Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/14/2016
10:30 AM
Jim Bandanza and Mike D. Kail
Jim Bandanza and Mike D. Kail
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Risk Management Best Practices For CISOs

What's your company's risk appetite? Our list of best practices can help you better understand a difficult topic.

CISOs tend to be extremely risk averse when it comes to managing their security infrastructure and its ongoing assessment. One key reason is that in the past, CISOs were overly focused on being technical experts without developing an understanding of the business’s “risk appetite”—that is, the level of risk it’s willing to accept—and not communicating effectively with peers, the CEO, and the board. This results in a culture of fear in which engineers aren’t empowered to make strategic choices about security infrastructure. There is also the challenge of having enough resources to both handle current issues and strategically plan for future initiatives. The well-known shortage of cybersecurity engineers combined with the lack of automated tools and platforms is a key contributor to this problem.

Below is our list of best practices for effective risk management for CISOs.

Cultural Challenges
The risk-averse mindset creates a culture of fear in which engineers hesitate to take a transformational approach to cybersecurity resiliency. It also results in a schism between the developers and operations (DevOps) team and the CISO/security team by not taking an innovative, collaborative approach to improving the organization’s security posture. If the security team is always behind, it can get labeled as inefficient or ineffective.

Measuring Resiliency
Without a close working relationship with the DevOps team, CISOs can’t initially determine a baseline measurement of their security resiliency or lack thereof. Without confirming that baseline, it’s impossible to determine if initiatives are actually improving resiliency. “It won’t happen to us” is not the correct approach to cybersecurity and increasing resilience. Not integrating and collaborating with the DevOps team results in security being an afterthought or a periodic manual, nonrepeatable process.

Improving Resiliency
There are a few basic steps that CISOs should take after establishing their resiliency baseline in order to start improving it. We suggest that CISOs perform a value-chain mapping exercise, which will result in a much more detailed pictorial view of the security landscape. The X-axis of this map is “Evolution of Resiliency” and the Y-axis is the “Invisible to Visible Value Chain”—meaning, what solutions currently exist and what can be implemented over the evolution timeline to increase the visibility of security, which has a direct positive effect on resiliency. This exercise will also flesh out any duplicative efforts, which decrease efficiency. After the initial map has been created, it can be used as part of a continuous resiliency improvement process.

Defense In Depth
In addition to the security map, we suggest that you also create risk profiles that are associated with various components of your network, server infrastructure, and application landscape. This is the next level of insight as part of the classic defense-in-depth approach to security, meaning that you should build coordinated layers of security controls and eliminate any single points of failure within your security architecture.

Base Strategy
Creating the security map and set of risk profiles gives the CISO an initial “floor” of their strategy to mitigate risk. They help the CISO prioritize areas of focus, instead of trying to fix every problem at once. It also allows the CISO to share the progress of resiliency with the rest of the company to increase overall security awareness. This starts building a culture where security isn’t viewed as “scary” or “mysterious,” and also helps build a better overall relationship between the CISO/security team and the rest of the company. The “fear, uncertainty, and doubt” approach has proven to not be effective, and in fact, is quite the opposite.

Culture Joins Strategy For Lunch
In order to combine the strategic initiatives with culture, we recommend embracing two of the core tenets of the DevOps culture, collaboration and sharing. Collaborate with all of the application and infrastructure stakeholders to build an inventory of applications, data, and assets. Once you have that inventory, you can then start mapping out your risk matrix, and, while doing so, continually share with the stakeholders to make sure they have insight and awareness during the entire strategy creation process. That should also help during the strategy implementation phase, because none of the plans will be a surprise to anyone. 

A Continuous Approach
In closing, we’d stress that this is an ongoing, continuous process. CISOs can’t just put a strategy in place and ignore input and metrics. Much like with application development, there needs to be a continuous security integration and delivery approach that is constantly be iterated and improved upon.

Related Content:

 

Jim Bandanza is a trusted advisor to top security companies and CISOs worldwide, Jim Bandanza has over 20 years of cybersecurity and software experience. During his career, he has served as executive vice president of field operations and chief operating officer for several ... View Full Bio
 

Recommended Reading:

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.