SecurityWeek

Risk Management

Risky Business: Understand Your Assets and Align Security With the Business

For years I wondered why business groups would move forward with technology initiatives before fully understanding their risk exposure. Focused on the business outcome, teams always wanted to implement first and figure out the risks later. 

Problem is, risks are intrinsic to business outcomes. A solution is only as valuable as the information flowing through it. Compromise the information, bring down the solution, and the business outcome cannot be realized.   

Too often this dawns on the business after implementation, when risk treatment options are limited. Often the only choice is to put a wrapper around the solution, a compensating mitigation with a tendency to make users less happy and the technology less appealing — which also diminishes the desired outcome.

Align security and risk with the business

Once you dive into the trenches with business groups, it’s much easier to understand why this is such a challenge, since you’re representing initiatives that are potentially hugely valuable to the company. But there doesn’t have to be so much friction in the process. 

By working closely with business groups to do a thorough risk analysis, we’re not only doing the due diligence required by regulatory and industry associations — we can also teach business pros how to understand risk and the different avenues for dealing with it. 

Understand your assets

First it’s important to understand the value of the information and the technology in terms of its impact to the business. Business groups need to understand not only what their assets are, but also how the security team classifies those assets in terms of business impact. 

For sensitive information, the military uses four categories: Top Secret, Secret, Confidential, and Unclassified. They describe the consequences of unintended release of Top Secret information with one word: grave. 

A similar model applies in the corporate world. Most companies use a three-tiered classification of high, medium or low business impact. And in terms of high-impact business data, I would argue that the term grave still applies.

Whatever system you use, once you’ve classified your assets and determined the level of risk involved, you’re in a better position to decide which risk treatment options and timeframes make sense within the context of the business, its size and its industry.

For some systems, the necessary treatments are already defined by regulatory or industry requirements. To process credit cards, for example, companies must comply with PCI requirements or face higher processing costs or even the suspension of processing altogether. 

But for other systems it’s not so cut and dried, and risk mitigation strategies will lean heavily on the organization’s appetite for risk, as well as its ability to mitigate. There are generally four treatment options, and mature companies typically end up using all of them:

Avoidance

For business leaders, the least obvious option is probably just avoiding the risk altogether. But when the security team is proactive and doing risk analysis with the business up front, you’ll be surprised at how many decision-makers end up avoiding the risk by scrapping the initiative. They see that even though it provides a sizable financial benefit, it simply opens the business up to too much exposure. 

Sometimes it’s OK not to implement the technology. Being smart about when to avoid risk is actually great for everyone, because you end up eliminating controls that are difficult to maintain.

Transfer

The same thing could be said about risk transfer. Risk transfer can involve non-technology solutions, such as buying an insurance policy to help compensate the business in the event of an exploit or other compromise to the system. It can also involve contracts that literally transfer the risk to another party. 

Technology-based risk transfer options include moving to a cloud provider with the resources to centralize security controls and attain certifications most companies can’t afford. There’s also the option to outsource controls like a WAF, instead of trying to build them on your own. For some companies, this type of risk transfer may become a primary mitigation strategy. 

Acceptance

And then there’s risk acceptance, which may actually be the most important tool that exists for security. This is when you go to an officer of the company, educate her on the risk in question, and ask her to accept it and document the acceptance. 

Here the documentation is critical. The CISO and the business owner are mutually agreeing on the acceptance of a risk and the company’s plan for dealing with it. This then becomes the codification in the organization of the risk being accepted and how that risk will be managed. 

And again, you’d be shocked at how many people decide to go from risk acceptance to risk avoidance. 

Mitigation

Of course, there will always be mitigation, and that’s really about controls. If you’re doing things right and the security team is brought in at the beginning, you minimize the need to add compensating controls later. This results in a much stronger system.

But mitigation isn’t the only game in town, and business owners don’t always understand these additional options — because they’re not being taught. The solution is to work with them to understand the value of the assets and what the risk treatment options are, then build a risk treatment plan that truly reflects your priorities, risk tolerance and resources. 

Working closely with business groups throughout the process of due diligence and due care not only fulfills the CISO’s responsibilities, it also creates more security-savvy business groups who understand how to use their risk treatment toolkit more strategically. 
