Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/14/2016
10:30 AM
Jim Bandanza and Mike D. Kail
Jim Bandanza and Mike D. Kail
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Risk Management Best Practices For CISOs

What's your company's risk appetite? Our list of best practices can help you better understand a difficult topic.

CISOs tend to be extremely risk averse when it comes to managing their security infrastructure and its ongoing assessment. One key reason is that in the past, CISOs were overly focused on being technical experts without developing an understanding of the business’s “risk appetite”—that is, the level of risk it’s willing to accept—and not communicating effectively with peers, the CEO, and the board. This results in a culture of fear in which engineers aren’t empowered to make strategic choices about security infrastructure. There is also the challenge of having enough resources to both handle current issues and strategically plan for future initiatives. The well-known shortage of cybersecurity engineers combined with the lack of automated tools and platforms is a key contributor to this problem.

Below is our list of best practices for effective risk management for CISOs.

Cultural Challenges
The risk-averse mindset creates a culture of fear in which engineers hesitate to take a transformational approach to cybersecurity resiliency. It also results in a schism between the developers and operations (DevOps) team and the CISO/security team by not taking an innovative, collaborative approach to improving the organization’s security posture. If the security team is always behind, it can get labeled as inefficient or ineffective.

Measuring Resiliency
Without a close working relationship with the DevOps team, CISOs can’t initially determine a baseline measurement of their security resiliency or lack thereof. Without confirming that baseline, it’s impossible to determine if initiatives are actually improving resiliency. “It won’t happen to us” is not the correct approach to cybersecurity and increasing resilience. Not integrating and collaborating with the DevOps team results in security being an afterthought or a periodic manual, nonrepeatable process.

Improving Resiliency
There are a few basic steps that CISOs should take after establishing their resiliency baseline in order to start improving it. We suggest that CISOs perform a value-chain mapping exercise, which will result in a much more detailed pictorial view of the security landscape. The X-axis of this map is “Evolution of Resiliency” and the Y-axis is the “Invisible to Visible Value Chain”—meaning, what solutions currently exist and what can be implemented over the evolution timeline to increase the visibility of security, which has a direct positive effect on resiliency. This exercise will also flesh out any duplicative efforts, which decrease efficiency. After the initial map has been created, it can be used as part of a continuous resiliency improvement process.

Defense In Depth
In addition to the security map, we suggest that you also create risk profiles that are associated with various components of your network, server infrastructure, and application landscape. This is the next level of insight as part of the classic defense-in-depth approach to security, meaning that you should build coordinated layers of security controls and eliminate any single points of failure within your security architecture.

Base Strategy
Creating the security map and set of risk profiles gives the CISO an initial “floor” of their strategy to mitigate risk. They help the CISO prioritize areas of focus, instead of trying to fix every problem at once. It also allows the CISO to share the progress of resiliency with the rest of the company to increase overall security awareness. This starts building a culture where security isn’t viewed as “scary” or “mysterious,” and also helps build a better overall relationship between the CISO/security team and the rest of the company. The “fear, uncertainty, and doubt” approach has proven to not be effective, and in fact, is quite the opposite.

Culture Joins Strategy For Lunch
In order to combine the strategic initiatives with culture, we recommend embracing two of the core tenets of the DevOps culture, collaboration and sharing. Collaborate with all of the application and infrastructure stakeholders to build an inventory of applications, data, and assets. Once you have that inventory, you can then start mapping out your risk matrix, and, while doing so, continually share with the stakeholders to make sure they have insight and awareness during the entire strategy creation process. That should also help during the strategy implementation phase, because none of the plans will be a surprise to anyone. 

A Continuous Approach
In closing, we’d stress that this is an ongoing, continuous process. CISOs can’t just put a strategy in place and ignore input and metrics. Much like with application development, there needs to be a continuous security integration and delivery approach that is constantly be iterated and improved upon.

Related Content:

 

Jim Bandanza is a trusted advisor to top security companies and CISOs worldwide, Jim Bandanza has over 20 years of cybersecurity and software experience. During his career, he has served as executive vice president of field operations and chief operating officer for several ... View Full Bio
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
5 Common Errors That Allow Attackers to Go Undetected
Matt Middleton-Leal, General Manager and Chief Security Strategist, Netwrix,  2/12/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-7505
PUBLISHED: 2020-02-18
Stack-based buffer overflow in the gif_next_LZW function in libnsgif.c in Libnsgif 0.1.2 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LZW stream in a GIF file.
CVE-2015-7567
PUBLISHED: 2020-02-18
SQL injection vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary SQL commands via the "passwordreset&token" parameter.
CVE-2012-0718
PUBLISHED: 2020-02-18
IBM Tivoli Endpoint Manager 8 does not set the HttpOnly flag on cookies.
CVE-2019-10791
PUBLISHED: 2020-02-18
promise-probe before 0.10.0 allows remote attackers to perform a command injection attack. The file, outputFile and options functions can be controlled by users without any sanitization.
CVE-2009-5146
PUBLISHED: 2020-02-18
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.