Integrating MITRE With COBIT: Goals Cascading From the Strategic to Tactical Levels

Protecting enterprises from malicious code and software requires that governance and cybersecurity practitioners take a comprehensive approach. Many people believe that governance, risk and compliance (GRC) is a path to cybersecurity. Others believe that GRC is a part of cybersecurity. However, based on 56 years of scientific research in audit, expertise theory, schema theory, judgment and decision-making (JDM), and human capital theory, it is clear that governance professionals should leverage design factors such as enterprise strategy, enterprise goals, risk profile and current IT issues (pain points) to determine which cybersecurity practices and controls are necessary rather than aligning governance to cybersecurity practices that might not be warranted. In other words, without inherent risk, there is no need for cybersecurity practices, frameworks or tools.

Cybersecurity efforts must be commensurate with an enterprise’s risk appetite and tolerance levels. So, the question is, how can a practitioner assess and articulate risk from the board level to the code level using industry models such as the COBIT®1 and MITRE ATT&CK frameworks?