepare the organisation to be more resilient in times of crisis. I also highlight the importance of training software developers in secure development practices, because today everything is defined in code (APIs, containers, serverless, etc.), which demands attention to practices such as SAST, DAST, SCA, RASP, threat modelling and penetration testing.
- From a technical perspective, select and implement appropriate controls across the NIST CSF functions: Identify, Protect, Detect, Respond and Recover. The choice of each control used to build guardrails will depend on the overall cybersecurity picture and market best practice. For each identified issue, determine the corresponding controls, each monitored by the three lines of defence (IT and cybersecurity, risk management, and internal audit).
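The patch-latency KPI quoted above is only useful if it is computed consistently, and the usual trap is averaging only findings that were already fixed: findings still open after weeks of ageing vanish from the average and flatter the programme. The following Python is an added example, not code from the article, that computes the KPI from a constructed vulnerability-scanner export in both forms (closed-only and with open findings counted at their current age) and derives a companion KRI, the share of in-scope findings past SLA. The SLA thresholds, field names and sample findings are assumptions made for the illustration.

```python
"""Added example: patch-latency KPI and SLA-breach KRI from scanner findings."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLAs in days, per severity (illustrative, not from the article).
SLA_DAYS = {"critical": 7, "high": 30}
IN_SCOPE_SEVERITIES = set(SLA_DAYS)


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str
    internet_facing: bool
    business_critical: bool
    first_seen: date
    fixed_on: Optional[date]  # None while the finding is still open


def in_scope(f: Finding) -> bool:
    """KPI scope: Critical/High findings on internet-facing or business-critical assets."""
    return f.severity.lower() in IN_SCOPE_SEVERITIES and (f.internet_facing or f.business_critical)


def age_days(f: Finding, as_of: date) -> int:
    """Days to fix for a closed finding; days open so far for an open one."""
    end = f.fixed_on if f.fixed_on is not None else as_of
    return (end - f.first_seen).days


def patch_kpi(findings, as_of: date) -> dict:
    """Average days to patch, reported both ways so the gap between them is visible."""
    scoped = [f for f in findings if in_scope(f)]
    closed = [f for f in scoped if f.fixed_on is not None]
    avg = lambda fs: round(sum(age_days(f, as_of) for f in fs) / len(fs), 1) if fs else None
    return {
        "avg_days_closed_only": avg(closed),        # what a naive report shows
        "avg_days_including_open": avg(scoped),     # open findings counted at current age
        "open_count": len(scoped) - len(closed),
        "closed_count": len(closed),
    }


def sla_kri(findings, as_of: date) -> dict:
    """KRI: in-scope findings whose age (fixed or still open) exceeds the severity SLA."""
    scoped = [f for f in findings if in_scope(f)]
    breached = [f for f in scoped if age_days(f, as_of) > SLA_DAYS[f.severity.lower()]]
    return {
        "breached": len(breached),
        "in_scope": len(scoped),
        "breach_ratio": round(len(breached) / len(scoped), 3) if scoped else 0.0,
        "breached_assets": sorted({f.asset for f in breached}),
    }


# Constructed sample export (not real data); reporting date is the end of the quarter.
AS_OF = date(2024, 3, 31)
SAMPLE = [
    Finding("web-portal", "critical", True, True, date(2024, 3, 1), date(2024, 3, 5)),    # fixed in 4 days
    Finding("api-gw", "high", True, False, date(2024, 2, 1), date(2024, 3, 20)),          # fixed in 48 days
    Finding("erp-db", "high", False, True, date(2024, 2, 15), None),                      # open for 45 days
    Finding("vpn-edge", "critical", True, False, date(2024, 2, 1), None),                 # open for 59 days
    Finding("dev-wiki", "high", False, False, date(2024, 1, 1), None),                    # out of scope: not critical/exposed
    Finding("intranet", "medium", True, False, date(2024, 1, 1), date(2024, 3, 1)),       # out of scope: medium
]

if __name__ == "__main__":
    print("KPI:", patch_kpi(SAMPLE, AS_OF))
    print("KRI:", sla_kri(SAMPLE, AS_OF))
```

On the sample data the closed-only average is 26 days, while counting the two long-open findings at their current age raises it to 39 days and the SLA KRI shows three of four in-scope findings breached. Reporting the two averages side by side, with the breach ratio, is what makes the metric hard to game by simply not closing old findings.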
I cannot detail a complete list of controls appropriate for each scenario in this article, but I recommend consulting frameworks such as NIST CSF, the NIST AI RMF, CIS Controls, CSA CCM, CRI, PCI DSS, OWASP and ISO 27001/27002, which specify each type of control. Example: "Threat intelligence to identify and evaluate new cyber threat scenarios, helping to mitigate their impact on the organisation."

