Dark Reading is part of the Informa Tech Division of Informa PLC
7/3/2013
01:16 PM
Doing More Than Paying Risk Management Lip Service

How well does your organization execute on its 'commitment' to guiding security practices through risk management?

While the majority of CISOs may profess a commitment to managing security on risk management principles, the way they actually execute on those principles is often far less rigorous. The unfortunate reality, say experts, is that many organizations simply pay risk management lip service and are not really making security decisions based on risk management metrics.

"It's easy to commit to concepts, but execution depends on something more concrete," says Tim Erlin, director of IT risk and security strategy for Tripwire. "While the idea of managing information security in alignment with business risks is attractive, there's not a lot of guidance or best practice information to inform execution."

A study out last week, sponsored by Tripwire and conducted by the Ponemon Institute, found that while 81 percent of security and risk professionals in the U.S. said their organizations have a significant commitment to risk-based security management, fewer than 30 percent actually have a formal security risk management strategy that is applied consistently across the enterprise.

[Looking for more first steps in moving beyond risk management lip service? See Data Classification Can Boost Risk Management.]

As things stand, organizations would benefit from more self-examination before they can execute well on risk management principles, says Chris Triolo, vice president of professional services for HP's enterprise security products division. He points to a line from the ancient Chinese military strategist Sun Tzu as good advice for security pros: "If you know the enemy and know yourself, you need not fear the result of a hundred battles." Unfortunately, most enterprises today focus on the first half of that equation, the adversary, without really understanding their own capabilities.

"Many organizations we talk to don't know themselves," Triolo says. "In other words, what are their critical assets? Where is there sensitive information? What are they trying to protect? These simple questions -- and the answers -- are the first fundamental step in building a risk management program."

However, Triolo says that in his work with enterprises he has found many firms that don't know what their critical assets are or where they reside. They often have no data classification scheme in place to determine the criticality of assets. And even when they do attempt to keep track of assets, they depend on incomplete lists of servers and resources kept in out-of-date spreadsheets that must be updated manually, he says.

"If organizations haven't addressed these fundamental aspects, then they are probably paying lip service to risk management because how could you do so otherwise?" he says.

Many organizations that have a hard time doing more than simply paying lip service to risk management could be experiencing two of the most common gaps of IT security, says Erlin: a measurement gap and a comprehension gap. These two gaps do a lot to prevent organizations from managing security based on business risk, he says.

"Between the CISO and the rest of the business, there's a comprehension gap; security doesn't speak in terms that the business understands," Erlin says. "The CISO, while trying to bridge this gap, can't actually measure what matters within information security. That measurement gap prevents the CISO from delivering real reporting on the performance of his organization."

Even between the infosec team and the rest of IT operations there is room for misunderstanding about risk appetite when no formal system exists to measure risk and use that measurement to prioritize security activities.

"A common issue in many organizations that I have seen is where the infosec team runs a vulnerability or Web application scan and reports the items requiring remediation, but the team responsible for remediation argues that the CVSS score is inaccurate, the vulnerability is not a factor in their system, etc.," says Larry Slobodzian, senior solutions engineer for LockPath. "The infosec team then has to either prove that the vulnerability is exploitable, fight a political battle to convince management, or simply ignore a vulnerability that may or may not pose a threat."

So where can organizations start in order to mature their risk management practices beyond lip service? A key first step is defining risk and the organization's appetite for it.

"With any vulnerability where risk acceptance is recommended, there is a policy written by a collaboration of the infosec team and managers responsible for remediation, and signed by executive leadership, defining the process and parameters for accepting risk," says Slobodzian. He also suggests a policy that requires vulnerabilities to be analyzed with a methodology such as DREAD (damage, reproducibility, exploitability, affected users, and discoverability), so that the full effect of a particular risk on the organization is measured rather than argued over.

Additionally, says Torsten George, vice president of worldwide marketing, products, and support for Agiliance, organizations should consider creating a common risk nomenclature or risk catalog to integrate IT security risk into the overall enterprise risk management schema. The team in charge of creating such a catalog should include risk managers, security managers, and business unit executives. From there, organizations should look to harmonize tools so that risk management and security management tools work better together.

"Risk management problems often arise because business operations and IT teams have access to different information and tools," George says.

In fact, this tools mismatch could well be a symptom of greater problems -- namely, that risk is defined simply in terms of compliance and security posture, but not according to the business criticality of the asset at risk. No matter what system the organization uses to define risk, it should be considering the asset at play, George says.

"Without a clear understanding of the business criticality that an asset represents to an organization, an organization is unable to prioritize remediation efforts," he says. "A risk-driven approach addresses compliance and security posture as well as business impact to increase operational efficiency, improve assessment accuracy, reduce attack surfaces, and improve investment decision-making."
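The two threads above, Slobodzian's point that disputed scanner scores need a DREAD-style rating plus a signed, parameterized risk-acceptance policy, and George's point that prioritization is meaningless without the business criticality of the asset, can be combined in a small triage routine. The following is an added illustration written for this article, not code from Tripwire, HP, LockPath, Agiliance or the Ponemon study. It assumes DREAD in its common form (each factor rated 0 to 10, averaged), an asset-classification tier table with made-up multipliers, a blend of the scanner's CVSS score with the team's own DREAD rating, and a time-boxed acceptance record; the finding IDs, asset names and scores are constructed sample data.

```python
"""Added example: rank scan findings by DREAD score and asset business
criticality, honouring formal, time-boxed risk acceptances.
Illustrative only; weights, tiers, field names and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Dread:
    """DREAD factors, each rated 0-10 (assumed scale); score is their mean."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def score(self) -> float:
        factors = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        for f in factors:
            if not 0 <= f <= 10:
                raise ValueError("DREAD factors must be rated 0-10")
        return sum(factors) / 5


# Asset tiers come from the data-classification catalog the article says most
# firms lack. The tier names and multipliers are assumptions for this example.
CRITICALITY = {"crown_jewel": 3.0, "business_critical": 2.0,
               "internal": 1.0, "lab": 0.5}


@dataclass
class RiskAcceptance:
    """Signed acceptance per the policy: who approved, why, and until when."""
    approved_by: str
    justification: str
    expires: date


@dataclass
class Finding:
    finding_id: str
    asset: str
    asset_tier: str
    cvss: float                 # scanner's score, often disputed by asset owners
    dread: Dread                # the team's own rating, agreed with the owners
    acceptance: Optional[RiskAcceptance] = None

    def risk_score(self) -> float:
        """Average scanner severity with the DREAD rating, then weight by
        how much the affected asset matters to the business."""
        severity = (self.cvss + self.dread.score()) / 2
        return round(severity * CRITICALITY[self.asset_tier], 2)

    def is_accepted(self, today: date) -> bool:
        """An acceptance only counts while it is unexpired; after that the
        finding silently reopens rather than being ignored forever."""
        return self.acceptance is not None and self.acceptance.expires >= today


def prioritize(findings: List[Finding], today: date) -> List[Tuple[str, float]]:
    """Return open (not validly accepted) findings, highest risk first."""
    open_findings = [f for f in findings if not f.is_accepted(today)]
    ranked = sorted(open_findings, key=lambda f: f.risk_score(), reverse=True)
    return [(f.finding_id, f.risk_score()) for f in ranked]


# Constructed sample findings, not real scan output.
SAMPLE = [
    Finding("F-1", "payroll-db", "crown_jewel", 7.5, Dread(9, 8, 6, 9, 5)),
    Finding("F-2", "lab-web", "lab", 9.8, Dread(3, 9, 9, 2, 9)),
    Finding("F-3", "intranet-wiki", "internal", 6.0, Dread(5, 7, 6, 6, 6),
            acceptance=RiskAcceptance("CIO", "compensating WAF rule in place",
                                      date(2014, 1, 1))),
    Finding("F-4", "hr-portal", "business_critical", 5.5, Dread(6, 6, 5, 8, 4)),
]
TODAY = date(2013, 7, 3)          # acceptance on F-3 still valid
AFTER_EXPIRY = date(2014, 6, 1)   # acceptance on F-3 has lapsed

if __name__ == "__main__":
    print("ranked today:", prioritize(SAMPLE, TODAY))
    print("ranked after expiry:", prioritize(SAMPLE, AFTER_EXPIRY))
```

Note how the ordering differs from a pure CVSS sort: the lab web server with the highest scanner score (F-2, 9.8) drops to the bottom once its negligible business impact is factored in, while the medium-severity payroll database finding (F-1) rises to the top. The accepted intranet finding (F-3) disappears from the queue only while its signed acceptance is in force.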

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
