Removing Fear by Moving to Risk-Based Security Programs

Cyber-attacks can cost companies millions of pounds with the potential to shut down operations in the blink of an eye. Despite this, security teams do a poor job of prioritizing risk and sometimes do not even understand risk management. 

This may seem counterintuitive – security teams avoiding the adoption of strategic risk management when risk has never been more important. Since GDPR raised the profile of privacy in the public eye, we have seen organizations behave differently. A greater investment in modern security infrastructure and processes has followed.

However, despite it being clear that data breaches can cause significant business damage, the likelihood of a truly catastrophic breach still seems too far removed for people to consider it seriously. Additionally, the cloud, while introducing some new challenges, has solved some persistent old issues like inventory and logging.

What’s holding security teams back?  
Most cybersecurity organizations are dealing with both a skills shortage and an overwhelming tool stack. This has caused many organizations to adopt a “keep the lights on” attitude. Historically, that results in teams being overwhelmed by endless alerts, updates and mandates that keep the already stretched security workforce stuck in a constant state of fending off threats.

The security team’s inability to communicate in the language of the business hinders both funding and the ability to solve the problem. To remedy this, organizations should take a step back and evaluate enterprise risk and cybersecurity risk through the same lens. Only then can a holistic security strategy be implemented.

It’s clear that IT or cyber-risk can no longer be a secondary consideration – it needs to become the focal point of enterprise security strategy. The motivation behind risk management must evolve from fear of fines and reputational damage to mitigating risk and driving, or at least aligning with, business value.

Working toward continuous risk-centric programs
Making IT risk management a continuous process, part of daily activities, is often overlooked by organizations. Instead, they might conduct penetration tests every now and again, failing to make them routine.

The reality is that cyber-attackers are constantly probing defenses and looking for opportunities to compromise. Implementing continuous risk monitoring, with programs such as continuous penetration testing, is paramount if enterprise security teams are to succeed.

The first step to implementing risk-centric IT is to evaluate what is most important and valuable to the organization and build a program around those findings. Unfortunately, organizations most often assess their programs against industry standards and assumed best practices to identify gaps. While that kind of assessment can provide insight and help an organization “check the boxes” to achieve compliance, basing security on compliance does not necessarily improve a company’s risk profile and can still leave critical data assets under-protected.

Instead of allowing a compliance checklist to drive security strategy, organizations need to adopt a culture of risk transformation, where every item on that checklist is surrounded by control, planning and continuous risk monitoring.

This requirement for risk transformation is becoming increasingly profound with the adoption of new IT resources and paradigms that are dramatically expanding enterprise attack surfaces, such as digital transformation, SensorNet, cloud, DevOps, etc.

Fundamentally, risk transformation changes security strategy from an outside-in perspective, where external threats and regulations drive strategy, to an inside-out perspective, where organization-specific business risk dictates security strategy and spend. The days of buying yet another tool to combat yet another threat are over – there aren’t enough people to run the infrastructure glut that results from that strategy.

Lastly, the “serious” threat in the media may in fact pose only a minimal threat to certain organizations. Money and manpower should not be spent combating it until the risk has actually been measured.

How can you communicate value?
Traditionally it has been left to the CISO to figure out security while the rest of the organization remains fixed on traditional risks such as lawsuits, supply chain disruption and product recalls. This needs to change. Implementing a risk-centric security strategy not only reduces the likelihood of serious cybersecurity incidents, but also makes it easier to communicate the value of IT operations to the board.

For example, protecting the company from a £2 million-per-day system outage holds more weight with an executive than telling them that 600 network intrusions are being investigated. Only once CISOs move away from the outside-in “fear and avoidance” approach to a strong “inside-out” approach to risk management can businesses make use of a risk IT framework and communicate in value terms.

What’s hot on Infosecurity Magazine?