Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/31/2013
04:42 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Once-A-Year Risk Assessments Aren't Enough

Why experts believe most organizations aren't assessing IT risks often enough

While it may be important that security organizations employ effective methods to walking through an IT risk assessment, the frequency with which they go through that process is almost as important as the means of carrying them out. Unfortunately, even when security organizations cover all of their bases in an IT risk assessment, if they don't assess often enough they could still be keeping themselves open to a great deal of risk.

Even though many compliance mandates such as HIPAA require risk assessments only be performed annually, that's not nearly often enough for most organizations, says Gary Alterson, director of risk and advisory services for Neohapsis.

[How do you know if you've been breached? See Top 15 Indicators of Compromise.]

"Given the rapidly changing threat environment and how fast IT moves, I recommend that risk assessments be refreshed and reviewed at least quarterly, if not monthly," Alterson says.

But the reality is that most organizations today have a hard enough time keeping up with their annual risk assessments, says Jim Mapes, chief security officer at BestIT, which is why he says that organizations have to rethink the way they approach the process.

"A better approach is to make risk assessments more of a life cycle and process within the organization," he says. "Perform assessments continuously throughout the year, collecting data on new vulnerabilities, remediation of older vulnerabilities, and identification of problem areas where vulnerability could not be remediated and recording the business decision to mitigate the risk and impact to some other acceptable level."

Crucial to that evolution to a life cycle mentality is building time and resources into the IT life cycle for internal auditors, says Alterson's colleague, Nathaniel Couper-Noles, principle security consultant for NeoHapsis. According to Couper-Noles, one of the most common refrains he has heard from auditees is they're too busy for an internal audit.

"Paradoxically, a lack of reserve capacity actually justifies audit attention as this is often the case when schedules are too aggressive, when projects are in the lurch, controls may be relaxed, and uncorrected small issues lead to bigger ones," he says. "Audit early and audit often, and condition IT teams to design processes and systems so that they can be audited comprehensively, painlessly and effectively."

Part of that design should include day-to-day tracking of operational risk factors that affect the business' security posture. This is especially key for keeping track of changes in the IT environment or the threat environment that happen between assessments. While it may seem a tall task, organizations can at least get started on a more continuous assessment process by prioritizing.

"Don't try to conquer the world all at once! Focus on what matters most by identifying the proprietary, financial, and customer data that we tend to be most risk-adverse about when it comes to its protection," says Luke Klink, security consultant for Rook Consulting.

Finally, most critical is that organizations shouldn't just be assessing risks but also working on mitigating them throughout the life cycle. Leaving the same critical risks to be identified in assessment after assessment is the security equivalent to wheel-spinning and something that Eric Cabetas, managing partner of Include Security, says says organizations do all of the time.

"I've seen a company have an AppSec SDLC assessment conducted yearly, and they pay $200,000 for it just to ignore the recommendations of the consulting company year after year," he says. "The consulting company happily takes their pay and leaves until next year, not providing any value at all to the assessed company. They should have instead done an analysis of why originally identified risks are not being addressed within the client company."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jonathan_Camhi
50%
50%
Jonathan_Camhi,
User Rank: Apprentice
11/1/2013 | 3:51:26 PM
re: Once-A-Year Risk Assessments Aren't Enough
I wholeheartedly agree that the threat landscape right now is changing at too fast of a pace for any organization to wait a fully year in between risk assessments.
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.