
Cyber Risk Management: What’s Holding Us Back?

Organizations Are Struggling to Operationalize Their Knowledge of Risk

Over the past year, cyber risk management has gained a lot of attention in the media and among practitioners. Even though risk management has been proven to optimize business performance and lead to better investment decisions, many organizations have still not adopted this concept when it comes to their enterprise security model. Last week’s WannaCry ransomware attack is a stark reminder that a risk-based approach to security is long overdue. WannaCry is only the latest cyber-attack to expose the industry’s inability to find and fix the threats that really matter. So what’s holding organizations back from implementing cyber risk management?

Consider the facts. Last Friday, the world faced the biggest cyber-attack yet, with more than 300,000 organizations in more than 200 countries falling victim to the WannaCry ransomware. The malware exploited a known vulnerability in the Microsoft Windows SMB Server, for which the vendor had provided a patch on March 14, 2017. Unfortunately, many organizations had not applied the patch or were simply running operating systems that had reached their end of life (e.g., Windows XP and Windows Server 2000) and no longer receive security updates. While the attack’s impact has been massive, the story behind it is characteristic of almost any successful cyber-attack: attackers exploit known vulnerabilities and bet on the fact that organizations don’t know how to fix what really matters.

That’s where cyber risk management comes into play. Many industry standard bodies (e.g., Payment Card Industry) and government regulators (e.g., Office of the Comptroller of the Currency, SEC) have taken steps to propagate the usage of risk management by incorporating its core principles into their regulations. These refreshed guidelines are designed to address several factors including scarcity of resources, the disruptive effect of big data in the context of cyber security, market volatility, regulatory changes, and the need for better, faster decision making.

However, many organizations are still struggling to operationalize their knowledge of risk in order to optimize business investments and performance. Let’s look at the factors that are preventing organizations from adopting a risk-based approach to security and what can be done to overcome them.

Risk Culture

When implementing cyber risk management practices, it is essential to instill a risk-aware culture at all levels and across all functional areas of the organization. Lack of buy-in from all stakeholders is one of the most common hurdles to making the transition from a compliance-driven to a risk-driven approach to security. There are many examples of organizations that hired a first-time Chief Risk Officer in an attempt to force the transition, but failed because the individuals required to implement the new practices on a day-to-day basis were still stuck in their antiquated compliance views. To be successful, risk management must avoid a gap between senior management and the rest of the organization when it comes to understanding and embracing risk management concepts and benefits. To address this roadblock, a well-thought-out training program is required for current and incoming employees.

Risk Management Perceptions

Although risk management was initially introduced to increase shareholder value, not all companies understand its benefits. It is important to realize that there is no one-size-fits-all approach; rather, the benefits and costs of risk management depend on factors such as organizational size, complexity, vertical industry, and location. Considering these factors when planning the scope of a cyber risk management implementation will increase the odds that its benefits will be clearly understood and supported across the organization.

Risk Technology

Instead of relying on employees to implement cyber risk management in a siloed fashion, using antiquated tools such as spreadsheets to document their findings, organizations should consider an intelligence-driven, platform-based system. One pitfall to watch for is the derivation of risk scores: they should be based on a defensible, multi-factor method that accounts for vulnerability risk rating, IP reputation, accessibility, and business criticality, rather than singling out, for instance, just the external risk exposure of an organization. In this context, it is essential to integrate properly with internal security intelligence data sources, both to protect the investment in existing IT and security tools and to combine their data with external threat data and business criticality in one view.
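As an added illustration (not from the article or any vendor's product), the following Python sketch contrasts ranking assets on external exposure alone with a weighted score over the four factors named above. The weights, the 0-10 scale and the three-asset inventory are constructed assumptions chosen to mirror the WannaCry situation: an internal, business-critical SMB file server whose flaw is actively exploited.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Asset:
    name: str
    vuln_rating: float   # 0-10: severity of the worst open finding (CVSS-like)
    threat_intel: float  # 0-1: exploitation in the wild / IP reputation signal
    accessibility: float # 0-1: reachability of the vulnerable service (1 = internet-facing)
    criticality: float   # 1-5: business criticality of the asset

# Illustrative weights (an assumption, not from the article). They sum to 1,
# so the combined score stays on the same 0-10 scale as the single factors.
WEIGHTS: Dict[str, float] = {
    "vuln_rating": 0.35, "threat_intel": 0.25,
    "accessibility": 0.15, "criticality": 0.25,
}

def multi_factor_score(a: Asset, w: Dict[str, float] = WEIGHTS) -> float:
    """Normalise every factor to 0-1, weight it, and rescale to 0-10."""
    if abs(sum(w.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    return 10 * (w["vuln_rating"] * a.vuln_rating / 10
                 + w["threat_intel"] * a.threat_intel
                 + w["accessibility"] * a.accessibility
                 + w["criticality"] * (a.criticality - 1) / 4)

def exposure_only_score(a: Asset) -> float:
    """The anti-pattern the text warns about: external reachability alone."""
    return 10 * a.accessibility

def prioritize(assets: List[Asset], scorer: Callable[[Asset], float]) -> List[str]:
    """Return asset names, most urgent first, under the given scoring method."""
    return [a.name for a in sorted(assets, key=scorer, reverse=True)]

# Constructed inventory: the internal file server is barely reachable from
# outside but carries an exploited, high-severity flaw on a critical system.
INVENTORY = [
    Asset("web-frontend", vuln_rating=5.3, threat_intel=0.1, accessibility=1.0, criticality=2),
    Asset("internal-fileserver", vuln_rating=8.1, threat_intel=1.0, accessibility=0.3, criticality=5),
    Asset("kiosk-xp", vuln_rating=8.1, threat_intel=1.0, accessibility=0.6, criticality=3),
]

if __name__ == "__main__":
    print("exposure only :", prioritize(INVENTORY, exposure_only_score))
    print("multi-factor  :", prioritize(INVENTORY, multi_factor_score))
```

Under exposure alone the file server is patched last; the multi-factor score moves it to the top of the remediation queue, which is the ordering a risk-based program is meant to produce.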

Organizations that address the above-mentioned inhibitors to cyber risk management head-on can significantly reduce the time it takes to identify their cyber risk exposure, quickly orchestrate remediation, and monitor the results. In the case of the WannaCry outbreak, a properly implemented cyber risk management program would have identified the exposure and business criticality of the threat weeks prior to the attack, giving the organization plenty of time to patch systems in a controlled and orderly fashion.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
