Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/14/2016
10:30 AM
Jim Bandanza and Mike D. Kail
Jim Bandanza and Mike D. Kail
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Risk Management Best Practices For CISOs

What's your company's risk appetite? Our list of best practices can help you better understand a difficult topic.

CISOs tend to be extremely risk averse when it comes to managing their security infrastructure and its ongoing assessment. One key reason is that in the past, CISOs were overly focused on being technical experts without developing an understanding of the business’s “risk appetite”—that is, the level of risk it’s willing to accept—and not communicating effectively with peers, the CEO, and the board. This results in a culture of fear in which engineers aren’t empowered to make strategic choices about security infrastructure. There is also the challenge of having enough resources to both handle current issues and strategically plan for future initiatives. The well-known shortage of cybersecurity engineers combined with the lack of automated tools and platforms is a key contributor to this problem.

Below is our list of best practices for effective risk management for CISOs.

Cultural Challenges
The risk-averse mindset creates a culture of fear in which engineers hesitate to take a transformational approach to cybersecurity resiliency. It also results in a schism between the developers and operations (DevOps) team and the CISO/security team by not taking an innovative, collaborative approach to improving the organization’s security posture. If the security team is always behind, it can get labeled as inefficient or ineffective.

Measuring Resiliency
Without a close working relationship with the DevOps team, CISOs can’t initially determine a baseline measurement of their security resiliency or lack thereof. Without confirming that baseline, it’s impossible to determine if initiatives are actually improving resiliency. “It won’t happen to us” is not the correct approach to cybersecurity and increasing resilience. Not integrating and collaborating with the DevOps team results in security being an afterthought or a periodic manual, nonrepeatable process.

Improving Resiliency
There are a few basic steps that CISOs should take after establishing their resiliency baseline in order to start improving it. We suggest that CISOs perform a value-chain mapping exercise, which will result in a much more detailed pictorial view of the security landscape. The X-axis of this map is “Evolution of Resiliency” and the Y-axis is the “Invisible to Visible Value Chain”—meaning, what solutions currently exist and what can be implemented over the evolution timeline to increase the visibility of security, which has a direct positive effect on resiliency. This exercise will also flesh out any duplicative efforts, which decrease efficiency. After the initial map has been created, it can be used as part of a continuous resiliency improvement process.

Defense In Depth
In addition to the security map, we suggest that you also create risk profiles that are associated with various components of your network, server infrastructure, and application landscape. This is the next level of insight as part of the classic defense-in-depth approach to security, meaning that you should build coordinated layers of security controls and eliminate any single points of failure within your security architecture.

Base Strategy
Creating the security map and set of risk profiles gives the CISO an initial “floor” of their strategy to mitigate risk. They help the CISO prioritize areas of focus, instead of trying to fix every problem at once. It also allows the CISO to share the progress of resiliency with the rest of the company to increase overall security awareness. This starts building a culture where security isn’t viewed as “scary” or “mysterious,” and also helps build a better overall relationship between the CISO/security team and the rest of the company. The “fear, uncertainty, and doubt” approach has proven to not be effective, and in fact, is quite the opposite.

Culture Joins Strategy For Lunch
In order to combine the strategic initiatives with culture, we recommend embracing two of the core tenets of the DevOps culture, collaboration and sharing. Collaborate with all of the application and infrastructure stakeholders to build an inventory of applications, data, and assets. Once you have that inventory, you can then start mapping out your risk matrix, and, while doing so, continually share with the stakeholders to make sure they have insight and awareness during the entire strategy creation process. That should also help during the strategy implementation phase, because none of the plans will be a surprise to anyone. 

A Continuous Approach
In closing, we’d stress that this is an ongoing, continuous process. CISOs can’t just put a strategy in place and ignore input and metrics. Much like with application development, there needs to be a continuous security integration and delivery approach that is constantly be iterated and improved upon.

Related Content:

 

Jim Bandanza is a trusted advisor to top security companies and CISOs worldwide, Jim Bandanza has over 20 years of cybersecurity and software experience. During his career, he has served as executive vice president of field operations and chief operating officer for several ... View Full Bio
 

Recommended Reading:

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15488
PUBLISHED: 2020-09-30
Re:Desk 2.3 allows insecure file upload.
CVE-2020-15849
PUBLISHED: 2020-09-30
Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account could abuse this vulnerability to recover sensitive data from the application's database, allowing for a...
CVE-2020-14375
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. Virtio ring descriptors, and the data they describe are in a region of memory accessible by from both the virtual machine and the host. An attacker in a VM can change the contents of the memory after vhost_crypto has validated ...
CVE-2020-14376
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A lack of bounds checking when copying iv_data from the VM guest memory into host memory can lead to a large buffer overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system...
CVE-2020-14377
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A complete lack of validation of attacker-controlled parameters can lead to a buffer over read. The results of the over read are then written back to the guest virtual machine memory. This vulnerability can be used by an attack...