Cyber Security and Risk Mitigation Go Hand in Hand

Cyber risk means different things to different people in an organization. Deloitte distinguishes it well: a CEO might worry about the expected financial loss related to cyber risk exposure, while the CFO is challenged to show the value of security while managing the associated costs. The CMO might worry about the impact to the brand if a breach of the company occurs, while the CISO is thinking about which key initiatives to prioritize to maximize risk buy-down. But one thing that savvy executives agree on is that cyber security is a business risk that should be included in corporate risk mitigation strategy and processes.

Cyber Risk Mitigation focuses on the inevitability of disasters and applies actions and controls to reduce threats and impact to an acceptable level.

Lisa Lee, Chief Security Advisor for Financial Services in Microsoft’s Cybersecurity Solution Group, partnered with Circadence in April 2020 to talk about this topic in a webinar. Originally broadcast for a financial risk mitigation audience, the practical advice Lisa offers in 6 areas of cyber risk mitigation is broadly applicable.

Cyber Risk Insurance

Insurance can help to reduce the financial impact of an incident, but it does NOT reduce the likelihood of a cyber breach happening – in the same way that having car insurance helps with the financial consequences of an accident but cannot in any way prevent an accident from occurring.

Identity and Access Management

Microsoft recommends making “Identity” the security control plane. Employees use multiple devices (including personal devices), networks, and systems throughout their lifecycle with a company. The explosion of devices, apps, and users makes security built around the physical device perimeter increasingly complex. At the same time, access to on-premises and cloud systems is shifting to meet business needs. Partners, vendors/consultants, and customers might also all require varying degrees of access. A strongly protected, single user identity at the center of the business for each of these constituents can dramatically improve the efficiency and efficacy of the company’s overall security posture.

Configuration and Patch Management

This is IT or cyber security 101. Everyone should be doing it on a consistent basis. But 20% of all vulnerabilities from unpatched software are classified as High Risk or Critical. The Center for Internet Security is an excellent resource for more information on best practices.

Asset Protection (devices, workload, data)

There is a massive amount and diversity of signal data coming in from the network, and there are many tools on the market to help with collection, management, and assessment. Lisa advised not to spend too much time trying to evaluate and select the best-of-breed tool in each category. Rather, find a suite that works well together so that you don’t have to spend time on integration. Beyond devices, also consider your security policies and practices to ensure visibility for workloads across on-prem, cloud, and hybrid cloud environments. And finally, consider protecting the information directly so that wherever data elements go, even outside the company, they carry protection with them. The key to this is encryption.

Monitoring and Management

These two concepts are seemingly more about ‘risk management’ than ‘risk mitigation’. But monitoring helps you to ‘know what you don’t know’ in order to adapt and improve mitigation strategies. And today, many of the monitoring tools from Microsoft and other vendors have features that enable cyber analysts to take action, i.e., analysts can use the same tool that helps identify a vulnerability to then resolve it.

Cyber Security Training

Security is an ever-changing situation because bad actors are always developing new attacks. Therefore, training and education are an ongoing requirement for cyber professionals. Circadence’s Project Ares is a cloud-based learning platform specifically designed for continuous cyber security training and upskilling. IT and cyber organizations that invest in ongoing training for their people are making as strong an investment in mitigation as in the tool stack that the analysts use on the job.

With consideration in all 6 of these areas, you will be able to architect and compose a comprehensive cyber mitigation strategy.

Here’s a link to the full webinar. It’s only 45 minutes long, and Lisa provides more detail in each of these categories.

Great Dance Partners: How Cybersecurity and Risk Mitigation Go Hand in Hand


Computer Fraud and Security – Gamification as a Winning Strategy

In this “game of protection” to balance defensive and offensive security techniques, now is the time for CISOs and business leaders to reach for a new cyber security manual – one that leverages gamification.

Are you living the CISO nightmare? Five Cyber Concerns Keeping Them Up at Night

What keeps CISOs up at night? Is it the looming concern of a threat? The uncertainty of cloud security? Wondering if you have enough cyber pros on the frontlines to defend and protect? Maybe it’s all three – and more. CISOs are carrying a lot of security responsibility on their shoulders, all while trying to make sure their department is transparent, vigilant, agile, and of course, secure. Focusing on so many areas of digital opportunity, security vulnerability, and defensive improvement makes it challenging for CISOs to truly dedicate attention to any specific operational “thing” for too long before they have to move on to the next issue. Adapting to this rapid pace of change in the security industry can compromise security strength and lead to growing concerns about whether teams are really prepared for the next threat. We’ve pinpointed the top five cybersecurity concerns of CISOs that are the stuff nightmares are made of.

  1. New Threats

This shouldn’t be a surprising concern. Threats are ever-evolving, just as technology and digital connectivity are. While CISOs strive to keep their defenses up to snuff with the latest technology, there is always a new weakness waiting to be exploited. The recent government shutdown is a perfect example. It pulled many defenders off the frontlines of security, leaving the door wide open for malicious hackers to walk in and do unimaginable damage. Also, the 2016 election attracted black hat hackers to manipulate public perception of the race via the use of social media. There’s always a new threat, a new vulnerability to be wary of—and CISOs are looking for ways to ensure their teams are always ready, always prepared, and have the proper support they need from machines and fellow colleagues to keep assets and people safe from harm.

  2. Minimal Agility

While CISOs desire agile operations and solutions, many still follow a linear “waterfall” model with sprinklings of agile adaptations. Developers who create security solutions, in particular, tend to follow prescriptive, step-by-step requirements without always considering how security fits into the bigger solution picture. One can imagine the repercussions of such an approach. Failure to close the widening gap between deployment velocity and security implementation can yield weak security resilience. CISOs wonder if their organizations are strong enough to have both deep security testing in place and remediation plans effective enough to remove any semblance of fear, uncertainty, and doubt. DevSecOps spells opportunity for agile security, as the approach advocates for the integration of security “checks” during every stage of development, from planning to coding to testing, deployment, and monitoring.

  3. IoT and Cloud Security

As work migrates out of the traditional office, users are moving off the network and accessing the cloud directly. More applications and servers are moving to the cloud to save money, achieve scale, and obtain greater access. However, massive amounts of sensitive data are now stored in the cloud, and the “location” of that data and the perceived lack of visibility are concerning for CISOs. According to a Kaspersky Lab study, one in three CISOs ranked cloud computing as a top security risk. Part of a CISO’s job is to apply controls to cloud security, but when other responsibilities, including managing security solutions, take priority, concerns about cloud security often go unalleviated.

  4. Cybersecurity Skills Gap

This is one of the recurring nightmares for CISOs: finding and retaining enough security talent to build a capable cyber team with the right skills to address attacks. CISOs need a solution to improve the cyber skills at their company but can’t realistically send everyone away to class. Likewise, CISOs may realize they have skills gaps on their teams, and assessing their competencies and hiring the right talent is becoming a growing challenge. Further, every CISO is concerned about their company being the next news headline of a cyberattack, so they are constantly worried about their overall cyber readiness and keeping their teams razor sharp. Looking down the barrel of a 300,000+ security job shortfall in the U.S. alone, CISOs fear their teams, whether large or small and mighty, may not have all the skills they need to effectively stop new threats.

  5. Rebuilding Trust

It’s been a bad few years for cybersecurity leaders with the growing number of well-publicized hacks of large and small companies. Naturally, such news leaves many consumers and company stakeholders distrusting companies that fall victim to these attacks. What’s worse is trying to rebuild trust after an attack. It’s not a flip of a switch or an apologetic PR statement that automatically regains public trust in a company’s data security. It can take months or even years for a company to bounce back from a breach of any magnitude. Privacy issues, security, and device addiction are all elements that need to be addressed from the beginning in order to take ownership and responsibility for how customer data is stored, used, transferred, and accessed.

There’s often too much momentum in the way of today’s cyber operations to allow for any kind of change, but this is something that MUST change. CISOs and their teams live with cybersecurity worries, threats, and “unknown unknowns” that are simply too scary to block out. Frustrated talented resources and limited budgets perpetuate these cybersecurity nightmares. For CISOs to wake up from these horrible scenarios, they need to consider new ways to develop their teams and foster holistic “security is everyone’s responsibility” cultures in order to move forward. New threats, cloud security issues, and skill gap concerns can be quelled with the proper persistent learning solutions in place to empower and augment cyber teams toward a stronger security infrastructure. Likewise, educating the entire staff, not just the IT department, on security issues and best practices ensures everyone will have sweeter dreams.
