Dyman & Associates Risk Management Projects: How To Get The Most Out Of Risk Management Spend
Even with most security budgets growing or at least staying flat for 2014, no organization ever has unlimited funds for protecting the business. That's where a solid risk management plan can be a lifesaver.
Dark Reading recently spoke with a number of security and risk management experts, who offered practical tips for getting the most out of risk management. They say smart risk management strategies can make it easier to direct security funds to protect what matters most to the business. Organizations that use them typically can base their spending decisions on actual risk factors for their businesses, rather than employing a shotgun strategy that chases after every threat under the sun. Here are a couple of ways to start making that happen.
Establish A Risk And Security Oversight Board
If an organization is going to get more for its IT risk management buck, then the first thing it has to remember is that security risk is only one facet of business risk. That is why it is important to engage with cross-functional teams, says Dwayne Melancon, chief technology officer for Tripwire, who explains doing so makes it easier to look at risk holistically.
Melancon says he has seen many customers establish "Risk and Security Oversight Boards" that are made up with leaders like the CFO, chief legal counsel, and other stakeholders from across the business.
"This board discusses, prioritizes, and champions actions and investments based on a risk registry developed through cross-functional debate and agreement," he says. "This approach ensures that the business ‘puts their money where their mouth is’ and helps align different parts of the business around the short list of risks that have the potential to cause most harm to the business."
Get A Second Opinion
Even if an oversight board may not be practical, getting a second opinion from the business as to where IT risk management should focus stands as a crucial way to set priorities.
"One way we've seen success with this is to engage with legal, finance, and PR instead of the IT executives," says J.J. Thompson, CEO and managing director for Rook Security. "They identify the real issues with simplicity and have not been brainwashed by the IT industry, who still struggles to realize what really matters to business."
For example, in one consulting engagement, Thompson says his CIO contact was caught up in focusing on standard ISO 27000x practices around SOC services Rook would offer his firm. But when his consultants talked to that firm's legal department, they were most concerned about how that SOC outsourcing would affect their largest defense contractor client. That was the No. 1 risk priority.
"The business was simply concerned about the highest area of risk: that which directly pertained to their largest client," Thompson says. "We shifted focus to the controls that directly reduced the risk of such a compromise occurring and tailored custom control monitoring that focused on creating a sensitive data map, and setting custom anomaly detection triggers when the sensitive data is accessed."
[Are you getting the most out of your security data? See Dyman & Associates Risk Management Projects blog updates for techniques and security trends.]
Map Risk To A Business Bloodline
What's the business bloodline for your company? In other words, what are the areas of the business for which security threats could truly disrupt the way in which the organization operates? This is exceedingly important to determine -- and one that second opinion should help deliver. Once you figure that out, start mapping technical elements to it in order to understand what kind of events could do the organization the most harm, says Amichai Shulman, chief technology officer for Imperva.
"For some companies, a POS system or its database full of credit cards may be its most valuable assets; for some it may be Social Security numbers and the personal information attached," he says.
"For a company that bases its livelihood on transactions and uptime, the loss of revenue or customer loyalty caused by a DDoS could be devastating."
Communicate Risk Visually
A big part of risk management is communicating identified risks both up to senior management and down to the security managers who will put practices in place to mitigate them. One of the most effective ways to do that is to make those results visual.
"Pursuing risk management purely within security can help you make better decisions, but it can't help you get the right level of funding unless you can show people outside what you're doing," says Mike Lloyd, chief technology officer for RedSeal Networks. "Helping executives outside to understand is hard. Doing this with formulae won't work -- you will need pictures."
For example, Rick Howard, chief security officer for Palo Alto Networks, says that any time he starts a proposal to the executive suite; he begins with a business heat map that shows the top 10 to 15 business risks to the company on a grid. Typically cyber-risk is in that top 15, which makes it easier to get the company to address those risks more fully.
"Once that is done, I like to build a risk heat map just for cyber," he says. "I take the one bullet on the business heat map and blow it up to show all of the cyber-risks that we track. Again, this is not technical -- it is an overview. We are not trying to show the 1,000 potential ways that an adversary can get into the network. We want to show the C-suite who the adversary is."
To read more about Risk Management Projects articles, visit our website.
Target’s Cyber Security Staff Raised Concerns in Months Before Breach
Target Corp.’s computer security staff raised concerns about vulnerabilities in the retailer’s payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, people familiar with the matter said.
At least one analyst at the Minneapolis-based retailer wanted to do a more thorough security review of its payment system, a request that at least initially was brushed off, the people said. The move followed memos distributed last spring and summer by the federal government and private research firms on the emergence of new types of malicious computer code targeting payment terminals, a former employee said.
The suggested review also came as Target was updating those payment terminals, a process that can open security risks because analysts would have had less time to find holes in the new system, the employee said. It also came at a difficult time—ahead of the carefully planned and highly competitive Black Friday weekend that would kick off the holiday shopping period.
It wasn’t clear whether Target did the requested review before the attack that ran between Nov. 27 and Dec. 18. The nature of the feared security holes wasn’t immediately clear, either, or whether they allowed the hackers to penetrate the system.
The sheer volume of warnings that retailers receive makes it hard to know which to take seriously. Target has an extensive cyber security intelligence team, which sees numerous threats each week and could prioritize only so many issues at its monthly steering committee meetings, the former employee said.
Target declined to confirm or comment on the warning.
The breach has caused headaches for Target customers who have dealt with fraudulent charges and have had millions of credit and debit cards replaced by issuers. Investigators and card issuers haven’t quantified damages from the attack.
Scam court email alert
The Business Crime Reduction Centre (BCRC) is warning people about a new email scam that threatens victims with court action.
Fraudsters have been sending out legitimate looking spoofed emails designed to trick recipients into installing malware.
The emails say you have been notified and scheduled to appear for a court hearing and contains specific dates, times, locations and reference numbers.
It asks you to download a copy of the “court notice” attached. The dowloadable.zip file actually contains an. exe file (a file that executes when clicked) containing a virus.
The email has no connection to the Criminal Justice System and anyone receiving the email should not download any attachments or click any links. Report to Action Fraud by using the online fraud reporting tool.
You are likely to see some variations of this email, as it is easy for fraudsters to amend the details and continue targeting people.
BCRC’s cyber security specialist said “the email is difficult to block as the subject headers change frequently.”
He also said: “Provoking a paniked, impulse reaction has become a very common scam technique for cyber criminals. Opening the attachment allows the criminal to spy on the victim, use their computer to commit crime, or steal personal and financial information.”
Dyman & Associates
Risk Management Projects: How To Get The Most Out Of Risk Management Spend
Dyman & Associates Risk Management Projects: How To Get The Most Out Of Risk Management Spend
By Valerio Anema
Dyman & Associates Risk Management Projects: How To Get The Most Out Of Risk Management Spend
- 430
