SecurityWeek

Risk Management

It Takes a Village to Manage Cyber Risk

Regulators from the New York State Department of Financial Services should be applauded for their update to their upcoming cyber security regulation (if you are not in NYS or financial services, stay tuned, something similar is certainly coming to your state and industry soon). 

While there were numerous adjustments made based on feedback during the comment period, most importantly, there was a shift in mindset from one standard for all systems and situations to a philosophy of risk based security. 

Throughout the updated regulation, requirements are defined in the context of “the covered entity’s risk assessment” vs. absolute requirements for all systems and data. This is a critical shift that I hope other regulators will follow because it allows covered entities to modulate what measures are required based on the risk to each system and data set. It provides covered entities an alternative to applying the most stringent requirements equally to all systems, for example, applying two factor authentication selectively to internal applications based on accessibility and exposure.

With that said, to take advantage of this newfound flexibility, CISOs will have to put in place a formalized cyber risk assessment and management process that is defensible and documented. In large legacy enterprise environments and smaller entities alike, that is often easier said than done.

There are many facets to a robust cyber risk management program that are beyond the scope of this article, but one best practice that is often overlooked is making security everybody’s business. Although CISOs are accountable for cyber risk management, and in the case of the NYS DFS regulation have to sign on the dotted line, effective cyber risk management is only achievable if IT and the business teams are intimately involved. Ultimately, the IT team has technical authority over systems and data and the business team has operational responsibility, so to be successful, it behooves CISOs to make sure everybody has skin in the game.

At the highest level, risk management focuses on the intersection of threats, vulnerabilities and business impact. The information security team mostly has responsibility for access management and for threat and vulnerability management. However, effective cyber risk management also requires a well-run resilient infrastructure, asset management and patch management, which are typically the domain of the CIO.

Application owners in the business are the ones who determine access levels, approve access to their applications and data, approve patching of their application’s infrastructure and provide critical context for validating insider threats and compromised accounts. They are also best positioned to provide the financial metrics that measure the impact of losing confidentiality, integrity and availability.

Business management is also responsible for promoting the importance of security and ensuring their departments can conduct their activities in a secure manner.

Finally, though beyond the scope of the NYS DFS regulation, which is focused on industry and consumer protection, the board is responsible for establishing the company’s risk tolerance and approval of investments in security. That is a lot of moving parts to coordinate and manage. To efficiently manage cyber risk requires effective business intelligence systems to consolidate all the appropriate data in one place, the appropriate analytics to automate making sense of it all, and the right decision support processes to enable everyone to do their part.

When it comes to security and cyber risk, CISOs are in the middle of it all, but they are not alone in protecting the enterprise. Collaborating with the right stakeholders, who may be outside the information security team, and equipping them with the right information and processes, makes them part of the solution instead of the problem. 
