SecurityWeek

Design Risk Management Plans to Fail: Bank Security Expert

Operational Risk Assessments: Not Glamorous, But Indispensable

PUNTA CANA – KASPERSKY LAB SECURITY ANALYST SUMMIT – It may not be the most glamorous security role, but when it comes to operational risk assessment, someone has got to do it.

In a room filled with some of information security’s rock stars, and at a conference where speakers describe exotic attacks and demonstrate sophisticated proofs of concept, the theme of operational risk assessment and management feels out of place. But Steve Adegbite, senior vice-president in charge of enterprise information security program oversight and strategy at Wells Fargo, makes a case for the importance of risk assessment in organizations, especially online banking.

A key part of risk assessment depends on the organization knowing what types of information it holds, understanding how and why that information is used, identifying who would consider it valuable, and determining the threats to the integrity of the data. But that is just the beginning. Adegbite said companies need to understand that zero-day vulnerabilities are inevitable in software development, because we don’t live in a world of perfect code. This means security defenses, no matter how robust and thorough, will eventually fail.

As a result, a risk model is a key component of any security practice, Adegbite said.

Banks are increasingly adopting a risk mentality more commonly associated with Wall Street traders, Adegbite said. When it comes to risk, it is all about cost: the organization decides how much money it is willing to lose, and the point at which a potential loss exceeds that tolerance is the point at which security investment makes sense.

The Target breach had a financial impact, but it wasn’t catastrophic because shoppers went back to Target.

It’s important to accept at this point, however, that there is no such thing as the perfect risk model. No matter how thorough the planning is, there is no way to control one factor of any business operation: humans.

“Your risk model is never going to always work,” said Adegbite.

Risk assessments also can’t be static. Once the organization has assessed risk, the model has to be continuously tweaked and refined. Attack techniques have evolved rapidly, and the types of defenses are also changing. This is why organizations can’t just say, “this is just the way we do things,” because nothing is static. Why should the risks be treated any differently?

Risk management plans need to be designed to fail, Adegbite said. If organizations plan for failure, they can respond better when something goes wrong, thus limiting damage. A better response means less impact on the bottom line, less data impact, and less tarnishing of the company’s reputation. And when the plan fails, organizations need to examine why it failed and make a better plan for next time.

Risk assessments aren’t something new. Humans have been making risk assessments for thousands of years, starting with how to escape hungry bears and whether to plant a certain crop. The ability to assess a situation and determine “what if” scenarios before making a decision is something that has kept humans alive and will also help corporations protect sensitive data, Adegbite said.
