The OWASP® Foundation Threat and Safeguard Matrix (TaSM) is designed to provide a structured, action-oriented approach to cybersecurity planning. This work on the OWASP website by Ross Young explains how to use the OWASP TaSM and how it relates to GenAI risks: https://lnkd.in/g3ZRypWw

These new risks require organizations to think beyond traditional cybersecurity threats and focus on new vulnerabilities specific to AI systems.

* * *

How to use the TaSM in general:

1) Identify Major Threats
- Begin by listing your organization’s key risks. Include common threats like web application attacks, phishing, third-party data breaches, supply chain attacks, and DoS attacks and unique threats, such as insider risks or fraud.
- Use frameworks like STRIDE-LM or NIST 800-30 to explore detailed scenarios.

2) Map Threats to NIST Cybersecurity Functions
Align each threat with the NIST functions: Identify, Protect, Detect, Respond, and Recover.

3) Define Safeguards
Mitigate threats by implementing safeguards in 3 areas:
- People: Training and awareness programs.
- Processes: Policies and operational procedures.
- Technology: Tools like firewalls, encryption, and antivirus.

4) Add Metrics to Track Progress
- Attach measurable goals to safeguards.
- Summarize metrics into a report for leadership. Include KPIs to show successes, challenges, and next steps.

5) Monitor and Adjust
Regularly review metrics, identify gaps, and adjust strategies. Use trends to prioritize improvements and investments.

6) Communicate Results
Present a concise summary of progress, gaps, and actionable next steps to leadership, ensuring alignment with organizational goals.

* * *

The TaSM can be expanded for Risk Committees by adding a column to list each department’s top 3-5 threats. This allows the committee to evaluate risks across the company and ensure they are mitigated in a collaborative way. E.g., Cyber can work with HR to train employees and with Legal to ensure compliance when addressing phishing attacks that harm the brand.

* * *

How the TaSM connects to GenAI risks:

The TaSM can be used to address AI-related risks by systematically mapping specific GenAI threats - such as sensitive data leaks, malicious AI supply chains, hallucinated promises, data overexposure, AI misuse, unethical recommendations, and bias-fueled liability - to appropriate safeguards.

Focus on the top 3-4 AI threats most critical to your business and use the TaSM to outline safeguards for these high-priority risks, e.g.:
- Identify: Audit systems and data usage to understand vulnerabilities.
- Protect: Enforce policies, restrict access, and train employees on safe AI usage.
- Detect: Monitor for unauthorized data uploads or unusual AI behavior.
- Respond: Define incident response plans for managing AI-related breaches or misuse.
- Recover: Develop plans to retrain models, address bias, or mitigate legal fallout.
Aligning Cybersecurity Policies With Evidence-Based Practices
Summary
Aligning cybersecurity policies with evidence-based practices means basing security decisions and procedures on proven research and reliable data rather than assumptions or tradition. This approach helps organizations create policies that address real threats and prioritize actions that have been shown to work, especially as technology and risks evolve.
- Review and document: Regularly update security practices by tracking incidents, documenting processes, and ensuring all procedures are clear and repeatable across the organization.
- Use research-backed controls: Select cybersecurity controls—like patch management, access reviews, and multi-factor authentication—based on their proven track record in reducing risks, not just because they are popular.
- Monitor and adjust: Continuously measure the impact of security actions and adapt policies based on trends, evidence, and feedback from real-world incidents to stay ahead of emerging threats.
-
Working at the intersection of AI governance and security, I found CSET’s issue brief Harmonizing AI Guidance: Distilling Voluntary Standards and Best Practices into a Unified Framework both rigorous and practical. It turns an overwhelming landscape of recommendations into a unified structure that organizations can actually apply.

What the paper outlines
• That vast landscape was distilled into 258 actionable recommendations organized into 5 categories and 34 topic areas
• Without harmonization, matching the same scope would require about 900+ recommendations drawn from seven major frameworks, showing how fragmented today’s guidance has become
• The study used a blend of data-driven and expert methods, combining text embeddings, clustering, and qualitative coding to align overlapping content
• Human reviewers achieved a Fuzzy Kappa agreement of 0.616, considered substantial, confirming consistency across interpretations
• The resulting framework connects Governance, Safety, Security, Privacy, and Detection and Response into one coherent system

Why this matters
• The AI guidance landscape is crowded and inconsistent, creating confusion about where to start
• A harmonized framework makes it easier to align AI practices with existing cybersecurity, privacy, and risk management processes
• It helps organizations identify overlaps, clarify priorities, and focus resources where they have the greatest impact

Key practices highlighted
• Governance – develop organization-wide strategies, integrate AI risk management, and maintain inventories and audits
• Safety – conduct impact assessments, ensure transparency and fairness, and monitor model behavior throughout its lifecycle
• Security – apply secure design, threat modeling, identity management, and vulnerability control
• Privacy – manage data responsibly across collection, use, and retention
• Detection and Response – build audit logging, monitoring, and recovery processes with continuous improvement

Who should act
• Risk and security leaders integrating AI into enterprise controls
• Product, data, and engineering teams applying consistent practices across the lifecycle
• Governance and compliance teams aligning policy and oversight with harmonized frameworks

Action items
• Use the harmonized framework as a baseline across the five categories
• Apply the crosswalk to trace recommendations back to source documents for deeper context
• Build continuous feedback loops linking governance, safety, security, privacy, and response

Bottom line: CSET’s harmonized framework condenses a vast body of AI guidance into a coherent structure organizations can use. It turns complexity into clarity, helping teams align safety, security, and governance without losing breadth or depth.
-
Interesting new paper on the effectiveness of security controls that touches on policy guidance:

Evidence-based cybersecurity policy? A meta-review of security control effectiveness. Daniel W. Woods & Sezaneh Seymour https://lnkd.in/eU-7j2bt (h/t Sasha Romanosky)

Cybersecurity policy should guide firms towards implementing the most effective security controls and procedures. However, there is no authority that collects evidence and ranks cybersecurity controls by efficacy. The evidence needed by policymakers is distributed across academic studies and industry white papers. To address this gap, we conduct a meta-review of studies that empirically evaluate the efficacy of cybersecurity interventions.

Attack surface management and patch cadence were consistently the first and second most effective interventions. Reduced cyber insurance claims frequency was associated with migrating to cloud email and avoiding specific VPN providers. Multi-factor authentication was effective in protecting individual accounts, although inconsistent MFA-implementation undermines efficacy when rolled out across an organisation.

The evidence suggests effectiveness is driven by how a control is implemented more than by a binary yes-no regarding whether it is implemented. Thus, policy measures that mandate specific controls are unlikely to result in risk reduction. Instead, policymakers should aim to support organisations in administering security controls and making risk-based decisions. Successful examples can be seen in policy measures that improve the efficiency of patch management, such as funding for the US National Vulnerability Database, CERT/CC, and the Known Exploited Vulnerabilities catalog.
-
What if your entire organization crumbled... because one unchecked access point went unnoticed? Tech frameworks exist for a reason. Cyber threats evolve daily. Here's the comprehensive cybersecurity framework every leader needs - summarized for action.

→ Information Security
• Review user access permissions regularly.
• Implement data masking for sensitive records.
• Enforce secure protocols for information transfer.
• Conduct periodic data integrity audits.

→ Network Security
• Monitor network traffic for unusual activity.
• Update firewall and IDS software regularly.
• Segment network to isolate critical assets.
• Use VPN for remote network access.

→ Cloud Security
• Enable multi-factor authentication for cloud accounts.
• Encrypt stored cloud data automatically.
• Monitor unauthorized access in cloud resources.
• Audit third-party integrations with cloud services.

→ Application Security
• Perform regular scans for application vulnerabilities.
• Follow secure coding standards and practices.
• Deploy web application firewalls for traffic.
• Run periodic penetration testing on applications.

→ Security Management
• Test and update business continuity plans.
• Train staff on security best practices.
• Assign security responsibilities to specific roles.
• Conduct regular policy compliance assessments.

→ Incident Management
• Maintain updated incident response playbook.
• Run incident response tabletop exercises annually.
• Define and communicate incident escalation steps.
• Log and store incident evidence securely.

→ Problem Management
• Track root causes of recurring issues.
• Review historical trends for problem patterns.
• Formalize workflows for issue resolution consistently.
• Coordinate fixes with vendors as needed.

Implement this framework systematically. Security transforms from burden to competitive advantage.

Follow Vijay Banda for more insights
-
Cybersecurity maturity is not defined by tools. It is defined by documentation, discipline, and execution.

In most enterprises, security incidents don’t escalate because controls don’t exist. They escalate because processes are undocumented, inconsistent, or untested. For tech leaders, cybersecurity at scale is less about buying another product and more about operational readiness.

This framework highlights the documents and templates that actually keep enterprises secure:

Information Security
Breach logs, DLP incident tracking, retention policies, and key management records create accountability and audit readiness.

Network Security
DDoS response plans, risk mitigation reports, patch schedules, and event correlation trackers ensure predictable network defense.

Cloud Security
Access control matrices, backup and recovery testing, incident logs, and configuration baselines are essential for governing dynamic cloud environments.

Application Security
Data handling, encryption practices, and retention policies prevent security gaps from entering the SDLC.

Security Management
Clear policies for information transfer, classification, disposal, and recovery define ownership across teams.

Incident Management
Structured reporting and incident management processes turn chaos into controlled response.

The real question is not “Are we secure?” It is “Can we prove, repeat, and scale our security practices?” Strong security programs are built on clarity, not assumptions. And clarity always starts with documentation.

♻️ Repost to align security and platform leadership teams.
➕ Follow Jaswindder for more enterprise insights on cloud, security, and technology governance.
-
Industrial cyber governance is at a tipping point as legacy models have largely been unable to keep pace with converging IT, #OT, cloud, and AI-driven control systems. Treating cybersecurity as a compliance discipline is no longer a practical approach in a world where cyber incidents lead to safety incidents, production loss, and a rolling #supplychain disruption. IBM’s 2024 Cost of a Data Breach Report highlights breaches involving critical infrastructure as some of the most costly, further highlighting the importance of governance models that anticipate operational risk, rather than audit readiness.

As industrial organizations continue to innovate, Industrial Cyber reached out to industrial cybersecurity experts to throw light on how #cybergovernance architectures should evolve to bring #cybersecurity, operational safety, and business risk together within a unified decision-making framework over the next 12 to 18 months.

“Governance should shift to a unified IT/OT risk council where safety engineers and CISOs share a common language of operational impact,” Paul Shaver, global practice leader at Mandiant (part of Google Cloud)’s Industrial Control Systems/Operational Technology Security Consulting practice, said. “Organizations should integrate OT-specific safety metrics into the standard IT risk framework to ensure cybersecurity decisions are made with production uptime in mind. This evolution requires aligning IT’s data confidentiality goals with OT’s requirement for high availability and human safety.”

Peter Jackson, a principal industrial consultant at Dragos, Inc., said that #industrialcyber governance should be addressed through enterprise-wide #riskmanagement disciplines with appropriate domain specificity. “Boards and senior leadership should treat #industrialcybersecurity as a standing element of GRC, recognizing that operations are often the core business and that cyber risk carries safety, environmental, and financial consequences,” Jackson highlighted.

Organizations need to move from siloed governance to a risk-first model that prioritizes the most critical threats, whether cyber or operational, and updates policies dynamically based on risk assessments, Jacob Marzloff, president and co-founder at Armexa, said. “A shared risk matrix across teams enables consistent trade-offs for safety and cybersecurity. Oversight should be centralized through a cross-functional Risk Committee rather than a single leader, ensuring expertise from IT, engineering, and operations.”

Patrick C Miller, president and CEO at AMPYX CYBER, said to elevate cybersecurity for all critical technologies (both OT and IT) to the risk register at the board level. “It’s time organizations recognize the potential for crippling loss from a cyber event,” he said.