Risk Management from the CISO Perspective
One of my favorite aspects of my role as a Security Evangelist for Radware is that I get the chance to really talk with business leaders about the challenges they face every day when protecting their business. I do a lot of listening, honestly, and I get the chance to learn a lot from these conversations.
Over the past few weeks, Risk and Risk Management have been common topics of discussion. They can be challenging because every business is different and we all face different risks or threats. Some of us have regulatory or compliance controls that we must operate within, which define how we handle certain risks. Others have customers who require that we maintain certain protocols and certifications as a method of protecting their data. Still others have no program in place at all.
One of the tasks of the CISO is to assess cyber threats and risks to the organization and to make recommendations on how to protect against them. So what are CISOs and security leaders concerned with right now? Here’s a recap of some of the messages I’ve heard over the past two weeks.
Size and Scope Might Be Indicative of Your Risk Program
“A risk program, you say?” Not all businesses have implemented a risk program. Others live by it. One CISO described how your risk program is likely influenced by the following:
– The purpose of your business
– How many employees you have
– Whether or not you’re a public company
– How long you’ve been in business
For example, a startup may not have a strong risk practice. It is more likely focused on growing the business with limited means. Does it hire a CISO? Probably not immediately (if at all), yet its idea, technology, or other intellectual property may be the crown jewel of the business, and protecting those assets may be critical to its future.
On the other hand, a multinational financial company could have dozens of regional regulations with which they must comply. These companies have a much more mature risk program. In fact, many global organizations have CISOs dedicated to specific regions to assist with this complexity.
“Everything is unprecedented until it happens for the first time.”
One security leader recently referenced this quote from the movie “Sully” when discussing his risk program. While often used as inspiration, this quote is incredibly relevant in cyber security. Security practitioners share the task of keeping our companies alive, online, and safe.
I think this quote stands on its own.
The CEO Usually Doesn’t Want to Know the Details About Your Risk Program
The CEO wants to know how you’re dealing with risk, but usually doesn’t want the exact details (unless he or she needs to understand them or sits on a risk committee). That’s why they have you, the CISO. What the CEO needs is to understand how you are handling risk, so develop a clear and concise summary of your risk profile and what you are doing about it. The CEO has to be able to tell Board members, shareholders, and customers if, how, and why you’re safe, so help him or her develop a clear way to explain your risk program.
Use Internal Auditing as a Tool
Let’s face it, nobody enjoys auditing. However, one CISO that I talked with recommends that you embrace it. It can be difficult, but if you trust the process and commit to it, an internal audit can help you reach your security goals.
For example, an internal audit can help find gaps in protections that would ultimately need to be defined as risks. From there, you can define the likelihood of the risk, the impact to the business, and finally make a recommendation to mitigate the risk. Some of this might include budget allocation, which may help you achieve other goals as well.
Telecommuting Employees Are Bad at Backups
Do you have remote employees or contractors? Do they have laptops? Are they backing up data? Several discussions focused on this topic recently, specifically because of the WannaCry outbreak. If you do have remote workers in your network, how are they backing up their laptops? Laptops are usually open while the user is working and closed when not, meaning backups can only run while the machine is open and in use.
If they are backing up, are they using home resources or a central corporate server/resource? If it’s the latter, are they on VPN? Residential internet links don’t always have fast uplink speeds, making remote backups a chore for the user. Even if backups run during the day, slow upload speeds mean a user may notice a saturated residential uplink during the backup and abort it, or avoid running it altogether.
This recipe creates two common scenarios: telecommuters who either don’t back up their data regularly, or who back up to non-corporate resources. We would all agree that using non-corporate resources to store corporate data presents risk, but so does forgoing backups.
Teach Your Employees About Risk
The CISO is accountable for cyber risk, but everyone should be invested in protecting the company. The good news is that threat awareness inside organizations seems to be increasing. However, employees must also understand why cyber threats can threaten the business directly. From safe internet browsing to developers coding with security in mind, everyone needs to understand how their activities impact the company’s risk profile.
In the same vein, teach your employees that they need to trust you and the IT teams if something has happened. Be approachable and make sure employees understand that they can safely reach out to your team in the event of a suspected issue. We would all rather know about something immediately than find out later, the hard way.
40% of Businesses Don’t Have an Incident Response Plan
Radware’s 2016-2017 Global Application & Network Security Report found that 40% of businesses do not have an incident response plan in place. Handling a security crisis can often come down to preparation. Even if you don’t have a security budget, you can still plan for what you will do if you encounter a security problem. Understand who needs to be notified, both internally and externally, as well as who will be involved in your response. Then practice it. Those first few minutes and hours will be critical to how you fare under duress.
Cyber Insurance Can Transfer Risk
The same report referenced above also found that 70% of businesses do not have cyber insurance. We also found that businesses tend to underestimate the cost of a cyber-event by 50%. A cyber insurance policy might be a way for you to transfer certain risks away from your organization. However, the feedback in the community is that policies vary drastically and you should have your legal team heavily involved if or when you decide on a policy.
The main observation from these discussions is that we all have different levels of risk tolerance. We also have different levels of program maturity. But as security leaders, we understand that how we approach risk is critical to our business. Use risk assessments to help drive your security goals. Gain the attention of the senior leadership in your organization by defining the risks you face, their likelihood of occurrence, their impact to the business, and your recommendation to mitigate them.
