As companies continue to respond to the global pandemic, millions of their employees are working remotely, often from home. While this is the recommended response, it’s also creating new cyber risks. More specifically, organizations face four daunting challenges today that significantly increase their risk exposure: Distributed workforce: Organizations have created a distributed workforce on an unprecedented scale. But many of these devices are not up to date with the latest patches and hence poses a … More
The post Why you should make cyber risk a business gain, not a loss appeared first on Help Net Security.
Concerns around security, privacy, cloud and technology resilience are being further fueled by shifting business priorities, the pandemic-induced remote work environment and accelerated deployment of new technologies, according to a survey from Protiviti and ISACA. Entering into 2021, IT audit groups – particularly those in more digitally mature organizations – are utilizing more dynamic and real-time approaches to technology risk assessment, which enables them to be more agile and responsive to the rapidly evolving risk … More
The post Organizations further along the digital transformation maturity spectrum have an advantage appeared first on Help Net Security.
Both business and security leaders are allowing massive insider risk problems to fester in the aftermath of the significant shift to remote work in the past year, according to a Code42 report.
During that same time, 76% of IT security leaders said that their organizations have experienced one or more data breaches involving the loss of sensitive files and 59% said insider threat will increase in the next two years primarily due to users having access to files they shouldn’t, employees’ preference to work the way they want regardless of security protocols and the continuation of remote work. Despite these forces, 54% still don’t have a plan to respond to insider risks.
“Insider risk affects every organization. It is a byproduct of employees getting their work done everyday – how they create, access and share files in today’s collaboration culture. However, security teams are at a disadvantage: there is a lack of understanding of insider risk, which is leading to complacency, failing technologies and inadequate processes. The severity of the insider risk problem is being consistently overlooked, evidenced by the sharp rise in risky behavior this year,” said Joe Payne, Code42’s president and CEO.
“Our findings show that organizations are not even measuring the efficacy of their insider risk mitigation programs. Inattention to insider risk management, as demonstrated in this report, will threaten the future of the digital enterprise.”
COVID-19 exacerbated an already growing threat
Prior to the pandemic, cloud-based collaboration technologies and workforce turnover had become major drivers of data exfiltration as insider threat programs were failing to keep pace with today’s digital workplace.
Insider risk is not a new threat vector, but with our new work-from-home normal and rising employee burnout rates, employees are 85% more likely to leak sensitive files now, than before COVID-19. And the leaking of sensitive files isn’t just theoretical – since COVID-19, 61% of IT security leaders said their remote workforce was the cause of a data breach.
Additionally, the study found:
- In the past year, 76% of IT security leaders say their organization has experienced one or more data breaches involving the loss of sensitive information contained in files.
- Of those data breaches, the two most common causes were malicious or criminal insiders and employee carelessness, followed by external attacks and system glitches.
Insider risk response plan
Today IT security leaders say it takes an average of 118 days to identify a data breach and 55 days to contain one – a nearly six month process. Why is that? 46% of organizations have an insider risk response plan (IRRP). Of those with an IRRP, 71% apply it inconsistently or on an ad hoc basis.
In addition to insufficient response planning, the majority of security tools for insider risk are not adapted to the way we work. 71% of IT security leaders lack complete visibility to sensitive data movement.
The study also found:
- 80% of business decision makers believe they are entitled to or should own the work product they create.
- Insider risk processes are broken in 70% of organizations where the C-suite and board of directors are briefed on insider threats annually, on an ad-hoc basis, only when they request it or not at all.
- 40% say they do not regularly – or ever – assess the effectiveness of their technologies in mitigating the insider threat.
- 66% of IT security leaders believe their budget for insider risk is insufficient and 54% of them spend less than 20% of their budgets on insider risk.
Security teams need to mature their capabilities – and DLP is not the answer
Productivity demands are requiring the use of tools that enable speed and collaboration across organizations, but security teams are largely limited in their ability to monitor those tools for risky behavior due to an over-reliance on traditional, blocking technologies.
Security teams are missing the right context for the problem, and instead continue to deploy technologies that block file sharing, inevitably impacting productivity both for employees and security teams. At the same time that trends around remote work are expected to continue, budget for insider risk programs remains a concern.
The study found:
- 59% of IT security leaders say insider threat will increase or increase significantly in the next two years primarily due to users having access to files they shouldn’t, employees’ preference to work the way they want regardless of security protocols and the continuation of remote work.
- Employees are being disrupted while trying to do legitimate work. 51% of IT security leaders receive daily or weekly complaints about mistakenly blocking legitimate employee file activity.
- Files moving from endpoint to cloud services and applications, whether employees are on or off the network, are the biggest insider risk blindspots for security teams.
- 53% of security teams are blind to users moving files to untrusted domains. And 56% of security teams lack historical context into user behavior. In other words, security teams have no idea when an employee may become an insider risk.
A proactive technology refresh strategy and a well-integrated tech stack are, according to a recent Cisco report, two security practices that are more likely than many others to help organizations achieve goals such as keeping up with business, creating security culture, managing top risks, avoiding major incidents, and so on.
A well integrated IT and security tech stack is a practice that is most conducive to retaining security talent, creating a security culture, and running cost-effectively, while a proactive tech refresh strategy will (most prominently) help achieve business goals, meet compliance regulations, avoid major incidents, and streamline IR processes.
Cisco’s report is based on a double-blind study that polled over 4,800 active IT, security, and privacy professionals from 25 countries around the world.
The analysis of the results revealed many expected and unexpected things:
- Identifying top cyber risks and having someone in the company who “owns” the compliance function (i.e., has “compliance” in the job title) does not correlate with any of the wanted outcomes.
- A well-integrated tech stack improves recruitment and retention of security talent.
- A strong security culture embraced by all employees depends on good equipment, a clearly communicated and sound security strategy, and timely fixes when things break.
- Major incidents and losses can be avoided by proactively refreshing the technology used and by learning from prior incidents, through prompt disaster recovery, sufficient security tech, timely incident response and accurate threat detection.
- The effective use of automation helps companies keep up with business, run cost-effectively, minimize unplanned work, retain security talent and streamline IR processes, but does not correlate with meeting compliance regulation or avoiding major incidents.
- Organizations that successfully minimized the impact of COVID-19 on operations maintained a modern IT and security infrastructure, had adequate security staffing levels and invested in role-based training, and kept top executives informed.
- Meeting and maintaining compliance is the goal that’s easiest to achieve, while minimizing unplanned work is the hardest.
The most important success factors
In general, proactive tech refresh, well-integrated tech timely incident response and prompt disaster recovery significantly contribute to nearly every security outcome. Other practices may correlate to one or two specific outcomes or to all, but to a lesser extent.
“Beyond adherence to specific practices, we also asked respondents about where their security programs place the greatest priority in terms of investment, resources, and effort. We used the high-level security functions defined in the NIST Cybersecurity Framework (CSF) for this,” the company noted.
“While the CSF’s Protect function isn’t at the bottom for every outcome, it ranks next to last for contributing to the overall success of the security program (Identify ranks #1). That’s certainly counterintuitive, but we don’t see this as suggesting protection isn’t important. Rather, it indicates that the best programs invest in a well-rounded set of defenses to identify, protect, detect, respond, and recover from cyber threats. The field has long been protection-heavy; this says that protection alone is not the most effective strategy.”
The company has also published individual reports that cover various regions and the healthcare and financial services sectors
In this interview, Matt Cooke, cybersecurity strategist, EMEA at Proofpoint, discusses the cybersecurity challenges for retail organizations and the main areas CISOs need to focus on.
Generally, are retailers paying enough attention to security hygiene?
Our research has shown that the vast majority of retailers in the UK and Europe-wide simply aren’t doing enough to protect their customers from fraudulent and malicious emails – only 11% of UK retailers have implemented the recommended and strictest level of DMARC protection, which protects them from cybercriminals spoofing their identity and decreases the risk of email fraud for customers.
Despite this low and worrying statistic, it’s promising to see that a small majority of UK retailers have at least started their DMARC journey – with 53% publishing a DMARC record in general. When we look at the top European-wide online retailers, 60% of them have published a DMARC record.
If we compare this to the largest organisations in the world (the Global 2000), only 51% of these brands have published a DMARC record. This illustrates the retail industry is slightly ahead of the curve – therefore certainly is paying attention to security hygiene – but there’s still a long way to go.
Unfortunately, starting your DMARC journey isn’t quite enough – without having the ‘reject’ policy in place cyber criminals can still pretend to be you and trick your customers.
What areas should a CISO of a retail organization be particularly worried about?
Business Email Compromise (BEC) and Email Account Compromise Attacks (EAC), are on the rise, targeting organisations in all industries globally. Dubbed cyber-security’s priciest problem, social engineering driven cyber threats such as BEC and EAC are purpose-built to impersonate someone users trust and trick them into sending money or sensitive information.
These email-based threats are a growing problem. Recent Proofpoint research has shown that since March 2020, over 7,000 CEOs or other executives have been impersonated. Overall, more money is lost to this type of attack than any other cybercriminal activity. In fact, according to the FBI, these attacks have cost organisations worldwide more than $26 billion between June 2016 and July 2019.
The retail industry has a very complex supply chain. When targeting an organisation in this sector, cyber criminals don’t only see success from tricking consumers/customers, they can also target suppliers, with attacks such as BEC, impersonating a trusted person from within the business.
We have seen cases within the retail sector where cyber criminals are compromising suppliers’ email accounts in order to hijack seemingly legitimate conversations with someone within the retail business. The aim here is to trick the retailer into paying an outstanding invoice into the wrong account – the cybercriminals’ account, as opposed to the actual supplier.
In addition, due to the pandemic, global workforces have been thrusted into remote working – and those in the retail sector are not exempt. As physical stores have closed worldwide, customer service and interaction has shifted to digital communication more so than ever. Those employees that were used to talking directly to customers, are now using online platforms and have new cloud accounts – expanding the attack surface for cybercriminals.
The retail industry – along with all other industries – need to ensure employees are adequately trained around identifying the risks that might be delivered by these different communication channels and how to securely handle customer data.
Domain spoofing and phishing continue to rise, what’s the impact for retail organizations?
Threat actors are constantly tailoring their tactics, yet email remains the cybercriminals’ attack vector of choice, both at scale and in targeted attacks, simply because it works.
Cybercriminals use phishing because it’s easy, cheap and effective. Email addresses are easy to obtain, and emails are virtually free to send. With little effort and little cost, attackers can quickly gain access to valuable data. As seen in recent breaches, emails sent from official addresses that use the domains of known international companies, seem trustworthy both to the receiver and spam-filters, increasing the number of potential victims. However, this has a detrimental effect on both the brands’ finances and reputation.
Organisations have a duty to deploy authentication protocols, such as DMARC to protect employees, customers, and partners from cybercriminals looking to impersonate their trusted brand and damage their reputation.
Opportunistic cyber criminals will tailor their emails to adapt to whatever is topical or newsworthy at that moment in time. For example, Black Friday-themed phishing emails often take advantage of recipients’ desire to cash in on increasingly attractive deals, creating tempting clickbait for users.
These messages may use stolen branding and tantalising subject lines to convince users to click through, at which point they are often delivered to pages filled with advertising, potential phishing sites, malicious content, or offers for counterfeit goods. As with most things, if offers appear too good to be true or cannot be verified as legitimate email marketing from known brands, recipients should avoid following links.
Do you expect technologies like AI and ML to help retailers eliminate most security risks in the near future?
Today, AI is a vital line of defence against a wide range of threats, including people-centric attacks such as phishing. Every phishing email leaves behind it a trail of data. This data can be collected and analysed by machine learning algorithms to calculate the risk of potentially harmful emails by checking for known malicious hallmarks.
While AI and ML certainly help organisations to reduce risks, they are not going to eliminate security risks on their own. Organisations need to build the right technologies and plug the right gaps from a security perspective, using AI and ML as just part of this overall solution.
Organisations should not outsource their risk management entirely to an AI engine, because AI doesn’t know your business.
There is no doubt that artificial intelligence is now a hugely important line of cyber defence. But it cannot and should not replace all previous techniques. Instead, we must add it to an increasingly sophisticated toolkit, designed to protect against rapidly evolving threats.
Third-party risk management (TPRM) professionals increasingly do not trust that security questionnaires provide sufficient information to properly understand and act on their third-party risk, according to RiskRecon and Cyentia Institute.
As a result, the study found more enterprises are moving towards data-driven third-party risk management programs.
Many firms use questionnaires to assess vendor security risk
The research, based on a survey of 154 active TPRM professionals, found that 79% of firms have a TPRM program, 84% of which use questionnaires to assess vendor security risk.
While 81% of enterprises report that at least 75% of their vendors claim perfect compliance to their security requirements, only 14% are highly confident that vendors actually perform those requirements.
“In the mass outsourcing of systems and services to third parties, enterprises have dramatically increased the scale and complexity of their risk surface. This study reveals that risk professionals widely are of the opinion that questionnaire-based assessments are sufficient for managing third-party risk. The magnitude of risk in the hands of third parties necessitates much better performance visibility than questionnaires can provide,” said Kelly White, CEO, RiskRecon.
“Increasingly, third-party risk teams are adapting the risk management strategies deployed to protect their internal enterprise – rapid acquisition and analytics of objective data that reveal the reality of the quality of each vendor’s risk management program. For example, rather than just trusting vendors’ word that they are properly patching systems, they are using security ratings services and other information sources to objectively assess the quality of their patch management program.”
While the adoption of TPRM surges, there’s still more to be learned
- Companies are critically dependent on third parties, trusting them with their most sensitive data and operations functions. The survey found that one out of three TPRM programs manage more than 100 vendors per year. On average, respondents said that 31% of their vendors could cause a critical impact to their organization if breached, while 25% claim that half of their entire network could trigger severe impacts.
- Lack of proper resources and support continues to be a challenge for effective risk management. 57% of respondents say that staffing levels regularly limit their ability to keep up with the responsibilities of managing risk across their third-party portfolio, as TPRM programs typically manage 50 vendors per full-time employee. And more than 25% of programs report severe personnel shortages, which prevents critical tasks from being completed.
- Professionals do not trust questionnaire-based assessments; adding objective data to close the gap. Only 14% of surveyed professionals report being highly confident in the accuracy of vendor questionnaire responses. For this reason, 42% of respondents use cybersecurity ratings, along with other measures as part of their assessment mix.
“Our study clearly shows that the necessity to manage third-party risk well is not lost on security leaders. While this may be the case, there are stark differences in the methodologies of assessing third-party risk,” said Wade Baker, partner, Cyentia Institute.
“While security questionnaires remain a common program pillar, companies are seeking to achieve better risk outcomes more efficiently by leveraging objective assessment data from services such as security rating solutions. This is where the future patterns and practices of third-party risk management will be defined.”
A CyberGRX report reveals trends and challenges organizations of all sizes face in combating third-party cyber risk today. Each insight was gleaned from proprietary assessment data gathered from a sample of 4,000 third parties.
Twenty percent of an organization’s third parties are high risk
Based on the third-party population ingested by enterprise customers, on average, 20% of an enterprise’s third-party portfolio pose high inherent risk. This means that if these third parties become compromised or unavailable, the fallout of that event will have a high impact on the enterprise.
Unlike residual risk, inherent risk is the risk absent any security controls, but it is critical in helping organizations identify where to focus their due diligence efforts.
Third parties in certain industries still have significant gaps
Third parties in certain industries are more likely to have mature cybersecurity programs, but still have significant gaps. Organizations in the financial, technology, telecom, and healthcare industries are oftentimes third parties themselves.
These third parties tend to have strong controls in place to mitigate risks associated with incident containment, threat removal, and identity authorization and authentication.
Company size correlates with security maturity and coverage
Larger organizations do not necessarily equate to greater risk. In fact, as companies get smaller, data shows they have fewer controls in place and less mature programs.
These smaller companies can retain significant access to sensitive data and systems, and it should not be assumed they pose less risk.
The most common third-party security gaps
The most common third-party security gaps are desktop and laptop protection, server protection and virtualization protection (on-premise or cloud-based).
No matter the reported maturity of their security program, all industries researched reported areas of weakness across the following five areas: desktop and laptop protection; server protection; virtualization protection (on-premise or cloud-based); data at rest protection; and data in motion protection.
These gaps in protections are considered basic security controls. The lack thereof leaves companies—and those in their third-party ecosystem—open to risks such as ransomware attacks, website defacement, data modification, exfiltration, and malicious use of PII.
Vendors posing the greatest risk
Organizations tend to focus on the same set of vendors, but it is often the vendors they aren’t looking at that pose the greatest risk. Many companies tend to focus on the same set of third parties, and often on their larger third parties when they determine who to assess.
But according to research data, vendors with a history of being assessed are incentivized to improve, and often have more mature security programs in place. Whereas, smaller or lesser known companies may pose significant risk.
This finding makes it evident that using a scalable and repeatable approach that allows companies to review deeper layers of their vendor ecosystem is critical, because that is where significant risk often sits.
Why this matters
According to a 2020 Ponemon survey, the typical enterprise has an average of 5,800 third parties, and that number is expected to grow by 15 percent in the next year. As digital transformation continues to drive increased reliance on third parties, the criticality of third-party cyber risk management will only increase.
The report illustrates the incredible value of data to drive the prioritization and reduction of third-party risk. Replacing false positives and static assessments with standardized, validated data and insights empowers organizations to better understand their third-party ecosystem and transition from simply assessment collection to robust risk management.
While COVID-19 has created new concerns and deepened traditional challenges for IT, organizations with complete insight and governance of their technology ecosystem are better positioned to achieve their priorities, a Snow Software survey of 1,000 IT leaders and 3,000 workers in the United States, United Kingdom, Germany and Australia reveals.
The challenge of managing risk
In fact, mature technology intelligence – defined as the ability to understand and manage all technology resources – correlated to resilience and growth. Of the IT leaders classified as having mature technology intelligence, 79% were confident in their organization’s ability to weather current events and 100% indicated that innovation continues to be a strategic focus for their organization.
“The complexities, risks and budget concerns IT departments traditionally face have been exacerbated, and a rapid acceleration of digital transformation and cloud adoption has brought new issues to the forefront. Now more than ever, IT leaders need to be in a position to quickly adapt to these macro trends as they define their top technology priorities in 2021.”
Technology management has become increasingly difficult
Many IT leaders indicated increases in technology spend across the board – on software, hardware, SaaS and cloud – over the past 12 months. Faced with more complex ecosystems, it is no surprise that 63% also reported technology management had become more difficult.
As anticipated budget restrictions go into effect for 2021, IT leaders will need to demonstrate the value of their investments and ensure proper governance over their entire technology stack.
Improved employee perception of IT
Employee perception of IT has improved, but differing perceptions on technology management and procurement hint at potential issues. While 41% of workers believe that access to technology has improved, there remains a 22-point gap between IT leaders and employees on how easy it is to purchase software, applications or cloud services.
This is not the only area where IT leaders and workers have varying views. Though they agree that security is the number one issue caused by unmanaged and unaccounted for technology, awareness of additional issues drops dramatically after that, with 16% of workers believing it causes no business issues whatsoever.
The data suggests continued challenges ahead for organizations as they try to reduce risk across the board.
Vendor audits a looming but potentially underestimated risk in 2021
87% of IT leaders said they had been audited by a software vendor over the last 12 months.
The vendors that audited the most were Microsoft, IBM, Oracle, Adobe and SAP. Yet only 51% said they were concerned about audits over the next 12 months, an answer that varied wildly based on geography – 81% of US leaders said they were concerned compared to just 30% in Germany and 42% in the UK.
Based on 2020 trends as well as vendor behavior following the 2008 recession, it appears European IT leaders are significantly underestimating this risk.
Organization’s top IT priorities
Organization’s top IT priorities are inherently at odds with each other and often align with the IT department’s biggest challenges. IT leaders reported that their organization’s top priorities in 2020 were adopting new technologies (38%), reducing security risks (38%), reducing IT spend (38%).
They paralleled the biggest challenges IT leaders faced over the past 12 months with managing cybersecurity threats (43%), implementing new technologies (40%) and supporting remote work (39%). Juggling these conflicting and difficult priorities became even more complicated in light of COVID-19.
Few meeting the bar for mature technology intelligence
Strong technology intelligence enabled IT leaders to more effectively tackle their top priorities and challenges. Just 14% of IT leaders met the bar for mature technology intelligence. This elite group outpaced other respondents in their ability to support digital transformation, reduce risk, enable employees and control spend.
“As we collectively look ahead to 2021, it’s more important than ever that CIOs and IT leaders strike the right balance between managing risk and remaining agile in the face of continued unpredictability,” said Pooley.
“It is clear from the data that a comprehensive understanding of technology resources and the ability to manage them is a key differentiator. IT leaders can use the insights to endure challenging periods like the pandemic, as well as embrace innovation to drive future growth and resilience.”
Exposures and cybersecurity challenges can turn out to be costly, according to statistics from the US Department of Health and Human Services (HHS), 861 breaches of protected health information have been reported over the last 24 months.
New research from RiskRecon and the Cyentia Institute pinpointed risk in third-party healthcare supply chain and showed that healthcare’s high exposure rate indicates that managing a comparatively small Internet footprint is a big challenge for many organizations in that sector.
But there is a silver lining: gaining the visibility needed to pinpoint and rectify exposures in the healthcare risk surface is feasible.
The research and report are based on RiskRecon’s assessment of more than five million of internet-facing systems across approximately 20,000 organizations, focusing exclusively on the healthcare sector.
Healthcare has one of the highest average rates of severe security findings relative to other industries. Furthermore, those rates vary hugely across institutions, meaning the worst exposure rates in healthcare are worse than the worst exposure rates in other sectors.
Severe security findings decrease as employees increase. For example, the rate of severe security findings in the smallest healthcare providers is 3x higher than that of the largest providers.
Sub sectors vary
Sub sectors within healthcare reveal different risk trends. The research shows that hospitals have a much larger Internet surface area (hosts, providers, countries), but maintain relatively low rates of security findings. Additionally, nursing and residential care sub-sector has the smallest Internet footprint yet the highest levels of exposure. Outpatient (ambulatory) and social services mostly fall in between hospitals and nursing facilities.
Cloud deployment impacts
As digital transformation ushers in a plethora of changes, critical areas of risk exposure are also changing and expanding. While most healthcare firms host a majority of their Internet-facing systems on-prem, they do also leverage the cloud. We found that healthcare’s severe finding rate for high-value assets in the cloud is 10 times that of on-prem. This is the largest on-prem versus cloud exposure imbalance of any sector.
It must also be noted that not all cloud environments are the same. A previous RiskRecon report on the cloud risk surface discovered an average 12 times the difference between cloud providers with the highest and lowest exposure rates. This says more about the users and use cases of various cloud platforms than intrinsic security inequalities. In addition, as healthcare organizations look to migrate to the cloud, they should assess their own capabilities for handling cloud security.
The healthcare supply chain is at risk
It’s important to realize that the broader healthcare ecosystem spans numerous industries and these entities often have deep connections into the healthcare provider’s facilities, operations, and information systems. Meaning those organizations can have significant ramifications for third-party risk management.
When you dig into it, even though big pharma has the biggest footprint (hosts, third-party service providers, and countries of operation), they keep it relatively hygienic. Manufacturers of various types of healthcare apparatus and instruments show a similar profile of extensive assets yet fewer findings. Unfortunately, the information-heavy industries of medical insurance, EHR systems providers, and collection agencies occupy three of the top four slots for the highest rate of security findings.
“In 2020, Health Information Sharing and Analysis Center (H-ISAC) members across healthcare delivery, big pharma, payers and medical device manufacturers saw increased cyber risks across their evolving and sometimes unfamiliar supply chains,” said Errol Weiss, CSO at H-ISAC.
“Adjusting to the new operating environment presented by COVID-19 forced healthcare companies to rapidly innovate and adopt solutions like cloud technology that also added risk with an expanded digital footprint to new suppliers and partners with access to sensitive patient data.”
Andrew Magnusson started his information security career 20 years ago and he decided to offer the knowledge he accumulated through this book, to help the reader eliminate security weaknesses and threats within their system.
As he points out in the introduction, bugs are everywhere, but there are actions and processes the reader can apply to eliminate or at least mitigate the associated risks.
The author starts off by explaining vulnerability management basics, the importance of knowing your network and the process of collecting and analyzing data.
He explains the importance of a vulnerability scanner and why it is essential to configure and deploy it correctly, since it gives valuable infromation to successfully complete a vulnerabilty management process.
The next step is to automate the processes, which prioritizes vulnerabilities and gives time to work on more severe issues, consequently boosting an organization’s security posture.
Finally, it is time to decide what to do with the vulnerabilities you have detected, which means choosing the appropriate security measures, whether it’s patching, mitigation or systemic measures. When the risk has a low impact, there’s also the option of accepting it, but this still needs to be documented and agreed upon.
The important part of this process, and perhaps also the hardest, is building relationships within the organization. The reader needs to respect office politics and make sure all the decisions and changes they make are approved by the superiors.
The second part of the book is practical, with the author guiding the reader through the process of building their own vulnerability management system with a detailed analysis of the open source tools they need to use such as Nmap, OpenVAS, and cve-search, everything supported by coding examples.
The reader will learn how to build an asset and vulnerability database and how to keep it accurate and up to date. This is especially important when generating reports, as those need to be based on recent vulnerability findings.
Who is it for?
Practical Vulnerability Management is aimed at security practitioners who are responsible for protecting their organization and tasked with boosting its security posture. It is assumed they are familiar with Linux and Python.
Despite the technical content, the book is an easy read and offers comprehensive solutions to keeping an organization secure and always prepared for possible attacks.
Senior risk and compliance professionals within financial services company’s lack confidence in the security data they are providing to regulators, according to Panaseer.
Results from a global external survey of over 200+ GRC leaders reveal concerns on data accuracy, request overload, resource-heavy processes and lack of end-to-end automation.
The results indicate a wider issue with cyber risk management. If GRC leaders don’t have confidence in the accuracy and timeliness of security data provided to regulators, then the same holds true for the confidence in their own ability to understand and combat cyber risks.
41% of risk leaders feel ‘very confident’ that they can fulfill the security-related requests of a regulator in a timely manner. 27.5% are ‘very satisfied’ that their organization’s security reports align to regulatory compliance needs.
GRC leaders cited their top challenges in fulfilling regulator requests, as:
- Getting access to accurate data (35%)
- The number of report requests (29%)
- The length of time it takes to get information from security team (26%)
The limitations of traditional GRC tools
The issue has been perpetuated by the limitations of traditional GRC tools, which rely on qualitative questionnaires to provide evidence of compliance. This does not reflect the current challenges from cyber.
92% of senior risk and compliance professionals believe it would be valuable to have quantitative security controls assurance reporting (vs qualitative) and 93.5% believe it’s important to automate security risk and compliance reporting. However, only 11% state that their risk and compliance reporting is currently automated end to end.
96% said it is important to prioritize security risk remediation based on its impact to the business, but most can’t isolate risk to critical business processes composed of people, applications, devices. Only 33.5% of respondents are ‘very confident’ in their ability to understand all the asset inventories.
Charaka Goonatilake, CTO, Panaseer: “Faced with increasing requests from regulators, GRC leaders have resorted to throwing a lot of people at time-sensitive requests. These manual processes combined with lack of GRC tool scalability necessitates data sampling, which means they cannot have complete visibility or full confidence in the data they are providing.
“The challenge is being exacerbated by new risks introduced by IoT sensors and endpoints, which rarely consider security a core requirement and therefore introduce greater risk and increase the importance of controls and mitigations to address them.”
Andreas Wuchner, Panaseer Advisory Board member: “To face the new reality of cyberthreats and regulatory pressures requires many organizations need to fundamentally rethink traditional tools and defences.
“GRC leaders can enhance their confidence to accurately and quickly meet stakeholder needs by implementing Continuous Controls Monitoring, an emerging category of security and risk, which has just been recognised in the 2020 Gartner Risk Management Hype Cycle.”
80% of organizations experienced a cybersecurity breach that originated from vulnerabilities in their vendor ecosystem in the past 12 months, and the average organization had been breached in this way 2.7 times, according to a BlueVoyant survey.
The research also found organizations are experiencing multiple pain points across their cyber risk management program as they aim to mitigate risk across a network that typically encompasses 1409 vendors.
The study was conducted by Opinion Matters and recorded the views and experiences of 1505 CIOs, CISOs and Chief Procurement Officers in organizations with more than 1000 employees across a range of vertical sectors including business and professional services, financial services, healthcare and pharmaceutical, manufacturing, utilities and energy. It covered five countries: USA, UK, Mexico, Switzerland and Singapore.
Third-party cyber risk budgets and other key findings
- 29% say they have no way of knowing if cyber risk emerges in a third-party vendor
- 22.5% monitor their entire supply chain
- 32% only re-assess and report their vendor’s cyber risk position either six-monthly or less frequently
- The average headcount in internal and external cyber risk management teams is 12
- 81% say that budgets for third-party cyber risk management are increasing, by an average figure of 40%
Commenting on the research findings, Jim Penrose, COO BlueVoyant, said: “That four in five organizations have experienced recent cybersecurity breaches originating in their vendor ecosystem is of huge concern.
“The research clearly indicated the reasons behind this high breach frequency: only 23% are monitoring all suppliers, meaning 77% have limited visibility and almost one-third only re-assess their vendors’ cyber risk position six-monthly or annually. That means in the intervening period they are effectively flying blind to risks that could emerge at any moment in the prevailing cyber threat environment.”
Multiple pain points exist in third-party cyber risk programs as budgets rise
Further insight into the difficulties that are leading to breaches was revealed when respondents were asked to identify the top three pain points related to their third-party cyber risk programs, in the past 12 months.
The most common problems were:
- Managing the volume of alerts generated by the program
- Working with suppliers to improve security performance, and
- Prioritizing which risks are urgent and which are not.
However, overall responses were almost equally spread across thirteen different areas of concern. In response to these issues, budgets for third-party cyber risk programs are set to rise in the coming year. 81% of survey respondents said they expect to see budgets increase, by 40% on average.
Jim Penrose continues: “The fact that cyber risk management professionals are reporting difficulties across the board shows the complexity they face in trying to improve performance.
“It is encouraging that budget is being committed to tackling the problem, but with so many issues to solve many organizations will find it hard to know where to start. Certainly, the current approach is not working, so simply trying to do more of the same will not shift the dial on third-party cyber risk.”
Variation across industry sectors
Analysis of the responses from different commercial sectors revealed considerable variations in their experiences of third-party cyber risk. The business services sector is suffering the highest rate of breaches, with 89% saying they have been breached via a weakness in a third-party in the past 12 months.
The average number of incidents experienced in the past 12 months was also highest in this sector, at 3.6. This is undoubtedly partly down to the fact that firms in the sector reported working with 2572 vendors, on average.
In contrast, only 57% of respondents from the manufacturing sector said they had suffered third-party cyber breaches in the past 12 months. The sector works with 1325 vendors on average, but had a much lower breach frequency, at 1.7.
“Thirteen percent of respondents from the manufacturing sector also reported having no pain points in their third-party cyber risk management programs, a percentage more than twice as high as any other sector.
Commenting on the stark differences observed between sectors, Jim Penrose said: “This underlines that there is no one-size-fits-all solution to managing third-party cyber risk.
“Different industries have different needs and are at varying stages of maturity in their cyber risk management programs. This must be factored into attempts to improve performance so that investment is directed where it has the greatest impact.”
Mix of tools and tactics in play
The survey investigated the tools organizations have in place to implement third-party cyber risk management and found a mix of approaches with no single approach dominating.
Many organizations are evolving towards a data-driven strategy, with supplier risk data and analytics in use by 40%. However static, point-in-time tactics such as on-site audits and supplier questionnaires remain common.
Jim Penrose concludes: “Overall the research findings indicate a situation where the large scale of vendor ecosystems and the fast-changing threat environment is defeating attempts to effectively manage third-party cyber risk in a meaningful way.
“Visibility into such a large and heterogenous group of vendors is obscured due to lack of resources and a continuing reliance on manual, point-in-time processes, meaning real-time emerging cyber risk is invisible for much of the time.
“For organizations to make meaningful progress in managing third-party cyber risk and reduce the current concerning rate of breaches, they need to be pursuing greater visibility across their vendor ecosystem and achieving better context around alerts so they can be prioritized, triaged and quickly remediated with suppliers.”
BigPanda revealed the results of an IDG Research survey conducted in the early days of the pandemic. The study explores challenges IT Ops, NOC, DevOps and SRE teams face as their organizations race to capture the digital-led market.
The results of the survey show that, in addition to managing complex and ever-changing IT environments with many different tools, teams are now plagued with an increasing volume of IT incidents and outages which results in customer churn and costly service outages.
“An influx of data from multiple tools, coupled with low levels of automation, can have a paralyzing effect on IT incident management processes,” said Jen Garofalo, IDG’s Research Director.
“More than 40% of respondents indicate IT incident remediation is handled with a mix of manual and automated processes, while another 20% report these processes are mostly manual.”
Complex environments lead to longer incident management cycles
22% of respondents have 20 or more distinct IT teams supporting the different IT and business services at their organizations. On average, enterprises use 20 different monitoring and observability tools to detect potential issues with infrastructure, applications and services.
The average respondent reports that infrastructure is hosted in more than one location including on-premises infrastructure (60%), public cloud (57%), private cloud (47%) and commercial data centers (24%).
47% of IT Ops professionals said coordinating IT incident or outage detection, analysis, and response across siloed IT teams is the biggest challenge they face. Reasons why include:
- More than 14,000 alerts are generated from IT monitoring tools on average, and 65% of respondents report that alerts have increased in frequency over the past 12 months.
- 44% of alerts are caused by infrastructure or software changes made by someone in the organization who doesn’t have visibility across all systems to understand the impact of their change.
- Respondents report an average of 12 hours to determine the root cause of a P1 (major) incident.
- Further, the survey uncovered the largest business impacts of IT incident management challenges, including increased operating costs (43%), delays in time to market (42%) and decreased IT Ops productivity (41%).
While all of this is happening, more applications are being built and put into production — 74% of respondents expect Development/DevOps workloads to increase over the next 12 months, with 30% expecting a significant increase.
“For a variety of reasons, the COVID-19 pandemic is accelerating the pace at which enterprises are digitally transforming. This, in turn, increases the challenge facing IT Operations teams to keep their companies running smoothly,” said Assaf Resnick, CEO for BigPanda.
“The IDG report clearly shows that corporate executives are not just driving business teams to increase their digital footprint – they are doubling-down on IT’s parallel effort to adopt AI and automation in order to support those new revenue-generating initiatives.”
Budgets for IT operations expected to increase
79% of respondents expect budgets for IT operations to increase over the next 12 months (34% significantly, 45% somewhat). This will be reflected in multiple areas including automating IT incident management, increasing communication/knowledge sharing and improving IT monitoring and event correlation, all of which were cited by more than 50% of respondents.
Meanwhile, most respondents have heard the term AIOps, and 44% are considering or already have a solution with AIOps in place. Those who are considering or already have a solution with AIOps in place are most likely to leverage it to automate IT incident response.
Overall, respondents are most interested in the potential to leverage AIOps to accelerate IT incident and outage resolution.
In the end, the survey confirmed that modern and constantly evolving IT environments require a best-of-breed IT operations toolkit.
71% of CISOs believe cyberwarfare is a threat to their organization, and yet 22% admit to not having a strategy in place to mitigate this risk. This is especially alarming during a period of unprecedented global disruption, as 50% of infosec professionals agree that the increase of cyberwarfare will be detrimental to the economy in the next 12 months.
CISOs and infosec professionals however are shoring up their defenses — with 51% and 48% respectively stating that they believe they will need a strategy against cyberwarfare in the next 12-18 months.
These findings, and more, are revealed in Bitdefender’s global 10 in 10 Study, which highlights how, in the next 10 years, cybersecurity success lies in the adaptability of security decision makers, while simultaneously looking back into the last decade to see if valuable lessons have already been learnt about the need to make tangible changes in areas such as diversity.
It explores, in detail, the gap between how security decision makers and infosec professionals view the current security landscape and reveals the changes they know they will need to make in the upcoming months and years of the 2020s.
The study takes into account the views and opinions of more than 6,724 infosec professionals representing a broad cross-section of organizations from small 101+ employee businesses to publicly listed 10,000+ person enterprises in a wide variety of industries, including technology, finance, healthcare and government.
The rise and fall (and rise again) of ransomware
Outside of the rise of cyberwarfare threats, an old threat is rearing its head — ransomware. During the disruption of 2020, ransomware has surged with as much as 43% of infosec professionals reporting that they are seeing a rise in ransomware attacks.
What’s more concerning is that 70% of CISOs/CIOs and 63% of infosec professionals expect to see an increase in ransomware attacks in the next 12-18 months. This is of particular interest as 49% of CISOs/CIOs and 42% of infosec professionals are worried that a ransomware attack could wipe out the business in the next 12-18 months if they don’t increase investment in security.
But what is driving the rise in ransomware attacks? Some suggest it’s because more people are working from home — which makes them an easier target outside of the corporate firewall. The truth might however be tied to money.
59% of CISOs/CIOs and 50% of infosec professionals believe that the business they work for would pay the ransom in order to prevent its data/information from being published — making ransomware a potential cash cow.
A step change in communication is in high demand
Cyberwarfare and ransomware are complex topics to unpack, amongst many others in infosec. The inherent complexity of infosec topics does however make it hard to gain internal investment and support for projects. This is why infosec professionals believe a change is needed.
In fact, 51% of infosec professionals agree that in order to increase investment in cybersecurity, the way that they communicate about security has to change dramatically. This number jumps up to 55% amongst CISOs and CIOs — many of whom have a seat at the most senior decision-making table in their organizations.
The question is, what changes need to be made? 41% of infosec professionals believe that in the future more communication with the wider public and customers is needed so everyone, both in and organization and outside, better understands the risks.
In addition, 38% point out that there is a need for the facilitation of better communication with the C-suite, especially when it comes to understanding the wider business risks.
And last, but not least, as much as 31% of infosec professionals believe using less technical language would help the industry communicate better, so that the whole organization could understand the risks and how to stay protected.
“The reason that 63% of infosec professionals believe that cyberwarfare is a threat to their organization is easy,” said Neeraj Suri, Distinguished Professorship and Chair in Cybersecurity at Lancaster University.
“Dependency on technology is at an all-time high and if someone was to take out the WiFi in a home or office, no one would be able to do anything. This dependency wasn’t there a few years back–it wasn’t even as high a few months back.
“This high dependency on technology doesn’t just open the door for ransomware or IoT threats on an individual level, but also to cyberwarfare which can be so catastrophic it can ruin economies.
“The reason that nearly a quarter of infosec pros don’t currently have a strategy to protect against cyberwarfare is likely because of complacency. Since they haven’t suffered an attack or haven’t seen on a wide scale–the damage that can be done–they haven’t invested the time in protecting against it.”
Diversity, and specifically neurodiversity, is key to future success
Outside of the drastic changes that are needed in the way cybersecurity professionals communicate, there’s also a need to make a change within the very makeup of the workforce. The infosec industry as a whole has long suffered from a skills shortage, and this looks to remain an ongoing and increasingly obvious issue.
15% of infosec professionals believe that the biggest development in cybersecurity over the next 12-18 months will be the skills gap increasing. If the skills deficit continues for another five years, 28% of CISOs and CIOs say they believe that it will destroy businesses.
And another 50% of infosec professionals believe that the skills gap will be seriously disruptive if it continues for the next 5 years.
Today, however, it will take more than just recruiting skilled workers to make a positive change and protect organizations. In 2015, 52% of infosec workers would have agreed that there is a lack of diversity in cybersecurity and that it’s a concern.
Five years later, in 2020, this remains exactly the same — and that is a significant problem as 40% of CISOs/CIOs and infosec professionals say that the cybersecurity industry should reflect the society around it to be effective.
What’s more, 76% of CISOs/CIOs, and 72% of infosec professionals, believe that there is a need for a more diverse skill set among those tackling cybersecurity tasks. This is because 38% of infosec professionals say that neurodiversity will make cybersecurity defenses stronger, and 33% revealed a more neurodiverse workforce will level the playing field against bad actors.
While it’s clear that the cybersecurity skills gap is here to stay, it’s also clear why changes need to be made to the makeup of the industry.
Liviu Arsene, Global Cybersecurity Researcher at Bitdefender concludes, “2020 has been a year of change, not only for the world at large, but for the security industry. The security landscape is rapidly evolving as it tries to adapt to the new normal, from distributed workforces to new threats. Amongst the new threats is cyberwarfare.
“It’s of great concern to businesses and the economy — and yet not everyone is prepared for it. At the same time, infosec professionals have had to keep up with new threats from an old source, ransomware, that can affect companies’ bottom lines if not handled carefully.
“The one thing we know is that the security landscape will continue to evolve. Changes will happen, but we can now make sure they happen for better and not for worse. To succeed in the new security landscape, the way we as an industry talk about security has to become more accessible to a wider audience to gain support and investment from within the business.
“In addition, we have to start thinking about plugging the skills gap in a different way — we have to focus on diversity, and specifically neurodiversity, if we are to stand our ground and ultimately defeat bad actors.”
Only 44% of healthcare providers, including hospital and health systems, conformed to protocols outlined by the NIST CSF – with scores in some cases trending backwards since 2017, CynergisTek reveals.
Healthcare providers and NIST CSF
Analysts examined nearly 300 assessments of provider facilities across the continuum, including hospitals, physician practices, ACOs and Business Associates.
The report also found that healthcare supply chain security is one of the lowest ranked areas for NIST CSF conformance. This is a critical weakness, given that COVID-19 demonstrated just how broken the healthcare supply chain really is with providers buying PPE from unvetted suppliers.
“We found healthcare organizations continue to enhance and improve their programs year-over-year. The problem is they are not investing fast enough relative to an innovative and well-resourced adversary,” said Caleb Barlow, CEO of CynergisTek.
“These issues, combined with the rapid onset of remote work, accelerated deployment of telemedicine and impending openness of EHRs and interoperability, have set us on a path where investments need to be made now to shore up America’s health system.
“However, the report isn’t all doom and gloom. Organizations that have invested in their programs and had regular risk assessments, devised a plan, addressed prioritized issues stemming from the assessments and leveraged proven strategies like hiring the right staff and evidence-based tools have seen significant improvements to their NIST CSF conformance scores.”
Bigger budgets don’t mean better security performance
The report revealed bigger healthcare institutions with bigger budgets didn’t necessarily perform better when it comes to security, and in some cases, performed worse than smaller organizations or those that invested less.
In some cases, this was a direct result of consolidation where systems directly connect to newly-acquired hospitals without first shoring up their security posture and conducting a compromise assessment.
“What our report has uncovered over recent years is that healthcare is still behind the curve on security. While healthcare’s focus on information security has increased over the last 15 years, investment is still lagging. In the age of remote working and an attack surface that has exponentially grown, simply maintaining a security status quo won’t cut it,” said David Finn, EVP of Strategic Innovation at CynergisTek.
“The good news is that issues emerging in our assessments are largely addressable. The bad news is that it is going to require investment in an industry still struggling with financial losses from COVID-19.”
Leading factors influencing performance include poor security planning and lack of organizational focus, inadequate reporting structures and funding, confusion around priorities, lack of staff and no clear plan.
Key strategies to bolster healthcare security and achieve success
Look under the hood at security and privacy amid mergers and acquisitions: For health systems planning to integrate new organizations into the fold through mergers and acquisitions, leadership should look under the hood and be more diligent when examining the organization’s security and privacy infrastructure, measures and performance.
It’s important to understand their books and revenue streams as well as their potential security risks and gaps to prevent these issues from becoming liabilities.
Make security an enterprise priority: While other sectors like finance and aerospace have treated security as an enterprise-level priority, healthcare must also make this kind of commitment.
Understanding how these risks tie to the bigger picture will help an organization that thinks it cannot afford to invest in privacy and information security risk management activities understand why making such an investment is crucial.
Hospitals and healthcare organizations should create collaborative, cross-functional task forces like enterprise response teams, which offer other business units an eye-opening look into how security and privacy touch all parts of the business including financial, HR, and more.
Money isn’t a solution: Just throwing money at a problem doesn’t work. Security leaders need to identify priorities and have a plan which leverages talent, tried and true strategies like multi-factor authentication, privileged access management and on-going staff training to truly up level their defenses and take a more holistic approach, especially when bringing on new services such as telehealth.
Accelerate the move to cloud: While healthcare has traditionally been slow to adopt the cloud, these solutions provide the agility and scalability that can help leaders cope with situations like COVID-19, and other crises more effectively.
Shore up security posture: We frequently learn the hard way that security can disrupt workflow. COVID-19 taught us that workflow can also disrupt security and things are going to get worse before getting better. Get an assessment quickly to determine immediate needs and coming up with a game plan to bolster defenses needed in this next normal.
Hackers are targeting everyone and taking advantage of fear, uncertainty, and a 24/7 news cycle that can dwell on a single theme for weeks on end. The victim pool includes everyone from the global remote workforce (some working in industries that didn’t know remote work was even feasible), to essential workers in labs working on vaccines or treatment plans for COVID-19.
According to Microsoft, phishing and social engineering attacks have jumped to 30,000 a day, and extremely sophisticated levels of ransomware attacks are up 800%. Ransomware’s latest tactic is a conversion to doxware. Attackers steal company data before encrypting it and threaten to reveal that your organization has been hacked and that sensitive customer data has been compromised. So even if you have backups and don’t pay the hackers, your reputation is still at risk.
As ransomware attacks become more frequent, IT and information security leaders often end up pointing fingers at each other after a cyber-attack. And there are many fingers in the room, adding to the chaos, trying to avoid responsibility, and deflecting ownership of the problem to other stakeholders.
The CISO has the biggest finger, but should point carefully
A recent WSJ article talked about how CISOs are now being elevated to corporate leadership roles. We are currently witnessing a growing epidemic of cyber risk. Today more than ever, CISOs can use their influence to do more than just drive technological change by piercing the silos across the enterprise.
But it’s going to take a completely different method of communicating. The outcome must be seen much faster and it must clearly demonstrate greater cyber maturity and resilience in such a way that it can’t be disputed. In a nutshell, this means that cybersecurity must be spoken about in business terms, in dollars and cents, not bits and bytes.
This has often not been the case. Before the pandemic, it wasn’t unusual for a CISO to walk into a CFO’s office and have a budget conversation with a color quadrant of red, yellow, and green. Security vulnerabilities in red needed the most attention and would require immediate investment. Success would mean having less red and yellow on the chart. Vying for this type of security progress through vague risk reduction was enough to get approval for the latest technology and address control deficiencies and alleviate other impending threats.
The days of vague cyber plans and investments are over
In June, the International Monetary Fund forecasted that the global GDP will suffer a 4.9 percent contraction this year.
American credit rating agency Fitch Ratings announced that the number of defaults in the first five months exceeded the total for 2019 and that the pandemic fallout will erase $5 trillion more. There is no doubt that budgets will be more closely scrutinized in this global contraction. In 2020 and beyond, an entire cybersecurity program must answer the critical question: “Can you put a number on this technology investment?”
Choose the right tools
In order to validate cyber investment with a cyber budget holder, one must first understand cyber event types the organization may face and the range of business assets and operations in question.
Conversations around cyber risk management are often centered around estimating both the probability and impact of a risk event. Using cyber risk analysis centered around probability is alluring because we all want to know the future. When you can predict your cyber future, it becomes very easy to prioritize what risks require more attention. So, considering that most organizations have limited resources, one magic number can give leaders confidence in how their cybersecurity programs are optimized and make them look good to leadership across the enterprise. It seems like a good approach now with shrinking budgets.
However, it’s not enough.
A focus on probability can be misleading and even perilous for analyzing high-impact low-frequency events, such as a large data breach or data destruction event. The tools a leader chooses should look at the big picture in a collaborative and flexible manner that includes input from the entire enterprise. This will allow decisions to be made faster and more accurately.
I’d recommend an approach to cyber risk investment grounded in financial impact analysis, that allows leaders from every business unit to weigh in on what operations and outcomes the company needs to prioritize and determine plausible cyber incidents that could disrupt business operations and their assets.
These financial impacts help inform business decisions such as insurance purchases, investing in controls and more. These costs should be categorized depending on who is affected (and what type of impact it is). And the company should be able to optimize the entire portfolio of controls by playing out how changing one or more controls will impact their exposure. With this kind of methodology, a CISO can quickly determine if it’s cheaper to implement a control or buy insurance or put a number on impact (and sleep better at night if it’s relatively low).
CISOs now have a golden opportunity to take advantage of their publicity and show the organization (and the world) that even in times of uncertainty, cybersecurity investment can be managed quickly and bring a much-needed structure in these times.
The cybersecurity skills shortage means that many organizations are in urgent need of talented and experienced security professionals. This has been intensified by the pandemic, with security teams stretched to breaking point trying to secure new remote working regimes against the influx of opportunistic cyberattacks. There is a human cost to this high-pressure environment and new research from SIRP shows that the additional burdens placed on security operations center (SOC) teams due to COVID-19 has … More
The post Security teams stretched to breaking point trying to secure new remote working regimes appeared first on Help Net Security.
Aligning security and delivery at a strategic level is one of the most complex challenges for executives. It starts with an understanding that risk-based thinking should not be perceived as an overhead or tax, but a value added component of creating a high-quality product or service.
One solution is balanced development automation, which is about aligning automated DevOps (development and IT operations) pipelines with business risk and compliance. To attain this, alignment must be achieved between risk and business teams at two different levels:
1. Strategic level (CEO, COO, CFO, CRO, CIO, DPO)
2. Operational level (DevOps engineers, risk engineers)
The strategic level is more focused on delivery of business value, customer needs, risk, regulations, compliance, and so on. The operational level is focused on aligning to governance protocols like risk thresholds, delivery timelines, and automation during the build phases of business value creation.
Achieving alignment at the strategic level
At the executive level, both sides of business and risk need to concentrate on quality first – only then does it make sense to go about balancing risk and speed. Otherwise, risk and speed wind up as the only concerns and that risks poor quality showing up in products and services at the end of the line.
The end of the line in any process is where the actual customer that receives the value from a product or service experiences the touchpoint with your portfolio of valued items. It is there that perceived value needs to have the appropriate operational indicators. Some refer to these as customer-driven metrics. These are the ones that can measure Operational Key Results in alignment with operational risk metrics.
Once executive alignment is achieved on quality, the next step is to measure against key strategic customer metrics like attrition and satisfaction. This gives an indication of the value customers receive from a product or service. Organizations should think about appropriate high level metrics and measurements at the end of the development lifecycle, risk thresholds, and how these map to their customer. I consider these as the “parent” metrics.
After that, consider “child” metrics in the plan, delivery, and operation of DevOps – from here, governance and speed will come into play. A key problem today is the self-attestation audit activity at the end of the line process, which is hard to validate. This just doesn’t integrate well with a DevOps process because the measurement is reactive and coming too far down the pipeline. Worse yet, going back and fixing risk issues later on gets perceived as getting in the way. What needs to happen is a shift to the left of the development process where risk is measured early and often.
As organizations evolve into a more digital set of processes, this shift left is critical to understanding those key measurements from the beginning of the lifecycle. Otherwise, junk at the beginning will just automate junk faster all the way down the line. Eventually, there will be a higher price to pay for poor quality.
Achieving alignment at the operational level
Operationally, challenges stem from misalignment in understanding who the end customer really is. Companies often design products and services for themselves and not for the end customer. Once an organization focuses on the end user and how they are going to use that product and service, the shift in thinking occurs. Now it’s about looking at what activities need to be done to provide value to that end customer.
Thinking this way, there will be features, functions, and processes never done before. In the words of Stephen Covey, “Keep the main thing the main thing”. What is the main thing? The customer. What features and functionality do you need for each of them from a value perspective? And you need to add governance to that.
Effective governance ensures delivery of a quality product or service that meets your objectives without monetary or punitive pain. The end customer benefits from that product or service having effective and efficient governance.
That said, heavy governance is also waste. There has to be a tension and a flow or a balance between Hierarchical Governance and Self Governance where the role of every person in the organization is clearly aligned in their understanding of value contributed to the end customer. With that, employees and contractors alike feel empowered and purposeful in their work and contributions.
Once the customer value proposition is clearly identified, organizations can identify how day to day operations contribute value to that end customer in an efficient way. This is where lean thinking helps, looking for ways to reduce waste in the value creation process. If something is not a part of the value proposition, is it necessary? If something is missing that would add significant value, how can we add it? This will lead to an alignment that drives value creation.
Delivering on DevOps speed is no longer good enough. Organizations also need to balance the need for speed against regulatory, compliance, and security concerns—and we need to do this fast and first. If a firm can’t get there fast through re-structure of an operating model and associated skills, it is best to have SCRUM Masters trained in LEAN and Six Sigma, TOGAF, and assorted Cybersecurity GRC Frameworks to helps you through iterations. I call that the big “Iterative, Fast and First” (IFF) principle of GRC by Design.
Are the activities an organization is conducting offering something of value to the business? Answering this question has implications for both strategic and operational teams. The business value context sets up alignment with the end customer and drives value at each stage through balanced development automation.
One of the cornerstones of a security leader’s job is to successfully evaluate risk. A risk assessment is a thorough look at everything that can impact the security of an organization. When a CISO determines the potential issues and their severity, measures can be put in place to prevent harm from happening.
To select a suitable risk assessment solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Jaymin Desai, Offering Manager, OneTrust
First, consider what type of assessments or control content as frameworks, laws, and standards are readily available for your business (e.g., NIST, ISO, CSA CAIQ, SIG, HIPAA, PCI DSS, NYDFS, GDPR, EBA, CCPA). This is an area where you can leverage templates to bypass building and updating your own custom records.
Second, consider the assessment formats. Look for a technology that can automate workflows to support consistency and streamline completion. This level of standardization helps businesses scale risk assessments to the line of business users. A by-product of workflow-based structured evaluations is the ability to improve your reporting with reliable and timely insights.
One other key consideration is how the risk assessment solution can scale with your business? This is important in evaluating your efficiencies overtime. Are the assessments static exports to excel, or can they be integrated into a live risk register? Can you map insights gathered from responses to adjust risk across your assets, processes, vendors, and more? Consider the core data structure and how you can model and adjust it as your business changes and your risk management program matures.
The solution should enable you to discover, remediate, and monitor granular risks in a single, easy-to-use dashboard while engaging with the first line of your business to keep risk data current and context-rich with today’s information.
Brenda Ferraro, VP of Third Party Risk, Prevalent
The right risk assessment solution will drive program maturity from compliance, to data breach avoidance, to third-party risk management.
There are seven key fundamentals that must be considered:
- Network repository: Uses the ‘fill out once, use with many approach’ to rapidly obtain risk information awareness.
- Vendor risk visibility: Harmonizes inside-out and outside-in vendor risk and proactively shares actionable insights to enhanced decision-making on prioritization, remediation, and compliance.
- Flexible automation: Helps the enterprise to place focus quickly and accurately on risk management, not administrative tasks, to reduce third-party risk management process costs.
- Enables scalability: Adapts to changing processes, risks, and business needs.
- Tangible ROI: Reduces time and costs associated with the vendor management lifecycle to justify cost.
- Advisory and managed services: Has subject matter experts to assist with improving your program by leveraging the solution.
- Reporting and dashboards: Provides real-time intelligence to drive more informed, risk-based decisions internally and externally at every business level.
The right risk assessment solution selection will enable dynamic evolution for you and your vendors by using real-time visibility into vendor risks, more automation and integration to speed your vendor assessments, and by applying an agile, process-driven approach to successfully adapt and scale your program to meet future demands.
Fred Kneip, CEO, CyberGRX
Organizations should look for a scalable risk assessment solution that has the ability to deliver informed risk-reducing decision making. To be truly valuable, risk assessments need to go beyond lengthy questionnaires that serve as a check the box exercises that don’t provide insight and they need to go beyond a simple outside in rating that, alone, can be misleading.
Rather, risk assessments should help you to collect accurate and validated risk data that enables decision making, and ultimately, allow you to identify and reduce risk ecosystem at the individual level as well as the portfolio level.
Optimal solutions will help you identify which vendors pose the greatest risk and require immediate attention as well as the tools and data that you need to tell a complete story about an organization’s third-party cyber risk efforts. They should also help leadership understand whether risk management efforts are improving the organization’s risk posture and if the organization is more or less vulnerable to an adverse cyber incident than it was last month.
Jake Olcott, VP of Government Affairs, BitSight
Organizations are now being held accountable for the performance of their cybersecurity programs, and ensuring businesses have a strong risk assessment strategy in place can have a major impact. The best risk assessment solutions meet four specific criteria— they are automated, continuous, comprehensive and cost-effective.
Leveraging automation for risk assessments means that the technology is taking the brunt of the workload, giving security teams more time back to focus on other important tasks to the business. Risk assessments should be continuous as well. Taking a point-in-time approach is inadequate, and does not provide the full picture, so it’s important that assessments are delivered on an ongoing basis.
Risk assessments also need to be comprehensive and cover the full breadth of the business including third and fourth party risks, and address the expanding attack surface that comes with working from home.
Lastly, risk assessments need to be cost-effective. As budgets are being heavily scrutinized across the board, ensuring that a risk assessment solution does not require significant resources can make a major impact for the business and allow organizations to maximize their budgets to address other areas of security.
Mads Pærregaard, CEO, Human Risks
When you pick a risk assessment tool, you should look for three key elements to ensure a value-adding and effective risk management program:
1. Reduce reliance on manual processes
2. Reduce complexity for stakeholders
3. Improve communication
Tools that rely on constant manual data entry, remembering to make updates and a complicated risk methodology will likely lead to outdated information and errors, meaning valuable time is lost and decisions are made too late or on the wrong basis.
Tools that automate processes and data gathering give you awareness of critical incidents faster, reducing response times. They also reduce dependency on a few key individuals that might otherwise have responsibility for updating information, which can be a major point of vulnerability.
Often, non-risk management professionals are involved with or responsible for implementation of mitigating measures. Look for tools that are user-friendly and intuitive, so it takes little training time and teams can hit the ground running.
Critically, you must be able to communicate the value that risk management provides to the organization. The right tool will help you keep it simple, and communicate key information using up-to-date data.
Steve Schlarman, Portfolio Strategist, RSA Security
Given the complexity of risk, risk management programs must rely on a solid technology infrastructure and a centralized platform is a key ingredient to success. Risk assessment processes need to share data and establish processes that promote a strong governance culture.
Choosing a risk management platform that can not only solve today’s tactical issues but also lay a foundation for long-term success is critical.
Business growth is interwoven with technology strategies and therefore risk assessments should connect both business and IT risk management processes. The technology solution should accelerate your strategy by providing elements such as data taxonomies, workflows and reports. Even with best practices within the technology, you will find areas where you need to modify the platform based on your unique needs.
The technology should make that easy. As you engage more front-line employees and cross-functional groups, you will need the flexibility to make adjustments. There are some common entry points to implement risk assessment strategies but you need the ability to pivot the technical infrastructure towards the direction your business needs.
You need a flexible platform to manage multiple dimensions of risk and choosing a solution provider with the right pedigree is a significant consideration. Today’s risks are too complex to be managed with a solution that’s just “good enough.”
Yair Solow, CEO, CyGov
The starting point for any business should be clarity on the frameworks they are looking to cover both from a risk and compliance perspective. You will want to be clear on what relevant use cases the platform can effectively address (internal risk, vendor risk, executive reporting and others).
Once this has been clarified, it is a question of weighing up a number of parameters. For a start, how quickly can you expect to see results? Will it take days, weeks, months or perhaps more? Businesses should also weigh up the quality of user experience, including how difficult the solution is to customize and deploy. In addition, it is worth considering the platform’s project management capabilities, such as efficient ticketing and workflow assignments.
Usability aside, there are of course several important factors when it comes to the output itself. Is the data produced by the solution in question automatically analyzed and visualized? Are the automatic workflows replacing manual processes? Ultimately, in order to assess the platform’s usefulness, businesses should also be asking to what extent the data is actionable, as that is the most important output.
This is not an exhaustive list, but these are certainly some of the fundamental questions any business should be asking when selecting a risk assessment solution.
A number of organizations face shortcomings in monitoring and securing their cloud environments, according to a Tripwire survey of 310 security professionals.
76% of security professionals state they have difficulty maintaining security configurations in the cloud, and 37% said their risk management capabilities in the cloud are worse compared with other parts of their environment. 93% are concerned about human error accidentally exposing their cloud data.
Few orgs assessing overall cloud security posture in real time
Attackers are known to run automated searches to find sensitive data exposed in the cloud, making it critical for organizations to monitor their cloud security posture on a recurring basis and fix issues immediately.
However, the report found that only 21% of organizations assess their overall cloud security posture in real time or near real time. While 21% said they conduct weekly evaluations, 58% do so only monthly or less frequently. Despite widespread worry about human errors, 22% still assess their cloud security posture manually.
“Security teams are dealing with much more complex environments, and it can be extremely difficult to stay on top of the growing cloud footprint without having the right strategy and resources in place,” said Tim Erlin, VP of product management and strategy at Tripwire.
“Fortunately, there are well-established frameworks, such as CIS benchmarks, which provide prioritized recommendations for securing the cloud. However, the ongoing work of maintaining proper security controls often goes undone or puts too much strain on resources, leading to human error.”
Utilizing a framework to secure the cloud
Most organizations utilize a framework for securing their cloud environments – CIS and NIST being two of the most popular – but only 22% said they are able to maintain continuous cloud security compliance over time.
While 91% of organizations have implemented some level of automated enforcement in the cloud, 92% still want to increase their level of automated enforcement.
Additional survey findings show that automation levels varied across cloud security best practices:
- Only 51% have automated solutions that ensure proper encryption settings are enabled for databases or storage buckets.
- 45% automatically assess new cloud assets as they are added to the environment.
- 51% have automated alerts with context for suspicious behavior.
New research shows almost three quarters of large businesses believe remote working policies introduced to help stop the spread of COVID-19 are making their companies more vulnerable to cyberattacks. You need to take steps to protect the remote workforce AT&T’s study of 800 cybersecurity professionals across the UK, France and Germany shows that while 88% initially felt well prepared for the migration, 55% now believe widespread remote working is making their companies more or much … More
The post Many companies have not taken basic steps to protect their remote workforce appeared first on Help Net Security.