Over the past few months, I’ve been lucky enough to meet with CIOs and chief information security officers (CISOs) in places like Antwerp, Belgium; Bangalore, India; Bangkok, Thailand; Kingston, Jamaica; London, England; Manhattan, New York and Washington, D.C. In these diverse cities, the common pattern I’ve observed is that organizations want to refine and mature their approach to managing risk. They may not use the phrase “risk management,” but that’s what they’re doing.
The leaders I’ve spoken with are busy identifying toxic narratives about risk, identifying chronic security issues and finding more data-driven solutions. Some are taking novel approaches to interpreting information, as well as educating their workers. But everyone is looking for a more complete understanding of risk management.
Differing Perspectives on Risk Management
During my conversations with security leaders, I’ve heard some fun stories and interesting quips. For example, when it comes to personal risk, I’ve heard:
- What happens in Vegas ends up on YouTube!
- The best way to protect yourself against identity theft is a 350 credit score!
When it comes to business risk, I’ve heard:
- Security is always unnecessary and excessive until it isn’t.
- If you think your organization isn’t experiencing a security issue right now, then you’re probably not looking hard enough.
Holding different perspectives about risk management and security can lead to internal issues. For example, leaders are having a heck of a time finding workers. Why? First, because they’re struggling to identify the most important skills those workers need. Second, they’re finding it a challenge to properly train those workers. But the most pressing problem is that they’re haunted by toxic narratives about risk management and security.
Avoiding Toxic Narratives About Risk Management
Healthy organizations always look for ways to eliminate unnecessary barriers to move things forward. The whole idea behind a successful business is to find more efficient ways to operate. This, unfortunately, has traditionally led organizations to see security as an unnecessary barrier, or just a technical activity. We all know the results of this attitude.
Here are a few more toxic narratives:
- Practical security means cleaning up problems after they happen.
- Security begins (or ends) by purchasing equipment or a service.
- Talented security techies and anti-hackers will save the organization from attacks.
- Adopting my favorite security framework will reduce risk.
- All it takes is one false step, and we’ll get compromised.
- Managing risk is a complex task, requiring complex solutions.
- Enabling proactive security is easy.
There is a grain of truth in each of the statements listed above. But, taken as a whole, these ideas create more problems than they solve. They contribute to major risk issues, including:
- Shadow IT: Where IT solutions are sourced without consulting the IT department.
- Technical Debt: Where choices are made to skip vital steps when implementing a technical solution.
- Lack of Communication: The best organizations know that managing risk starts with communication between security, IT and the business.
- Lack of Education: The best organizations know that education is the best way to address risk and eliminate information silos – an attacker’s best friend.
Perhaps the most pressing risk management issue is the lack of actionable information given to stakeholders.
Following Actionable Information
I always find it amusing that when people start managing risk, they want to jump right into using terms like risk identification, risk transfer or security frameworks without first realizing that the most important thing about risk management is gathering actionable information. That actionable information involves creating risk metrics, which often are created by the interplay of red and blue teams.
I’m not arguing that we need more data. Not at all. IT and security professionals are inundated with datasets of various types, such as Wireshark packet captures, log files, SIEM reports and pen test reports. Data won’t help us. But information will. What business leaders worldwide need is actionable information.
When it comes to compliance and risk, it’s vital to choose security controls and mechanisms wisely. This can only happen if an organization acts upon useful information. One way to do this is to base risk decisions on real information via risk profiles.
Creating Risk Profiles
Risk profiles involve more than just identifying at-risk assets or listing the characteristics of an attack group. They are the result of creative, data-driven activities. Organizations worldwide are discovering that the healthy interplay between red team and blue team activities, supplemented by cyber threat intelligence (CTI), is the best way to move toward risk profiles. This interplay helps organizations identify their unique problems and solutions. It does more than just discover indicators of compromise: it produces the actionable information from which true risk profiles are built.
A risk profile helps an organization understand its place in the world. It helps an organization see itself as it is seen by attackers. Risk profiles also help organizations determine which supply chain and other issues will affect them the most. It doesn’t matter whether you use a tool like one of the MITRE ATT&CK matrices or something else. What matters is making sure that your risk management activities address your organization’s own problems. This way, you’re moving from mere compliance with frameworks toward actual security maturity.
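As an added illustration (not part of the original article, and not a CompTIA or MITRE method), here is one way to turn the red team/blue team interplay and CTI described above into a per-technique risk profile: each technique the red team exercised gets a score from how prevalent CTI says it is for your sector, how directly it reaches your crown-jewel assets, and how badly the blue team missed it. The technique IDs are real ATT&CK IDs; the exercise results, prevalence figures, exposure weights and the scoring formula itself are constructed assumptions for the example.

```python
"""Build a per-technique risk profile from purple-team results and CTI.

Added example with constructed data and constructed weights. The scoring
formula (prevalence x exposure x detection gap) is an assumption for
illustration, not an industry standard.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed red-team log: ATT&CK technique exercised, whether the blue team
# detected it, and whether it was contained within the agreed response SLA.
RED_TEAM_RUNS: List[Tuple[str, str, bool, bool]] = [
    ("T1566.001", "Spearphishing Attachment",  True,  True),
    ("T1059.001", "PowerShell",                True,  False),
    ("T1003.001", "LSASS Memory",              False, False),
    ("T1021.002", "SMB/Windows Admin Shares",  False, False),
    ("T1486",     "Data Encrypted for Impact", True,  True),
    ("T1078",     "Valid Accounts",            False, False),
]

# Constructed CTI feed: relative prevalence (0..1) of each technique in
# reporting about actors that target this organization's sector.
CTI_PREVALENCE: Dict[str, float] = {
    "T1566.001": 0.9, "T1059.001": 0.8, "T1003.001": 0.7,
    "T1021.002": 0.6, "T1486": 0.9, "T1078": 0.85,
}

# Constructed exposure weights (0..1): how directly each technique reaches
# the organization's crown-jewel assets (domain controllers, backups, ...).
ASSET_EXPOSURE: Dict[str, float] = {
    "T1566.001": 0.6, "T1059.001": 0.7, "T1003.001": 1.0,
    "T1021.002": 0.8, "T1486": 1.0, "T1078": 1.0,
}

# Assumption: a technique the CTI feed never mentions is still scored, at a
# middling prevalence, and flagged so it is not silently dropped from the profile.
DEFAULT_PREVALENCE = 0.5


@dataclass
class RiskEntry:
    technique_id: str
    name: str
    prevalence: float
    exposure: float
    gap: float
    risk: float
    cti_known: bool


def detection_gap(detected: bool, contained: bool) -> float:
    """Residual-gap factor derived from the blue team's outcome (assumed weights)."""
    if not detected:
        return 1.0   # never seen: the full gap remains
    if not contained:
        return 0.5   # alert fired, but response missed the SLA
    return 0.1       # detected and contained: residual risk only


def build_risk_profile(runs, cti, exposure) -> List[RiskEntry]:
    """Score every exercised technique and return them highest risk first."""
    profile: List[RiskEntry] = []
    for tid, name, detected, contained in runs:
        known = tid in cti
        prev = cti.get(tid, DEFAULT_PREVALENCE)
        # Assumption: an asset not yet scored is treated as fully exposed.
        exp = exposure.get(tid, 1.0)
        gap = detection_gap(detected, contained)
        profile.append(RiskEntry(tid, name, prev, exp, gap,
                                 round(prev * exp * gap, 3), known))
    profile.sort(key=lambda e: e.risk, reverse=True)
    return profile


def detection_coverage(runs) -> float:
    """Share of exercised techniques the blue team detected at all."""
    return sum(1 for _, _, d, _ in runs if d) / len(runs) if runs else 0.0


def containment_rate(runs) -> float:
    """Share of exercised techniques contained within the response SLA."""
    return sum(1 for _, _, _, c in runs if c) / len(runs) if runs else 0.0


def top_gaps(profile: List[RiskEntry], n: int = 3) -> List[str]:
    """Technique IDs that should head the remediation queue."""
    return [e.technique_id for e in profile[:n]]


if __name__ == "__main__":
    prof = build_risk_profile(RED_TEAM_RUNS, CTI_PREVALENCE, ASSET_EXPOSURE)
    print(f"detection coverage: {detection_coverage(RED_TEAM_RUNS):.0%}, "
          f"containment: {containment_rate(RED_TEAM_RUNS):.0%}")
    for e in prof:
        note = "" if e.cti_known else "  (not in CTI feed; default prevalence)"
        print(f"{e.technique_id:<10} {e.name:<26} risk={e.risk:.3f}{note}")
```

The point of the ranking is that "detected" and "secure" are not the same thing: PowerShell abuse was detected but not contained, so it still outranks the phishing lure that was caught and closed, while two undetected credential techniques with high CTI prevalence rise to the top regardless of how many alerts the SOC produced overall. Coverage and containment rates are the kind of risk metric a board can act on; the raw alert volume is not.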
Eliminating Unnecessary Barriers
Worldwide, hiring managers are having a heck of a time finding people to join them in their risk management activities. Each culture I’ve visited has different ways of stating and addressing this issue. But the more effective solutions involve finding creative ways to upskill workers.
For example, I witnessed Thailand’s NCSA Secretary General, Amorn Chomchoey, create micro-learning opportunities for his security operations center (SOC) workers. This eliminates a barrier because micro-learning helps keep workers learning while on the job.
In Jamaica, I saw a small company, called MS Tech Solutions, increase its risk management capabilities by turning its students into SOC interns. They asked themselves, “Why create an unnecessary distinction between student and learner?” In New York, I learned how CIOs and CISOs take steps to eliminate traditional causes of poor communication between business units. Their first step is to see IT and security workers as vital elements of any business discussion.
By eliminating the unnecessary divide between student and worker, and between IT pro and business strategist, these organizations are making themselves more efficient and ready to manage risk. But these are only a few steps. Lots of work remains to be done when it comes to identifying and managing the root causes of risk in organizations.
Your Next Steps: The Complete Guide to Risk Management
At this point, it’s easy to throw out additional terms like incident response, business continuity, cloud backup and the NIST Cybersecurity Framework (CSF). But, if you’re really looking to learn more about what risk management means today, take a look at our Complete Guide to Risk Management. We created it because our research has shown us that organizations need access to a deeper discussion into the best practices that bring about security maturity.
You’ll find that risk management concepts are found throughout CompTIA certifications, beginning with CompTIA IT Fundamentals (ITF+) through CompTIA Security+ and CompTIA Advanced Security Practitioner (CASP+).