Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/14/2016
10:30 AM
Jim Bandanza and Mike D. Kail
Jim Bandanza and Mike D. Kail
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Risk Management Best Practices For CISOs

What's your company's risk appetite? Our list of best practices can help you better understand a difficult topic.

CISOs tend to be extremely risk averse when it comes to managing their security infrastructure and its ongoing assessment. One key reason is that in the past, CISOs were overly focused on being technical experts without developing an understanding of the business’s “risk appetite”—that is, the level of risk it’s willing to accept—and not communicating effectively with peers, the CEO, and the board. This results in a culture of fear in which engineers aren’t empowered to make strategic choices about security infrastructure. There is also the challenge of having enough resources to both handle current issues and strategically plan for future initiatives. The well-known shortage of cybersecurity engineers combined with the lack of automated tools and platforms is a key contributor to this problem.

Below is our list of best practices for effective risk management for CISOs.

Cultural Challenges
The risk-averse mindset creates a culture of fear in which engineers hesitate to take a transformational approach to cybersecurity resiliency. It also results in a schism between the developers and operations (DevOps) team and the CISO/security team by not taking an innovative, collaborative approach to improving the organization’s security posture. If the security team is always behind, it can get labeled as inefficient or ineffective.

Measuring Resiliency
Without a close working relationship with the DevOps team, CISOs can’t initially determine a baseline measurement of their security resiliency or lack thereof. Without confirming that baseline, it’s impossible to determine if initiatives are actually improving resiliency. “It won’t happen to us” is not the correct approach to cybersecurity and increasing resilience. Not integrating and collaborating with the DevOps team results in security being an afterthought or a periodic manual, nonrepeatable process.

Improving Resiliency
There are a few basic steps that CISOs should take after establishing their resiliency baseline in order to start improving it. We suggest that CISOs perform a value-chain mapping exercise, which will result in a much more detailed pictorial view of the security landscape. The X-axis of this map is “Evolution of Resiliency” and the Y-axis is the “Invisible to Visible Value Chain”—meaning, what solutions currently exist and what can be implemented over the evolution timeline to increase the visibility of security, which has a direct positive effect on resiliency. This exercise will also flesh out any duplicative efforts, which decrease efficiency. After the initial map has been created, it can be used as part of a continuous resiliency improvement process.

Defense In Depth
In addition to the security map, we suggest that you also create risk profiles that are associated with various components of your network, server infrastructure, and application landscape. This is the next level of insight as part of the classic defense-in-depth approach to security, meaning that you should build coordinated layers of security controls and eliminate any single points of failure within your security architecture.

Base Strategy
Creating the security map and set of risk profiles gives the CISO an initial “floor” of their strategy to mitigate risk. They help the CISO prioritize areas of focus, instead of trying to fix every problem at once. It also allows the CISO to share the progress of resiliency with the rest of the company to increase overall security awareness. This starts building a culture where security isn’t viewed as “scary” or “mysterious,” and also helps build a better overall relationship between the CISO/security team and the rest of the company. The “fear, uncertainty, and doubt” approach has proven to not be effective, and in fact, is quite the opposite.

Culture Joins Strategy For Lunch
In order to combine the strategic initiatives with culture, we recommend embracing two of the core tenets of the DevOps culture, collaboration and sharing. Collaborate with all of the application and infrastructure stakeholders to build an inventory of applications, data, and assets. Once you have that inventory, you can then start mapping out your risk matrix, and, while doing so, continually share with the stakeholders to make sure they have insight and awareness during the entire strategy creation process. That should also help during the strategy implementation phase, because none of the plans will be a surprise to anyone. 

A Continuous Approach
In closing, we’d stress that this is an ongoing, continuous process. CISOs can’t just put a strategy in place and ignore input and metrics. Much like with application development, there needs to be a continuous security integration and delivery approach that is constantly be iterated and improved upon.

Related Content:

 

Jim Bandanza is a trusted advisor to top security companies and CISOs worldwide, Jim Bandanza has over 20 years of cybersecurity and software experience. During his career, he has served as executive vice president of field operations and chief operating officer for several ... View Full Bio
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15132
PUBLISHED: 2019-08-17
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocki...
CVE-2019-15133
PUBLISHED: 2019-08-17
In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.
CVE-2019-15134
PUBLISHED: 2019-08-17
RIOT through 2019.07 contains a memory leak in the TCP implementation (gnrc_tcp), allowing an attacker to consume all memory available for network packets and thus effectively stopping all network threads from working. This is related to _receive in sys/net/gnrc/transport_layer/tcp/gnrc_tcp_eventloo...
CVE-2019-14937
PUBLISHED: 2019-08-17
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
CVE-2019-13069
PUBLISHED: 2019-08-17
extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM. The attacker must replace SilverShield.config.sqlite with a version containing an additional user account, and then use SSH and port forwarding to reach a 127.0.0.1 service.