Light Dark
May 24, 2017 By Kevin Beaver 3 min read
Risk Management
CISO

Risk management is the essence of what we do as information security professionals. We identify key security risks and analyze those risks in the context of the business. We then communicate the confirmed or potential outcomes to management. Finally, we decide — or wait for decisions — on how to respond.

Misguided Decisions

Many security challenges begin at this step. Sometimes, chief information security officers (CISOs) and other executives make decisions are based on fear — fear of experiencing a breach, of running afoul of regulators, of losing their jobs, etc. In many cases, security leaders simply throw money at problems and expect things to change. The problem is, nothing is ever really solved.

Other executives make decisions based on misinformation. This could be due to the IT team’s failure to perform proper assessments and audits, or a security tool’s failure to provide accurate insights into network activity.

Then again, some security leaders make decisions based on no information at all. These executives often have preconceived notions about security, like “security is an IT thing and those people are handling it,” or “we spent all that money and effort on security so all is well, right?”

Don’t Accept Security Risks

In all three of the above scenarios, security risks are being accepted when they shouldn’t be. This could be due to any of the following scenarios that commonly play out in typical enterprises today:

  • Security policies exist but are not fully disseminated or understood.
  • IT staff and executives are exempt from security policies.
  • Compliance and legal teams are disconnected from security teams and everyone is working on their own initiatives, even if it means duplicated efforts and unnecessary overlap.
  • Proper vulnerability scanning and penetration testing are not being performed because the right tools are not available.
  • High-risk, third-party software patches are not being applied to workstations, even though a patch management program is in place.
  • Web content filtering is not being monitored by business unit managers outside of IT.
  • Information discovery and classification is absent.
  • Endpoint malware protection is the only control keeping users from impacting the network with a ransomware infection.
  • Generic email phishing testing makes up the entire user awareness and training program.
  • There is a reliance on SOC 2 audit report reviews, security questionnaires and legal contracts for fully managing vendors.
  • Incident response is a policy document focused on forensics with no specifics on how to contain and recover from incidents, handle breach notifications or address the news media.

From my perspective, many security teams accept these risks due to lack of budget or the reallocation of funds to other IT initiatives. For this reason, you might not be formally accepting the risks, but there’s certainly a level of implicit acceptance.

Even when formal requirements are put in place for policy updates, business process adjustments or new technologies, unfunded mandates are not really mandates. Like New Year’s resolutions that fade away by mid-February, they’re mere wishes that demonstrate a lack of initiative to formally address security risks.

Change Your Approach to Risk Management

As Friedrich Nietzsche once said, “There are no facts, only interpretations.” Misguided interpretations about security is what gets people — and businesses — into trouble. As you develop your security program, make sure that you’re gathering all the facts and sharing them with the right people to minimize your maximum regret, determine the worst possible security outcomes and do whatever it takes to keep those things from happening.

The list of accepted risks above should be a part of this conversation. You’ll surely identify your own unique issues, but the most important thing is to acknowledge that what you’re doing with security right now is not enough. How can you change your approach to known and accepted risks to make things better for your business?

Listen to the podcast series: Take back control of your Cybersecurity now

 |  |  |  |  |  |  | 
Kevin Beaver
Independent Information Security Consultant

More from Risk Management
April 17, 2024

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

April 11, 2024

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature