Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/14/2016
10:30 AM
Jim Bandanza and Mike D. Kail
Jim Bandanza and Mike D. Kail
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Risk Management Best Practices For CISOs

What's your company's risk appetite? Our list of best practices can help you better understand a difficult topic.

CISOs tend to be extremely risk averse when it comes to managing their security infrastructure and its ongoing assessment. One key reason is that in the past, CISOs were overly focused on being technical experts without developing an understanding of the business’s “risk appetite”—that is, the level of risk it’s willing to accept—and not communicating effectively with peers, the CEO, and the board. This results in a culture of fear in which engineers aren’t empowered to make strategic choices about security infrastructure. There is also the challenge of having enough resources to both handle current issues and strategically plan for future initiatives. The well-known shortage of cybersecurity engineers combined with the lack of automated tools and platforms is a key contributor to this problem.

Below is our list of best practices for effective risk management for CISOs.

Cultural Challenges
The risk-averse mindset creates a culture of fear in which engineers hesitate to take a transformational approach to cybersecurity resiliency. It also results in a schism between the developers and operations (DevOps) team and the CISO/security team by not taking an innovative, collaborative approach to improving the organization’s security posture. If the security team is always behind, it can get labeled as inefficient or ineffective.

Measuring Resiliency
Without a close working relationship with the DevOps team, CISOs can’t initially determine a baseline measurement of their security resiliency or lack thereof. Without confirming that baseline, it’s impossible to determine if initiatives are actually improving resiliency. “It won’t happen to us” is not the correct approach to cybersecurity and increasing resilience. Not integrating and collaborating with the DevOps team results in security being an afterthought or a periodic manual, nonrepeatable process.

Improving Resiliency
There are a few basic steps that CISOs should take after establishing their resiliency baseline in order to start improving it. We suggest that CISOs perform a value-chain mapping exercise, which will result in a much more detailed pictorial view of the security landscape. The X-axis of this map is “Evolution of Resiliency” and the Y-axis is the “Invisible to Visible Value Chain”—meaning, what solutions currently exist and what can be implemented over the evolution timeline to increase the visibility of security, which has a direct positive effect on resiliency. This exercise will also flesh out any duplicative efforts, which decrease efficiency. After the initial map has been created, it can be used as part of a continuous resiliency improvement process.

Defense In Depth
In addition to the security map, we suggest that you also create risk profiles that are associated with various components of your network, server infrastructure, and application landscape. This is the next level of insight as part of the classic defense-in-depth approach to security, meaning that you should build coordinated layers of security controls and eliminate any single points of failure within your security architecture.

Base Strategy
Creating the security map and set of risk profiles gives the CISO an initial “floor” of their strategy to mitigate risk. They help the CISO prioritize areas of focus, instead of trying to fix every problem at once. It also allows the CISO to share the progress of resiliency with the rest of the company to increase overall security awareness. This starts building a culture where security isn’t viewed as “scary” or “mysterious,” and also helps build a better overall relationship between the CISO/security team and the rest of the company. The “fear, uncertainty, and doubt” approach has proven to not be effective, and in fact, is quite the opposite.

Culture Joins Strategy For Lunch
In order to combine the strategic initiatives with culture, we recommend embracing two of the core tenets of the DevOps culture, collaboration and sharing. Collaborate with all of the application and infrastructure stakeholders to build an inventory of applications, data, and assets. Once you have that inventory, you can then start mapping out your risk matrix, and, while doing so, continually share with the stakeholders to make sure they have insight and awareness during the entire strategy creation process. That should also help during the strategy implementation phase, because none of the plans will be a surprise to anyone. 

A Continuous Approach
In closing, we’d stress that this is an ongoing, continuous process. CISOs can’t just put a strategy in place and ignore input and metrics. Much like with application development, there needs to be a continuous security integration and delivery approach that is constantly be iterated and improved upon.

Related Content:

 

Jim Bandanza is a trusted advisor to top security companies and CISOs worldwide, Jim Bandanza has over 20 years of cybersecurity and software experience. During his career, he has served as executive vice president of field operations and chief operating officer for several ... View Full Bio
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...