Risk Management

Slow dancing in a burning room

“We are living in exponential times,” said Eddie Schwartz, EVP of Cyber Service at DarkMatter, during the opening of his keynote at RSA Conference Abu Dhabi in early November. As it pertains to cybersecurity, this is most certainly true. Digital “everything” is transforming the way we live our lives and run our businesses, and it creates myriad opportunities, the likes of which would have been unimaginable 20 or 30 years ago. From machine-to-machine communications and learning to artificial intelligence (AI), the gains in speed, efficiency, and convenience are staggering. These same advantages we enjoy—whether it relates to better and faster threat detection or ordering pizza—are also afforded to cyber criminals. Unfortunately, as Schwartz pointed out, “exponential increases are coming from everywhere except cyber defenses.”

As white hat cybersecurity practitioners and everyday citizens benefit from exponential advances in digital technologies, machine learning, and AI, so too do cyber criminals. The rates of cyber attacks, malware, botnets, social engineering, and misuse of technology for illicit gains have risen. Security vendors race to keep pace with the threat landscape, but what has resulted thus far are point solutions that address one aspect of the problem, “linear responses,” as Schwartz calls them, that leave our organizations and accounts still vulnerable to future attacks.

We’re goin’ down

Part of the dilemma, said Rashmi Knowles, Field CTO at RSA, in a separate, unaffiliated talk, is the lack of focus on business risk. Security vendors are homed in on providing technology solutions that address issues like account lockouts, web shell deletions, SQL injections, DDoS, or IDS/IPS events. As a result, Knowles said, businesses are dealing with piecemeal approaches to tackling technology problems. Companies are left with outdated reporting, largely manual processes (even when automation is available), lack of ownership, information silos, inconsistent controls, and—possibly most importantly—limited risk visibility.

Industry regulators and lawmakers have tried to step in and fill this gap, presumably to “fix” what ails businesses and their requisite technology organizations. Since 2008, more than 25,000 new regulations have been introduced. As Knowles pointed out, the cost of all these new regulations—“improvements” to security and technology strategies and usage—has been $727 billion and 460 million hours. Are we more secure because of HIPAA, PCI DSS, FISMA, FERC/NERC, and countless others? No. In fact, going back to Schwartz’s presentation, malware, breaches, and the like have risen sharply alongside the introduction of new laws and regulations. Aside from increased cost and effort to comply, what have we gained? It seems, a lot of wasted time and frustration.

And you can see it too

This isn’t to say cybersecurity technologies haven’t improved companies’ abilities to prevent, detect, and respond to cyber criminal activity; it’s just not at the pace it needs to be to make a true impact against exponentially growing threats and risk.

Returning to Knowles’ presentation, our current reality, she said, is that most organizations operate in a reactive mode, firefighting immediate threats and attending to compliance requirements (which don’t appear to facilitate forward progress). Through a combination of layered defenses and siloed tools and strategies, security teams struggle to focus on holistic business risk. To move from silos to a managed approach, Knowles recommended, security teams must meet “new business requirements,” which include:

  • Full visibility into data, tools, processes, vulnerabilities, threats, etc.
  • Rapid insight when a potential threat is indicated
  • Business context around the potential threat (to understand if it’s 1) applicable and 2) a priority)
  • Efficient, comprehensive response procedures

We’re goin’ down

All of this is predicated on the security team’s ability to align with business priorities. This means security must be “fully risk aware, able to identify opportunity, and be capable of making risk-based—as opposed to tactical—decisions.”

Knowles’ recommendations for moving towards a risk-based and managed security organization center on none other than people, process, and technology. To start, on the “people” front, she advises:

  • Define clear roles for everyone on the security team
  • Collect and analyze threat intelligence that is germane to your organization
  • Ensure the language used by risk analysts aligns with business risk
  • Regularly rotate staff to keep fresh eyes on your situation
  • Have “24/7 ‘follow the sun’ coverage”
  • Embrace third parties to augment incident response

To attain an “advantaged” level in processes, Knowles says security teams should:

  • Maintain a continuous process of detection, investigation, and response
  • Implement, regularly review, and practice incident response policies and procedures
  • Institute reputable standards and frameworks like NIST and VERIS

Finally, regarding technology (most security practitioners’ favorite part of managing security), Knowles advises teams to:

  • Embrace data collection and visibility
  • Implement real-time incident detection capabilities
  • Understand the business context of potential issues, threats, vulnerabilities, and actions
  • Have a deep knowledge of your “hunting ground,” i.e., what assets require coverage
  • Implement hunting tools

And you know that we’re doomed

If organizations expect or want to keep up with exponentially growing cyber threats, they must significantly overhaul current approaches to people, processes, and technology. The goal must be to support business risk management through aligned strategies and ongoing implementation, monitoring, and measurement of tools and techniques. To accomplish this, security teams must ensure full visibility into their environments, comprehensively understand both which threats are pertinent to the business and the business’s risk tolerance, and finally, be able to quickly and effectively respond to and recover from security incidents.

Attend the Privacy and Risk Management Summit at InfoSec World 2018 to learn new strategies and techniques for managing your organization's cyber risk.