{"id":14927,"date":"2025-10-09T11:06:27","date_gmt":"2025-10-09T11:06:27","guid":{"rendered":"https:\/\/newestek.com\/?p=14927"},"modified":"2025-10-09T11:06:27","modified_gmt":"2025-10-09T11:06:27","slug":"your-cyber-risk-problem-isnt-tech-its-architecture","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14927","title":{"rendered":"Your cyber risk problem isn\u2019t tech \u2014 it\u2019s architecture"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Establishing an ongoing cyber risk management process, aligned with the governance of the information security management process, is a premise that ensures the survival of the organization. Here, I want to present a practical and strategic view on how to align security architecture, risk governance and organizational culture to build effective cybersecurity programs.<\/p>\n<p>Following the domain model suggested by ISC2 from the perspective of security architecture, I have become convinced of how essential that architecture is to a cyber program. 
This is especially true with emerging technologies such as generative AI, which demand heavy processing in cloud environments hosted on robust data centers.<\/p>\n<p>Beyond their high energy demand, these innovations bring challenges in identity and access management and in the network guardrails that protect workloads, and they require a strong architectural modeling approach that includes governance, risk and compliance (GRC) projects.<\/p>\n<p>In my view, creating a cyber risk management process, combined with the governance of the information security management process, is a premise that ensures the organization\u2019s survival.<\/p>\n<p>If I were asked in an interview what my strategy would be to implement an information security management process, I would say it\u2019s important to consider the organization\u2019s scenario, its context and, finally, the maturity level of the risk culture among stakeholders.<\/p>\n<h2 class=\"wp-block-heading\" id=\"if-the-company-does-not-yet-have-a-risk-oriented-mindset-disseminated-among-stakeholders-and-employees\">If the company does not yet have a risk-oriented mindset disseminated among stakeholders and employees<\/h2>\n<p>It becomes more difficult to sell and implement a cybersecurity program. It is necessary to work intensively, with strong articulation and facilitation alongside business line executives, since pointing out flaws at the start can generate long-term challenges. I\u2019ve had personal experiences where I faced barriers and had to step back.<\/p>\n<p>However, developing a risk culture \u2014 including appetite, tolerance and profile \u2014 within the scope of the management program is essential to provide real visibility into ongoing risks, how they are perceived and mitigated, and to strengthen the organization\u2019s ability to improve its security posture. 
Consequently, the company begins to deliver reliable products to customers, protect its reputation and build a trustworthy image that earns competitive advantage and brand recognition.<\/p>\n<h2 class=\"wp-block-heading\" id=\"if-the-company-already-has-a-mature-risk-culture\">If the company already has a mature risk culture<\/h2>\n<p>Implementing a cybersecurity management project becomes more flexible. Since my goal is to share the mechanics for succeeding with a cybersecurity program, I emphasize below some components of this \u2018recipe\u2019 to consider:<\/p>\n<ol class=\"wp-block-list\">\n<li>Understand the dynamics and scope of the business, mapping the organization\u2019s stakeholders, processes and critical systems, categorizing applications and classifying data to determine the appropriate set of controls (guardrails).<\/li>\n<li>Choose a framework such as NIST CSF 2.0 and understand how to apply it, linking it with ISO 27001, COBIT, CMM, NIST 800-53, SABSA, TOGAF, MITRE ATT&amp;CK, OWASP and others.<\/li>\n<li>Start by defining vision, goals, strategies and objectives, considering what the \u201cGovern\u201d function of the NIST CSF defines as GRC strategy. Example:\u00a0<em>\u201cExpand a threat-driven approach across the organization and a cybersecurity GRC program aligned with business and market compliance standards.\u201d<\/em>\u00a0For each goal, objectives must be defined, such as\u00a0<em>\u201cImprove cyber risk management capabilities, update the structure to NIST CSF and also adopt the use of FAIR.\u201d<\/em><\/li>\n<li>Within the program for continuously measuring maturity, indicators must be defined by combining KPIs and KRIs. 
For example, for a critical control:\u00a0<em>\u201cPatch application: average number of days to remediate a critical\/high vulnerability in Internet-facing and critical systems.\u201d<\/em>\u00a0Measured this way, the program pushes stakeholders and application owners to resolve security issues, raising program maturity and providing transparency for executives.<\/li>\n<li>At this stage, it is recommended to assess the threats and common attack methods to which the organization is exposed and vulnerable. All of this information should be aggregated to make the process robust: a list of threats, risks, preventive and detective controls, and business impacts (e.g., exposure, reputational damage, financial loss). Controls can be defined based on the organization\u2019s scenario, with frameworks like PCI-DSS, COBIT, NIST 800-53, CIS, NIST CSF, CRI, CMM and ISO 27001 serving as references.<\/li>\n<li>This is the critical part of the program: understanding the business-critical assets. Map applications and build a big picture from the results of gap analyses, risk assessments, pen tests and the latest audit findings to support this phase. As stated earlier, mapping applications and supporting that map with a business impact analysis (BIA) is essential to align with business requirements. Governance also plays a role here, defining the policies, standards and procedures of the cyber management program.<\/li>\n<li>At this point, a framework model must be incorporated. Personally, I favor a combination of ISO 27001, NIST CSF, NIST SP 800-30, SP 800-39 and the Risk Management Framework (RMF). In the US financial sector, the Cyber Risk Institute (CRI) also provides excellent material for implementing a program effectively. Moreover, as many companies are already in the cloud, the CIS Controls and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) are other strong contributors. This phase can be considered the heart of the project, given its delicacy. 
It is where the organization\u2019s risk appetite and tolerance are defined, aligned with business objectives. Stakeholder engagement is therefore critical at this stage to foster the risk culture that will determine the project\u2019s success. The CISO\u2019s organizational structure in relation to the cybersecurity domains, which is essential to the program, must also be in place, covering the Identify, Protect, Detect, Respond and Recover functions of the NIST CSF. I also highlight that the first function,\u00a0<em>Govern<\/em>, was addressed earlier, where I pointed out other crucial aspects of the program.<\/li>\n<li>Another important factor to be developed in parallel with raising the risk culture is a continuous information security awareness process. It should include all employees, especially those involved in incident management and cyber resilience. For this group, I recommend tabletop exercises simulating crisis scenarios such as ransomware, phishing, AI-enabled attacks and sensitive data leakage, which prepares the organization to be more resilient when a real incident occurs. I also highlight the importance of training software developers in secure development best practices: today infrastructure and applications alike are defined in code (APIs, containers, serverless, etc.), which requires attention to practices such as SAST, DAST, SCA, RASP, threat modeling and pen testing.<\/li>\n<li>From a technical standpoint, select and implement appropriate controls across the NIST CSF functions: Identify, Protect, Detect, Respond and Recover. The selection of each control for building guardrails will depend on the overall cybersecurity big picture and market best practices. 
For each identified issue, the corresponding control must be determined and then monitored by the three lines of defense: IT and cybersecurity operations as the first line, risk management as the second and internal audit as the third.<\/li>\n<\/ol>\n<p>I can\u2019t detail the full list of appropriate controls for each scenario in this article, but I suggest consulting frameworks such as NIST CSF, AI RMF, CIS Controls, CCM, CRI, PCI-DSS, OWASP and ISO 27001\/27002, which specify each type of control. Example:\u00a0<em>\u201cThreat intelligence to identify and evaluate new cyber threat scenarios that can help the organization mitigate impacts.\u201d<\/em><\/p>\n<p>Finally, the cyber management program must also consider legal, regulatory and regional requirements, including privacy and cybersecurity laws. This covers LGPD, CCPA, GDPR, FFIEC, Central Bank regulations, etc., so that the consequences of non-compliance, which can pose serious issues for the organization, are understood.<\/p>\n<p>Phew\u2026 I hope I have managed to provide a brief overview of architecture and how to build a cyber risk management program aligned with business requirements in a simplified way.<\/p>\n<p>Remember that this is a suggested path I have used and proposed to leaders of organizations I\u2019ve worked with. In general, a well-designed and implemented architecture underpins the entire program and is essential to its success. I reiterate that the alignment between architecture, GRC and the CISO\u2019s role has the potential to determine how much the organization can elevate its capacity against threats and improve its cybersecurity posture.<\/p>\n<p>As a well-known proverb says:\u00a0<em>\u201cI was with him as your architect; day after day I was his delight, rejoicing always in his presence.\u201d<\/em>\u00a0May this knowledge contribute to the success of your cybersecurity program. Retain what is good!<\/p>\n<p><em>Note on sources: I wrote this column based on\u00a0my experience in my job. 
In other\u00a0words, real life\u00a0inside the organization. Last year I finished my short course about cyber risk management at Harvard, and I had to develop\u00a0a cyber risk plan. This article was based on this project as well as my experience in\u00a0cyber risk working for various organizations. Sources used include <a href=\"https:\/\/www.nist.gov\/cyberframework\" target=\"_blank\" rel=\"noreferrer noopener\">NIST CSF<\/a>, <a href=\"https:\/\/cyberriskinstitute.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">CRI<\/a> and the <a href=\"https:\/\/cloudsecurityalliance.org\/research\/guidance\" target=\"_blank\" rel=\"noreferrer noopener\">Cloud Security Alliance<\/a>. For mentions of ISC2, I\u2019m an instructor for CCSP and CGRC certifications, and ISC2 provides some materials for the GRC perspective.<\/em><\/p>\n<p><strong>This article is published as part of the Foundry Expert Contributor Network.<br \/><\/strong><a href=\"https:\/\/www.csoonline.com\/expert-contributor-network\/\"><strong>Want to join?<\/strong><\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The creation of an ongoing cyber risk management process, aligned with the governance of the information security management process, is a premise that ensures the survival of the organization. Here, I want to present a practical and strategic view on how to align security architecture, risk governance and organizational culture to build effective cybersecurity programs. 
Following the domain model suggested by ISC2 from the perspective&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14927\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14927","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14927","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14927"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14927\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14927"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14927"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14927"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}