Design Risk Management Plans to Fail: Bank Security Expert

Operational Risk Assessments: Not Glamorous, But Indispensable

PUNTA CANA – KASPERSKY LAB SECURITY ANALYST SUMMIT – It may not be the most glamorous security role, but when it comes to operational risk assessment, someone has got to do it.


In a room filled with some of information security’s rock stars, and at a conference where speakers describe exotic attacks and demonstrate sophisticated proofs of concept, the theme of operational risk assessment and management feels out of place. But Steve Adegbite, senior vice-president in charge of enterprise information security program oversight and strategy at Wells Fargo, makes a case for the importance of risk assessment in organizations, especially online banking.

A key part of risk assessment depends on the organization knowing what types of information it holds, understanding how and why it is being used, identifying who would consider it valuable, and determining the threats to the integrity of the data. But that is just the beginning. Adegbite said companies need to understand that zero-day vulnerabilities are inevitable in software development as we don’t live in a world of perfect code. This means security defenses, no matter how robust and thorough, will eventually fail.

As a result, a risk model is a key component of any security practice, Adegbite said.

Banks are increasingly adopting a risk mentality more commonly associated with Wall Street traders, Adegbite said. When it comes to risk, it’s all about cost: mainly how much money the organization is willing to lose before the loss becomes too expensive to absorb, because that threshold is the point at which security investment makes sense.

The Target breach had a financial impact, but it wasn’t catastrophic because shoppers went back to Target.


It’s important to accept at this point, however, that there is no such thing as the perfect risk model. No matter how thorough the planning is, there is no way to control one factor of any business operation: humans.

“Your risk model is never going to always work,” said Adegbite.

Risk assessments also can’t be static. Once the organization has assessed risk, the model has to be continuously tweaked and refined. Attack techniques have evolved rapidly, and the types of defenses are also changing. This is why organizations can’t just say, “this is just the way we do things,” because nothing is static. Why should the risks be treated any differently?

Risk management plans need to be designed to fail, Adegbite said. If organizations plan for failure, they can respond better when something goes wrong, thus limiting damage. A better response means less impact on the bottom line, less data impact, and less tarnishing of the company’s reputation. And when the plan fails, organizations need to examine why it failed and make a better plan for next time.

Risk assessments aren’t something new. Humans have been making risk assessments for thousands of years, starting with how to escape hungry bears and whether to plant a certain crop. The ability to assess a situation and determine “what if” scenarios before making a decision is something that has kept humans alive and will also help corporations protect sensitive data, Adegbite said.
