Risk Management

It Takes a Village to Manage Cyber Risk

Regulators from the New York State Department of Financial Services should be applauded for their update to their upcoming cyber security regulation (if you are not in NYS or financial services, stay tuned, something similar is certainly coming to your state and industry soon). 

Regulators from the New York State Department of Financial Services should be applauded for their update to their upcoming cyber security regulation (if you are not in NYS or financial services, stay tuned, something similar is certainly coming to your state and industry soon). 

While numerous adjustments were made based on feedback during the comment period, the most important one was a shift in mindset from a single standard for all systems and situations to a philosophy of risk-based security.

Throughout the updated regulation, requirements are defined in the context of "the covered entity's risk assessment" rather than as absolute requirements for all systems and data. This is a critical shift that I hope other regulators will follow, because it allows covered entities to modulate which measures are required based on the risk to each system and data set. It gives covered entities an alternative to applying the most stringent requirements equally to every system, for example by applying two-factor authentication selectively to internal applications based on their accessibility and exposure.

With that said, to take advantage of this newfound flexibility, CISOs will have to put in place a formalized cyber risk assessment and management process that is defensible and documented. In large legacy enterprise environments and smaller entities alike, that is often easier said than done.

There are many facets to a robust cyber risk management program that are beyond the scope of this article, but one best practice that is often overlooked is making security everybody's business. Although CISOs are accountable for cyber risk management, and in the case of the NYS DFS regulation have to sign on the dotted line, effective cyber risk management is only achievable if IT and the business teams are intimately involved. Ultimately, the IT team has technical authority over systems and data and the business team has operational responsibility, so to be successful it behooves CISOs to make sure everybody has skin in the game.

At the highest level, risk management focuses on the intersection of threats, vulnerabilities and business impact. The information security team mostly has responsibility for access management and for threat and vulnerability management. However, effective cyber risk management also requires a well-run, resilient infrastructure, asset management and patch management, which are typically the domain of the CIO.

Application owners in the business are the ones who determine access levels, approve access to their applications and data, approve patching of their application's infrastructure and provide critical context for validating insider threats and compromised accounts. They are also best positioned to provide the financial metrics that measure the impact of losing confidentiality, integrity and availability.

Business management is also responsible for promoting the importance of security and ensuring their departments can conduct their activities in a secure manner.


Finally, though beyond the scope of the NYS DFS regulation, which is focused on industry and consumer protection, the board is responsible for establishing the company's risk tolerance and approving investments in security. That is a lot of moving parts to coordinate and manage. Managing cyber risk efficiently requires effective business intelligence systems to consolidate all the appropriate data in one place, the appropriate analytics to automate making sense of it all, and the right decision support processes to enable everyone to do their part.

When it comes to security and cyber risk, CISOs are in the middle of it all, but they are not alone in protecting the enterprise. Collaborating with the right stakeholders, who may be outside the information security team, and equipping them with the right information and processes, makes them part of the solution instead of the problem. 
