11/28/2012
01:12 AM

7 Risk Management Priorities For 2013

CISOs seek more discipline in measuring and mitigating risk in the coming year

As CISOs and risk management pros gear up for a new year, they'll be tasked with sheltering their organizations from a highly dynamic threat environment with a renewed sense of discipline, as regulators, executives, and shareholders increasingly turn the microscope on their IT security practices. Improving and consolidating those practices will take work to line them up with maturing risk management philosophies. According to risk management experts, consultants, and practitioners, enterprises are likely to turn to the following risk management priorities in 2013 to achieve their security objectives.

1. Getting Quantitative
First and foremost, risk management professionals are going to be asked to better measure the performance of their work in the coming year.

"The 2013 trend will be to shift away from risk management implementation and toward the measurement of the performance of those programs," says Tim Erlin, director of IT security and risk strategy for nCircle. "More organizations are losing their security innocence, and they will begin targeting the good, rather than the perfect. Performance management will allow faster, more practical evolution of risk strategies."

According to Doug Landoll, CEO of Assero Security and author of "The Security Risk Assessment Handbook," organizations must get a better grip on the slippery task of quantitative analysis.

"Too many risk assessments, gap assessments, surveys, and other 'measurements' of a security program are based on shaky methods and flawed data gathering," he says.

Landoll suggests that organizations take a balanced approach to measurement through what he calls the Review, Interview, Inspect, Observe, and Test (RIIOT) method. This includes the review of documents about security rules, configurations and controls, interviews of key personnel, inspection of security controls, observation of personnel behavior, and testing of security controls.


2. Using GRC To Improve Business And IT Processes
Not only will security professionals be looking to prove the mettle of their risk management programs through measurable security performance metrics -- they'll also add even more value by finding ways to use those investments to help improve IT and business processes.

"Further evolution of GRC processes, such as data mining and modeling, could transform a company's risk management program into one that drives action," says Steve Schlarman, eGRC solutions architect for RSA, "facilitating process improvement and re-engineering, ultimately resulting in performance gains."

3. Supply Chain Risk Management
As we move into 2013, Bryan Fite, security and mobility portfolio manager for the U.S. and Canada at BT, says to expect more disclosures and discoveries around major supply chain channels. This will put pressure on IT to better assess and manage those risks before they cost the organization.

"Whether it's compromised business partners, Trojaned chips, backdoored embedded systems, broken business processes, rogue humans, or crafty nation-states -- next year we'll see a renewed interest in the subject," Fite says.

4. Human Risks
As more organizations take a cold, hard look at how much human risk factors cost them in IT security incidents compared to any other factor, they'll be looking for better ways to mitigate the risks their people pose.

"Human-risk factors are becoming a key focus thanks to the combination of readily accessible cloud services, BYOD policies that officially sanction data exfiltration, and the increasingly apparent need to reassert a culture of accountability," says Ben Tomhave, senior consultant for LockPath.

How this will affect awareness program implementation is still up in the air, but Scott Gréaux, vice president of product management and services for PhishMe, believes it will require better measurement of how well training is getting through to employees.

"Risk management teams need to stop measuring awareness in page views and number of minutes a user has been in training, and start to focus on critical output metrics, such as user susceptibility and user reported incidents," he says.
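The output metrics Gréaux describes can be computed directly from a simulated-phishing campaign log. The following is an added example, not code from the article or from PhishMe: the event log is constructed, and the event names and record layout are assumptions. Beyond the two metrics named in the quote it also reports the ratio of reporters to clickers and the time from launch to the first report versus the first click, since a report that lands before the first click is what gives the response team a window to block the lure.

```python
"""Output metrics for a simulated phishing campaign.

Added illustration; not from the article or any vendor's tooling. The event
log below is constructed, and the event names and field layout are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed campaign log: (event, user, ISO-8601 timestamp). "sent" marks a
# target, "clicked" a lure click, "reported" a user-submitted report of the lure.
EVENTS = [
    ("sent", "alice", "2013-01-14T09:00:00"),
    ("sent", "bob", "2013-01-14T09:00:00"),
    ("sent", "carol", "2013-01-14T09:00:00"),
    ("sent", "dave", "2013-01-14T09:00:00"),
    ("sent", "erin", "2013-01-14T09:00:00"),
    ("sent", "frank", "2013-01-14T09:00:00"),
    ("sent", "grace", "2013-01-14T09:00:00"),
    ("sent", "heidi", "2013-01-14T09:00:00"),
    ("sent", "ivan", "2013-01-14T09:00:00"),
    ("sent", "judy", "2013-01-14T09:00:00"),
    ("reported", "erin", "2013-01-14T09:02:00"),    # reported before anyone clicked
    ("clicked", "bob", "2013-01-14T09:04:00"),
    ("clicked", "bob", "2013-01-14T09:05:00"),      # second click by same user; counted once
    ("clicked", "dave", "2013-01-14T09:20:00"),
    ("reported", "dave", "2013-01-14T09:25:00"),    # clicked, then reported
    ("clicked", "carol", "2013-01-14T09:30:00"),
    ("reported", "frank", "2013-01-14T09:40:00"),
    ("clicked", "mallory", "2013-01-14T09:50:00"),  # not a target of this campaign; ignored
]


@dataclass
class CampaignMetrics:
    targets: int
    clicked: int                       # distinct targets who clicked
    reported: int                      # distinct targets who reported
    reported_without_clicking: int
    susceptibility_rate: float         # clicked / targets
    report_rate: float                 # reported / targets
    resilience_ratio: Optional[float]  # reported / clicked; None when nobody clicked
    minutes_to_first_click: Optional[float]
    minutes_to_first_report: Optional[float]


def campaign_metrics(events) -> CampaignMetrics:
    """Reduce a campaign event log to per-campaign output metrics."""
    # First pass: who was actually targeted, and when the campaign launched.
    sent_at = {user: datetime.fromisoformat(ts) for kind, user, ts in events if kind == "sent"}
    if not sent_at:
        raise ValueError("no targets in event log")
    launch = min(sent_at.values())

    # Second pass: distinct clickers and reporters among the targets, plus firsts.
    clicked, reported = set(), set()
    first_click = first_report = None
    for kind, user, ts in events:
        if kind == "sent" or user not in sent_at:
            continue  # ignore activity from anyone who was not targeted
        when = datetime.fromisoformat(ts)
        if kind == "clicked":
            clicked.add(user)
            first_click = when if first_click is None else min(first_click, when)
        elif kind == "reported":
            reported.add(user)
            first_report = when if first_report is None else min(first_report, when)

    def minutes_since_launch(t):
        return None if t is None else (t - launch).total_seconds() / 60.0

    targets = len(sent_at)
    return CampaignMetrics(
        targets=targets,
        clicked=len(clicked),
        reported=len(reported),
        reported_without_clicking=len(reported - clicked),
        susceptibility_rate=len(clicked) / targets,
        report_rate=len(reported) / targets,
        resilience_ratio=(len(reported) / len(clicked)) if clicked else None,
        minutes_to_first_click=minutes_since_launch(first_click),
        minutes_to_first_report=minutes_since_launch(first_report),
    )


if __name__ == "__main__":
    print(campaign_metrics(EVENTS))
```

Clicks and reports are counted per distinct target, so repeated clicks by one user do not inflate susceptibility, and activity from accounts that were never sent the lure is dropped rather than skewing the denominator.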

5. Continuous Monitoring
A longtime brass ring for which IT security professionals have been reaching, continuous monitoring is likely to be a big priority for many organizations again in 2013.

"This would include everything from near real-time regulatory compliance checking to near real-time vulnerability detection," says Dan Sherman, director of information security for Telos Corp. "You cannot defend a network without knowing what is happening on it."
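One concrete form of the near real-time compliance checking Sherman mentions is a scheduled check of a host's effective configuration against a written baseline. The block below is an added example, not code from the article or from Telos: it checks an sshd_config-style file, the baseline rules and the sample configuration are constructed, and the table of built-in defaults is an assumption to be confirmed against sshd_config(5) for the OpenSSH version actually deployed. It follows sshd's own rules that the first value for a directive wins, comment lines are ignored, and everything after the first Match line is conditional.

```python
"""Near-real-time compliance check of an sshd_config against a baseline.

Added illustration; not from the article or from Telos. The baseline rules,
the assumed defaults and the sample configuration are all constructed.
Run it on a schedule or from a file-change watcher and forward the findings.
"""
import re
from typing import Callable, Dict, List

# Baseline: directive -> predicate that returns True for an acceptable value.
BASELINE: Dict[str, Callable[[str], bool]] = {
    "PermitRootLogin": lambda v: v.lower() == "no",
    "PasswordAuthentication": lambda v: v.lower() == "no",
    "MaxAuthTries": lambda v: v.isdigit() and int(v) <= 4,
    "X11Forwarding": lambda v: v.lower() == "no",
}

# Value sshd applies when a directive is absent. Assumed here; confirm against
# sshd_config(5) for the OpenSSH version you run, because an absent directive
# is only compliant if the built-in default is.
ASSUMED_DEFAULTS: Dict[str, str] = {
    "PermitRootLogin": "yes",
    "PasswordAuthentication": "yes",
    "MaxAuthTries": "6",
    "X11Forwarding": "no",
}

DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s+(.+?)\s*$")


def parse_global_section(text: str) -> Dict[str, str]:
    """Effective global directives, keyed by lower-cased name.

    sshd keeps the first value it sees for a directive, ignores comment
    lines, and treats everything after the first 'Match' line as
    conditional, which this check leaves out of scope.
    """
    effective: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "match":
            break
        effective.setdefault(name, value)  # first occurrence wins
    return effective


def check_config(text: str, baseline=BASELINE, defaults=ASSUMED_DEFAULTS) -> List[dict]:
    """Evaluate every baseline directive; returns one finding per directive."""
    effective = parse_global_section(text)
    findings = []
    for directive, acceptable in baseline.items():
        key = directive.lower()
        if key in effective:
            value, source = effective[key], "config"
        elif directive in defaults:
            value, source = defaults[directive], "default"
        else:
            value, source = None, "unknown"  # cannot prove compliance
        findings.append({
            "directive": directive,
            "observed": value,
            "source": source,
            "compliant": value is not None and acceptable(value),
        })
    return findings


def noncompliant(findings: List[dict]) -> List[str]:
    """Names of the directives that failed the baseline, in baseline order."""
    return [f["directive"] for f in findings if not f["compliant"]]


# Constructed sample configuration.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for illustration
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
# duplicate below is ignored: sshd keeps the first value
PasswordAuthentication yes
MaxAuthTries 6
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE_SSHD_CONFIG):
        print(finding)
```

On the sample, the commented-out PermitRootLogin line is ignored and the live one fails, the first PasswordAuthentication value passes while the later duplicate and the Match-scoped override are not considered, MaxAuthTries fails, and X11Forwarding passes only on the assumed default, which the finding records as its source so an auditor can tell a checked value from an inferred one.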

Dr. Mike Lloyd says to expect continuous monitoring initiatives to move beyond FISMA and NIST origins.

"Continuous monitoring will be taken up by [or required of] anyone doing business with the U.S. government, and will end the year closer to being a standard 'best practice' for all organizations," says Lloyd, CTO of Red Seal Networks.

6. Speaking The Language
Penetration testing reports, SIEM outputs, and gap assessment action items might be essential to a CISO in advancing risk management maturity, but they won't translate themselves, Landoll says.

"In 2013, CISOs will finally be required to learn the language of the boardroom and need to speak SWOT, ROI, IRR, due diligence, payback period, and other MBA terms," he says. "Your security strategy will need to be mapped to business objectives with clear metrics for tracking progress and tactics for managing success."
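The translation Landoll asks for, from a proposed control to ROI, payback period and IRR, is mechanical once the quantitative inputs from priority 1 exist. The block below is an added example, not code from the article or from Assero Security: it uses the standard single-loss-expectancy (SLE) times annualised-rate-of-occurrence (ARO) model for annualised loss expectancy (ALE) and the usual return-on-security-investment formula, and every dollar figure and frequency in it is constructed. IRR is found by bisection on the net-present-value curve, and the same function reports when a control never pays for itself rather than returning a misleading number.

```python
"""Putting a security control in boardroom terms: ALE, ROSI, payback, NPV, IRR.

Added illustration; not from the article or from Assero Security. It uses the
standard single-loss-expectancy (SLE) x annualised-rate-of-occurrence (ARO)
model and the usual return-on-security-investment (ROSI) formula. Every
dollar figure and frequency below is constructed, not measured.
"""
from typing import List, Optional


def ale(sle: float, aro: float) -> float:
    """Annualised loss expectancy: loss per event times expected events per year."""
    return sle * aro


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return on security investment: (risk reduction - cost) / cost."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    return (ale_before - ale_after - annual_cost) / annual_cost


def payback_years(upfront: float, annual_net_benefit: float) -> Optional[float]:
    """Years until the control has repaid its upfront spend; None if it never does."""
    if annual_net_benefit <= 0:
        return None
    return upfront / annual_net_benefit


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net present value; cash_flows[0] is today's (undiscounted) flow."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = -0.99, hi: float = 10.0) -> Optional[float]:
    """Internal rate of return: the discount rate at which NPV is zero, by bisection.

    Returns None when NPV has the same sign at both ends of the bracket, which
    is the case for a control whose net flows never turn positive.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if f_lo * f_mid <= 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def business_case(sle, aro_before, aro_after, upfront, annual_run_cost, horizon_years):
    """Summarise one control from SLE, ARO before/after, one-time and yearly cost, and horizon.

    Cost for ROSI is the upfront spend spread evenly over the horizon plus the
    yearly run cost; cash flows for NPV/IRR are the upfront spend today followed
    by (risk reduction - run cost) in each year of the horizon.
    """
    ale_before, ale_after = ale(sle, aro_before), ale(sle, aro_after)
    risk_reduction = ale_before - ale_after
    annualised_cost = upfront / horizon_years + annual_run_cost
    net_benefit = risk_reduction - annual_run_cost
    flows = [-upfront] + [net_benefit] * horizon_years
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "risk_reduction_per_year": risk_reduction,
        "rosi": rosi(ale_before, ale_after, annualised_cost),
        "payback_years": payback_years(upfront, net_benefit),
        "npv_at_10pct": npv(0.10, flows),
        "irr": irr(flows),
    }


# Constructed scenario: credential-phishing incidents costing $150k each, two a
# year today, cut to one every two years by MFA plus targeted training.
PHISHING_MFA = dict(sle=150_000, aro_before=2.0, aro_after=0.5,
                    upfront=120_000, annual_run_cost=40_000, horizon_years=3)

if __name__ == "__main__":
    for name, value in business_case(**PHISHING_MFA).items():
        print(f"{name:>24}: {value}")
```

The weak point of any such case is the ARO estimate, so present the before and after frequencies with the evidence behind them (incident history, the RIIOT-style testing from priority 1) rather than only the resulting ROSI, and rerun the case at the pessimistic end of the range before it goes to the board.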

7. Incident Preparedness
Increasingly, IT risk managers are learning that they not only need to mitigate the risks that lead to a security incident, but also to control the risks that follow one. According to Chip Tsantes, incident preparedness will be a top priority in the coming year.

"Companies must be thinking about how to react as a firm, not as a security team. To prepare, they should identify the right contacts, establish appropriate contracts, and define a communication plan and procedures to save valuable time during an attack," says Tsantes, a consultant with Ernst & Young's Information Security Advisory Services.

According to Gréaux, most organizations today are "woefully unprepared" and use outdated and underdeveloped response plans. Not only do they need to work on those, but they also need to put in place detection mechanisms that allow them to find and isolate problems as quickly as possible.

"Making real-time decisions may be ineffective or cause additional damage. Although many organizations employ SIEMs and other 'big data' solutions to help them identify incidents, most have not properly tuned their solutions to properly alert on probable incidents," he says, explaining that many organizations will look to outsource the work to incident detection and response service providers.
