SecurityWeek

Cyber Risk Management: What’s Holding Us Back?

Organizations Are Struggling to Operationalize Their Knowledge of Risk

Over the past year, cyber risk management has gained a lot of attention in the media and among practitioners. Even though risk management has been proven to optimize business performance and lead to better investment decisions, many organizations have still not adopted this concept when it comes to their enterprise security model. Last week’s WannaCry ransomware attack is a stark reminder that a risk-based approach to security is long overdue. WannaCry is the latest cyber-attack to expose the industry’s inability to find and fix the threats that really matter. So what’s holding organizations back from implementing cyber risk management?

Consider these facts… last Friday, the world faced the biggest cyber-attack yet, with more than 300,000 organizations in more than 200 countries falling victim to the WannaCry ransomware. The malware exploited a known vulnerability in the Microsoft Windows SMB Server, for which the vendor had provided a patch on March 14, 2017. Unfortunately, many organizations had not patched, or were simply running operating systems that had reached their end of life (e.g., Windows XP and Windows Server 2000) and no longer receive security updates. While the attack’s impact has been massive, the story behind it is characteristic of almost every successful cyber-attack — hackers exploit known vulnerabilities and bet on the fact that organizations don’t know how to fix what really matters.

That’s where cyber risk management comes into play. Many industry standard bodies (e.g., Payment Card Industry) and government regulators (e.g., Office of the Comptroller of the Currency, SEC) have taken steps to propagate the usage of risk management by incorporating its core principles into their regulations. These refreshed guidelines are designed to address several factors including scarcity of resources, the disruptive effect of big data in the context of cyber security, market volatility, regulatory changes, and the need for better, faster decision making.

However, many organizations are still struggling to operationalize their knowledge of risk in order to optimize business investments and performance. Let’s look at the factors that are preventing organizations from adopting a risk-based approach to security and what can be done to overcome them.

Risk Culture

When implementing cyber risk management practices, it is essential to instill a risk-aware culture at all levels and across all functional areas of the organization. Lack of buy-in from all stakeholders is one of the most common hurdles to making the transition from a compliance-driven to a risk-driven approach to security. There are many examples of organizations that hired a first-time Chief Risk Officer in an attempt to force the transition, but failed because the individuals required to implement the new practices on a day-to-day basis were still stuck in their antiquated compliance views. To be successful, risk management must avoid a gap between senior management and the rest of the organization in understanding and embracing risk management concepts and benefits. To address this roadblock, a well-thought-out training program is required for current and incoming employees.

Risk Management Perceptions


Although risk management was initially introduced to increase shareholder value, not all companies understand its benefits. It is important to realize that there is no one-size-fits-all approach; rather, the benefits and costs of risk management depend on factors such as organizational size, complexity, vertical industry, and location. Considering these factors when planning the scope of a cyber risk management implementation will increase the odds that its benefits will be clearly understood and supported across the organization.

Risk Technology

Instead of relying on employees to implement cyber risk management in a siloed fashion, using antiquated tools such as spreadsheets to document their findings, organizations should consider the use of an intelligence-driven, platform-based system. Pitfalls to look out for include making sure that the derived risk scores are based on a scientific approach that takes a multitude of factors (i.e., vulnerability risk rating, IP reputation, accessibility, and business criticality) into account, rather than singling out, for instance, just the external risk exposure of an organization. In this context, it is essential to ensure proper integrations with internal security intelligence data sources, both to protect investments in existing IT and security tools and to combine that data with external threat data and business criticality.

Organizations that address the above-mentioned inhibitors to cyber risk management head-on can significantly reduce the time it takes to identify their cyber risk exposure, quickly orchestrate remediation, and monitor the results. In the case of the WannaCry outbreak, a properly implemented cyber risk management program would have identified the exposure and business criticality of the threat weeks prior to the attack, giving the organization plenty of time to patch systems in a controlled and orderly fashion.
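The following is an added illustration, not code from the author or from any product mentioned on this page, of the multi-factor scoring the preceding sections argue for: each asset's vulnerability rating is combined with its IP reputation, accessibility and business criticality into one score, and an end-of-life operating system with no patch on the way is weighted up. The inventory, the weights, the end-of-life multiplier and the remediation wording are all constructed assumptions; a real program would tune them to its own environment. Ranking the same inventory by external exposure alone, as the text warns against, produces a different order than ranking by the combined score, which is the point the example makes.

```python
"""Toy multi-factor cyber risk scoring.

Added illustration: the Asset fields, weights, multiplier and the inventory
below are constructed assumptions, not a real product's scoring model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    vuln_rating: float            # worst open finding, 0-10 (CVSS-like severity)
    ip_reputation: float          # 0-1: how much known-hostile traffic reaches this host
    accessibility: float          # 0-1: 1.0 = internet-facing, ~0.2 = isolated segment
    business_criticality: float   # 0-1: business impact if this asset is compromised
    patch_available: bool         # vendor fix exists for the finding
    end_of_life: bool             # OS no longer receives security updates


# Assumed weights for the context factors (sum to 1.0 so severity stays on a 0-10 scale).
W_ACCESS, W_REPUTATION, W_CRITICALITY = 0.35, 0.20, 0.45
# Assumed uplift for systems that will never get a vendor patch.
EOL_MULTIPLIER = 1.25


def risk_score(a: Asset) -> float:
    """Combine severity with exposure and business context into a 0-10 score."""
    context = (W_ACCESS * a.accessibility
               + W_REPUTATION * a.ip_reputation
               + W_CRITICALITY * a.business_criticality)
    score = a.vuln_rating * context
    if a.end_of_life:
        score *= EOL_MULTIPLIER   # no fix is coming, so the exposure persists
    return round(min(score, 10.0), 2)


def rank_by_exposure_only(assets):
    """The single-factor view the text warns against: external reachability only."""
    return [a.name for a in sorted(assets, key=lambda a: a.accessibility, reverse=True)]


def rank_by_risk(assets):
    """The multi-factor view: highest combined score first."""
    return [a.name for a in sorted(assets, key=risk_score, reverse=True)]


def remediation_action(a: Asset) -> str:
    """Defender-side action derived from patch and lifecycle status (assumed wording)."""
    if a.end_of_life:
        return "isolate, apply compensating controls, plan replacement"
    if a.patch_available:
        return "apply vendor patch in the next maintenance window"
    return "monitor and track vendor fix"


def remediation_plan(assets):
    """Ordered (name, score, action) tuples: what to fix first and how."""
    return [(a.name, risk_score(a), remediation_action(a))
            for a in sorted(assets, key=risk_score, reverse=True)]


# Constructed inventory of four assets; values are illustrative only.
INVENTORY = [
    Asset("web-proxy-01",    7.0, 0.9, 1.0, 0.4, True,  False),  # internet-facing, low impact
    Asset("file-server-fin", 8.1, 0.1, 0.5, 1.0, True,  False),  # internal, patch pending
    Asset("hmi-legacy-xp",   8.1, 0.0, 0.3, 1.0, False, True),   # end-of-life OS, no patch
    Asset("dev-laptop",      5.0, 0.0, 0.2, 0.2, True,  False),  # low severity, low impact
]

if __name__ == "__main__":
    print("exposure-only order :", rank_by_exposure_only(INVENTORY))
    print("multi-factor order  :", rank_by_risk(INVENTORY))
    for name, score, action in remediation_plan(INVENTORY):
        print(f"{score:5.2f}  {name:<16} {action}")
```

Run stand-alone, the exposure-only view puts the internet-facing proxy first, while the combined score puts the unpatchable end-of-life host and the critical internal file server ahead of it; that reordering is what a platform integrating internal criticality data with external threat data buys over a spreadsheet of external exposures.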

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
