Do you have a risk management strategy in place? If so, how solid is it? Will it withstand the rigours of any security threat? If not, the consequences could be catastrophic, as editor Brian Wall reports.
What are the main drivers that need to be considered to achieve a real and sustainable risk management strategy? How exactly do you structure a risk management framework for your business? And what are the likely consequences of not having such a framework in place? These are all questions that need to be addressed, if you are to handle this challenge with any degree of success. And it’s a territory that can be fraught with pitfalls.
“Given today’s complex threat landscape, a standard approach to risk management has become a way of the past,” warns Steve Durbin, global vice president, Information Security Forum. “Resilience is the new way forward and organisations require a resilient security strategy that is not just robust, but also flexible.
To achieve this, companies need to approach risk management in three key stages, he advises. First, it’s essential to develop a cohesive security framework designed to ensure risk management becomes a fully integrated part of the organisation, but also delivers stakeholder value, aligns to the organisation’s overall strategy and provides information assurance. “This framework should be recognised at a senior level within the organisation, and based on the participation of business owners, individuals responsible for running critical infrastructure and the information security specialists that advise on it.” The second step is to translate this strategy into action by encouraging greater engagement and communication across the entire business. “In practical terms, this will require organisations to undertake a programme of continuous improvement, rather than relying upon a standard security audit,” he says. “Organisations will also need to have a strong understanding of their risk appetite, and ensure that the value of their ongoing security investment meets the needs of the business, is adequate and also well spent.”
Lastly, while individual threats will continue to pose a risk, there is even more danger when they combine. Traditional risk management is simply not agile enough to deal with today’s multi-faceted mix of internal, external, regulatory and cyber security hazards.
Know Your Enemy
As a result, businesses need to implement policies, procedures and tools that support good governance. “Ultimately, organisations need to rethink how they handle enterprise risk by creating a more business-focused security strategy. This approach will not only help to minimise risk and prevent reputational damage right now, but will also allow the adoption of a more resilient approach to risk management, as the threat landscape continues to change in the future.”
Today, security research focuses heavily on vulnerabilities. “Knowing your weaknesses is essential, but to truly protect an organisation, security professionals must have a deep understanding of the adversary,” states Rob Rachwald, director of security strategy, Imperva. “Can you imagine an army showing up on a battlefield with zero knowledge of their opponents’ weapons or tactics? General Custer tried it once.”
In cyber security, knowing the enemy is vital for several reasons, he adds. “First, hacking has become industrialised. Attacks leverage automated attack tools that make the volume of attacks massive. Secondly, attack techniques and attack vectors keep evolving with an ever rapid pace. Hackers pride themselves in new innovations, just like anyone else. Thirdly, attack tools and platforms keep evolving at pace that is very difficult to monitor.
Finally, security teams must have a disciplined process for risk management, and knowing hacker tactics helps security teams maintain effective security in a limited budget environment by helping them keep an eye on their opponents, rather than the theory of threat.
For example? “Many reports exist, describing the volume and prevalence of web application vulnerabilities. From a CISO perspective, this is useful, but how do you prioritise what to do?” But it gets worse. Attacks targeting high-value business data and applications have increased in sophistication, scale and frequency. And organisations of all sizes are losing the battle to prevent hacking, data breaches, internal abuse and fraud.
“These same organisations too often also become mired in increasingly complex regulatory standards, intended to force them to protect their business assets. Unfortunately, existing network and endpoint security solutions are easily circumvented by sophisticated application and business logic attacks, and do not provide visibility into the usage of data and thus cannot address insider abuse.” But failure of network and endpoint security stacks to defend against business threats is not surprising. These categories were developed to solve different threats than those facing the business today, he says. “As organisations adopt new technologies and architectures that increase the sophistication and openness of the data centre, they expose their businesses to new threats. What’s needed is a new category specifically built to address these threats.” What should risk managers do? Rebalance the software security portfolio, he advises, to address the shifting landscape.
Meanwhile, the changing face of the security backdrop has brought us to a place where remote access, combined with IT security as well as physical and mobile access, is growing in significance, argues Harm Radstaak of HID Global. “Given the influx of employee owned devices in the workplace and the integration of physical security procedures like access control and CCTV, as well as the challenges that new trends like NFC pose, tackling risk has become more of a Rubik’s Cube than a customary checklist,” he says. “The pressure on businesses to develop a comprehensive and adaptable risk management strategy that can meet these variables has never been greater – not to mention magnified by UK society.
“While the task of controlling access to rooms or buildings has traditionally been kept separate from managing how users can access information on their desktop or via the corporate network, the convergence of these physical and logical strands will require a substantial change in thinking for any organisation. Cultivating a risk aware culture and understanding security vulnerabilities in all their guises begins with the question of who is accessing what, where, when and how? “The new paradigm here is mobile access,” he advises. “As well as running specific applications on devices like smartphones or tablets that deal with system control, they are also being deployed as identifiers for, say, physical access control applications. This makes the implementation of a hybrid access control system, which merges both logical and physical security infrastructures, integral to the formulation of a risk management system capable of working effectively and mitigating unnecessary risks.”
No-one is Safe
The growing list of companies that have faced cyber attacks is testament to the reality that no one is safe. Most organisations have absolutely no control over their encryption assets. Risk managers have no way to ensure that policies – if they do exist – are being adhered to. These organisations have opened themselves to systemic, unquantified and unmanaged risk – with potentially ‘life threatening’ consequences, warns Calum MacLeod, EMEA director, Venafi.
“Very few organisations have a response plan for public key infrastructure (PKI) disasters, such as the compromise of a certification authority (CA) or an algorithm that becomes computationally weak. Attackers, on the other hand, understand the enormous attack leverage they gain from targeting these high-value assets,” he says.
“Unfortunately, when a CA or private key is compromised, managers in the vast majority of enterprises wouldn’t know where to start.” So what should you do? “Risk managers should consider several practical steps based on industry best practices,” he advises, including:
- Clarify the importance of encryption deployment and management, including the threats against which encryption protects and the consequences of a security breach, with regards to lost revenue, regulatory fines, IT costs and operational downtime
- Define clear encryption certificate and key management policies, processes, and procedures
- Implement a central inventory and monitoring system to ensure that all encryption assets are accounted for and tracked, that owners for each asset are known, and that notifications are sent for impending certificate expiration, errors and other issues
- Automate key and certificate lifecycle management
- Dedicate sufficient staff to managing the implementation and maintenance of central encryption key and certifi- cate management policies and technologies.
Nor is this all about size. However big a company may be or whatever sector it falls within, security usually falls down at the same place – coping with the blizzard of data. “Companies on the whole don’t know where data is, who the users are and who’s making changes to it,” asserts Erik Petersen, director of security and risk consulting, Dell SecureWorks. “No organisation seems able to achieve this and it makes risk management complex, as the data is all over the place.”
People frequently ask about industry best practice when it comes to risk management, and that shouldn’t be the focus. Copying someone else’s approach may not translate well to your business. A risk management strategy has to translate into a workable risk management plan,” he says. “The drivers are individual for each organisation – business leaders need to examine what their own risk threshold is, plan and develop a structure accordingly. A company’s attitude to risk will determine how much they spend on security: it should be proportional. The strategy needs to be derived from IT and the overall business to ensure they’re aligned and working in coordination.
It’s easy to spend your whole life looking at possible routes and potential attacks. “Take a step back and put in processes for different tiers of attacks.” he recommends. “Draw on multiple industries, look at other examples to build from. Most importantly – don’t be led astray by trying to fit into someone else’s framework for best practice. There’s a risk that businesses spend all their time looking for the perfect situation – but it doesn’t exist. You should try to improve on what you have to create better processes, rather than ticking boxes for compliance.”
There are three primary strategies that organisations should pursue for managing risk in association with securing their IT infrastructure, believes Kevin Cunningham, president and founder, SailPoint. First, they must instill a risk management discipline across the organisation. “This requires a formal categorisation of risks, in order to understand potential threats and vulnerabilities, and to implement the appropriate set of controls to balance the business’ need for convenience, usability and availability with the need for security measures that mitigate risk. This includes implementing the necessary controls to eliminate specific risks, such as workers who hold access privileges they don’t need, terminated workers whose access privileges are not removed or toxic combinations of access privileges that increase the potential for fraud, etc.
To effectively address risk, organisations must also deploy ‘identity intelligence’ tools that provide visibility and improve control across large numbers of enterprise systems, applications and data. “In order to achieve transparency and better manage risk, the organisation will need to inventory, analyse and understand the access privileges granted to employees, partner, and sometimes even customers – and to be ready to answer the critical question on demand: ‘Who has access to what?’ Compiling and correlating this data manually is usually not a viable approach, due to the complexity of the IT environment and the frequency of changes that routinely occur to user populations. Therefore, an automated approach that provides data on demand is required.”
Equally, the overall security strategy must foster collaboration between business staff and IT staff. “Addressing risk requires business-level participation, as business managers need to align IT operational policies to business policies and priorities. Likewise, IT is in the best position to gather the data on who has access to what and report back to the business people to let them determine if that access is correct or not.”
Possibly the biggest downfall for security and risk management is complacency, cautions Karl Driesen, VP Europe, Middle East & Africa, Palo Alto Networks. “Many organisations put in place a security programme and, provided there are no visible signs of breach or attack, no changes are made to this programme. The danger in this approach is that, while defences are not evolving, attackers’ techniques are.
“One could say there aren’t any real winners in security, as there is never a definitive finish line. There are, however, losers, who can fall at the many hurdles along the way. The way to avoid losing is to continuously identify vulnerabilities and to manage all of your network traffic at an application, user and content level. By doing this, you can intelligently evolve your defences to protect against these threats.” Complexity is the enemy of security, he adds, especially where restrictive policies inadvertently encourage employees to find ‘workarounds’ to get their jobs done still. “This approach to security resembles reactivity more than strategy. Non-pliable systems may appear robust from the outset, but plugging each individual leak with bolt-on fixes could ultimately lead to a flood. Having adaptability at the core of your risk management strategy will prove most effective.”
Ultimately, ‘rocket science’ is not something that is called for with any of this. Even a basic understanding of business risk can go a long way towards structuring a risk management framework for your business, says Richard Hibbert, president & CEO of SureCloud. “Risk management is perceived by many to be a complex, somewhat mystical activity and invariably gets pushed to the bottom of the priority list when it comes to information security. However, the principles of risk management are very simple.” He suggests this action plan:
- Catalogue your critical business assets
- Value or score them, in terms of impact to the business, in the event that incidents result in unwanted disclosure, modification, non-availability and/or destruction of the asset
- Understand the likelihood of an incident occurring (the risk)
- Put in place mechanisms (controls) to reduce the risk, which could be policies and procedures – or technology such as firewalls, anti- virus and SIEM (security information and event management).
“Even by conducting a ‘finger in the air’ analysis of critical assets, including the impact to the business in the event that a security incident occurs, the organisation will be well placed to prioritise and treat risks,” Hibbert concludes.