Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/23/2019
03:55 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Rethinking Risk Management

Where most organizations fall short in risk management tools, technologies, and talent, and how they can improve.

It's time for organizations to reevaluate their approach to risk management and consider new, more effective techniques and strategies, Jack Jones, chairman of the FAIR Institute and executive vice president of R&D at RiskLens, told attendees this week at the FAIR Conference.

Modern businesses are increasingly aware of risk management's importance; however, many fail to implement the right approach for their specific needs, Jones explained in an interview with Dark Reading ahead of this year's show, taking place this week in Washington, DC.

"Over the last several years, the conversation around risk quantification and risk analysis has evolved from 'can it be done' to 'should we do it,' and now, 'how do we do it,'" he said. The "how" is a problem for many risk professionals who try to implement change and are challenged by organizational and industry inertia that pushes back against them, Jones said.

Some of the pushback they normally hear: "We already do risk management," "What we've been doing works; why change?" and "What you're proposing is not yet 'best practice.'"

Jones' focus today is on the value proposition of risk management programs. "Part of what we expect to provide to this conference is helping people have those conversations and helping them describe the value proposition for change," he said. There are multiple paths to risk quantification and risk management; Jones wants people to understand which is best for them.

One of the major holes in modern programs is they aren't actually managing risk. "What's they're doing is controls management," said Jones, explaining how this approach is more checklist-based than compliance-based. "That's superficial from a risk perspective because they're not applying any rigor to measuring how those controlled instances matter," he added.

Compounding the problem are tools and technologies the industry relies on. He pointed to the Common Vulnerability Scoring System (CVSS) as an example. "It's great at characterizing certain aspects of technical deficiencies, but it's not a risk measurement," Jones explained.

If an organization has two systems with the same deficiency – for example, a SQL injection flaw – CVSS would call that critical. But if one of those systems is Internet-facing, doesn't hold sensitive data, and doesn't provide a path to other systems, it may not be as critical as it seems.

When something like CVSS labels "a tremendous number of things" critical when they may not be, it can generate a lot of noise for a business. "It's a losing battle," said Jones. "You have to have better metrics than that to be cost-effective in risk management."

Tips for Better Risk Management

There are four components to determine how well an organization can manage the risk landscape: models, the data applied to those models, skills of people doing the work, and the tools they use. Oftentimes, risk analysis is performed by anyone in the business who happens to be assigned to the work, Jones noted, and many companies lack risk measurement tools.

The first step should be training people assigned to risk analysis. "Training accomplishes two things: it normalizes mental models around what risk is and how to measure it, and it also teaches them how to make estimates and use data effectively," he said. Regardless of whether the organization is a Fortune 100 company or smaller, and regardless of the path they want to take or how far they plan to take risk analysis, "having that sort of clarity is huge," Jones added.

How to know if a risk management program is actually working? "I would argue noise reduction," he said. As an example, he describes the "risk register," or one of the biggest sources of noise in most risk management programs. This might be a spreadsheet or governance, risk, and compliance (GRC) tool where a business lists top worries and concerns.

The risk register should not be a "dumping ground" for things you're worried about, Jones said. It should contain risk factors, and if you're going to measure and manage something you must be sure what you're measuring and managing against. "What we're actually trying to manage is the frequency and magnitude of loss events," said Jones. If you stuff things into a risk register that aren't risks but are measured as risk, it messes with the ability to effectively prioritize.

One of the first things organizations are encouraged to do is reconcile the risk register. Businesses often list hundreds of "risks" that aren't risks, said Jones. Reconciling the risk register can help them cut down on noise and prioritize risks that matter most to the company.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The 20 Worst Metrics in Cybersecurity."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15864
PUBLISHED: 2021-01-17
An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page.
CVE-2021-3113
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...