A CISO’s responsibility has shifted immensely over the past few years. Security leaders are now responsible for a multitude of attack surfaces across applications, cloud and infrastructure assets. In today’s digital-first world, there are more attack surfaces than ever. In fact, according to a recent Trend Micro report, nearly half of IT and business leaders said that the expanding attack surface is “spiraling out of control.” But throwing even more tooling and people at the issue doesn’t address the underlying problem. The real problem lies in a disconnect between the teams, processes and tools that a CISO probably already has in place.
Addressing this disconnect isn’t possible until we first answer these questions:
What cyber surfaces create risk, and how can we assess it at scale?
What risk is relevant to your specific business or organization?
How tolerant can you be of unmitigated risk?
What teams and tools need to be aligned to effectively and efficiently mitigate risk?
As a security leader responsible for orchestrating all the moving parts of your cyber risk management strategy, you need clear answers to these questions if you’re going to have a shot at minimizing and eliminating critical risk. But where do we start?
These seven steps will move your teams toward more effective cyber risk mitigation, eliminating or containing the vulnerability risk that poses the biggest threat to your business. The steps are consolidation, correlation, enrichment, prioritization, orchestration, collaboration and reporting. Read on to learn how IT security organizations at companies like Snowflake, Mandiant, Chick-fil-A, Zoom, Skechers and Anaplan have gone from “spiraling out of control” to comfortably managing the lifecycle of the vulnerability risk most pertinent to their organization.
The days of narrowly defined processes and roles to manage cyber risk and vulnerabilities are gone. We already have in our arsenal a wide array of scanners shining the spotlight on individual vulnerabilities, but these tools only send teams on a wild goose chase without a consolidated view of vulnerability risk across all assets and cyber surfaces. In fact, recent research conducted by Pulse and Vulcan Cyber revealed that 78% of IT security leaders agree that vendor consolidation would lead to better security. Security teams need a way to accommodate multiple scan, asset and threat intelligence sources to deliver a focused data stream presented in a common risk language that all teams can understand and act upon.
Once risk data is compiled from the pertinent sources, your team needs a way to simplify and deduplicate the vulnerability data and associate it with specific assets and business groupings. This step means taking unified action on a handful of vulnerabilities affecting the same assets, rather than blindly attending to each and every vulnerability without context. Your cyber risk management program should streamline this process so that vulnerabilities are viewed as related groups rather than as isolated instances.
Once you’ve gotten your vulnerability and risk data under control and organized, the next step in an effective cyber risk management lifecycle is intelligent enrichment. This is where most vulnerability management platforms and solutions fall short. Identifying and prioritizing vulnerabilities is critical, but without the right context and guidance, many organizations struggle with what to do next. For CISOs and other security professionals in charge of risk reduction, the necessary next step to a successful vulnerability and risk management process is enriching the data with all relevant threat context and expert-driven remediation intelligence. But taking the time to manually add relevant threat context, and to research and verify remediation options, is simply not viable. To start simplifying the complex risk management processes security teams struggle with, automated, smart data enrichment is a must.
Every organization has its own DNA made up of distinct business and operating priorities, its own mix of applications and infrastructure, and a unique combination of potential attack surface and acceptable risk. But too many legacy vulnerability management programs treat all risk assessment as the same. They’re still dependent on static risk ratings that lack the relevant context and threat intelligence to accurately prioritize which vulnerabilities to address first based on actual risk. Recent Vulcan Cyber research found that 86% of IT and security executives still rely on third-party vulnerability severity data to prioritize vulnerabilities. This next stage addresses the question: “What risk actually matters most to our business?” In this step, your team needs to align your prioritization strategy to customizable logical categories like business unit, network segment, application and/or asset type, compliance requirements or any other grouping relevant to your environment.
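To make the consolidation, correlation, enrichment and prioritization steps concrete, here is an added Python example (not from the article or from any vendor product) that runs two constructed scanner feeds through that pipeline and shows how context-weighted ranking differs from ranking by the scanner's static severity alone. The scanner records, asset inventory, exploit feed, CVE ids and scoring weights are all constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data; the CVE ids below are placeholders, not real advisories.
SCAN_A = [  # hypothetical scanner 1 reports findings by hostname
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3},
    {"host": "db-01", "cve": "CVE-0000-0003", "cvss": 7.5},
]
SCAN_B = [  # hypothetical scanner 2 reports by IP and overlaps with scanner 1
    {"ip": "10.0.0.5", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"ip": "10.0.0.9", "cve": "CVE-0000-0004", "cvss": 4.0},
]
# Constructed asset inventory: the business context a static severity score lacks.
ASSETS = {
    "web-01": {"ip": "10.0.0.5", "unit": "ecommerce", "exposure": "internet"},
    "db-01": {"ip": "10.0.0.9", "unit": "ecommerce", "exposure": "internal"},
}
EXPLOITED = {"CVE-0000-0002"}  # constructed threat-intel feed: known-exploited CVEs
EXPOSURE_WEIGHT = {"internet": 2.0, "internal": 1.0}  # illustrative weights

def consolidate(*sources):
    """Step 1: merge scanner feeds, resolving IP-keyed findings to the inventory hostname."""
    by_ip = {a["ip"]: name for name, a in ASSETS.items()}  # assumes every IP is inventoried
    return [{"asset": f.get("host") or by_ip[f["ip"]], "cve": f["cve"], "cvss": f["cvss"]}
            for src in sources for f in src]

def correlate(findings):
    """Step 2: deduplicate on (asset, CVE), then group the unique findings per asset."""
    unique = {(f["asset"], f["cve"]): f for f in findings}.values()
    grouped = defaultdict(list)
    for f in unique:
        grouped[f["asset"]].append(f)
    return dict(grouped)

def enrich(grouped):
    """Step 3: attach exposure, business unit and exploit status to each finding."""
    return {asset: [dict(f, **ASSETS[asset], exploited=f["cve"] in EXPLOITED) for f in items]
            for asset, items in grouped.items()}

def prioritize(grouped):
    """Step 4: rank by a context-weighted score instead of the scanner's static CVSS."""
    ranked = [dict(f, score=f["cvss"] * EXPOSURE_WEIGHT[f["exposure"]] * (1.5 if f["exploited"] else 1.0))
              for items in grouped.values() for f in items]
    return sorted(ranked, key=lambda f: f["score"], reverse=True)

def run_pipeline():
    """Return findings in remediation order; compare with sorting the same list by cvss alone."""
    return prioritize(enrich(correlate(consolidate(SCAN_A, SCAN_B))))
```

In this data the internet-facing, known-exploited CVE-0000-0002 (CVSS 5.3) is ranked above the internal CVE-0000-0003 (CVSS 7.5), which a pure severity sort would place first.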
Once risk is prioritized based on your organization’s unique makeup, it’s time to act on that data and start mitigating your risk through a combination of orchestration and automation. This includes application security orchestration and correlation (ASOC) workflows, along with cloud and infrastructure vulnerability and risk management, to deliver orchestration across the organization. The most efficient way to do this is to automate as many of the time-consuming tasks and repetitive processes in the vulnerability and cyber risk management lifecycle as possible. This can take a significant weight off your team’s shoulders: by automating these tedious tasks, you will reduce operating overhead, accelerate risk mitigation and lower MTTR.
Effective risk management requires companywide involvement, and a culture of collaboration should always lay the foundation for the tools and strategies implemented. As mentioned earlier, everyone in the organization should be empowered to become a risk manager. When everyone’s working together, cyber risk management becomes an organizational initiative rather than a burden only on security teams. Without collaboration, each team – from DevOps and SecOps to application security and IT – is speaking its own language and working towards different goals. Your ability to communicate effectively with each of the teams involved in mitigating vulnerabilities and risk can make or break your entire cyber risk management program. Being able to clearly communicate with each of these departments what they need to do and why, using their preferred methods (Jira, Slack, ServiceNow, etc.), is necessary to break down the barriers between these different departments.
We’ve come to the end (and thus the beginning) of the cyber risk management lifecycle. If you can’t report on your cyber risk management activities, it’s as if they never happened. However, 30% of IT security leaders don’t measure or track remediation success. Reporting is a necessary deliverable for a wide array of audiences such as compliance, external auditors, the C-Suite or a Board of Directors. Your reporting capabilities should take a business intelligence approach, giving extensive flexibility to analyze data based on specific requirements so that you can continuously understand how well your program is working and where you need to improve. In this step, teams across the organization should be able to leverage out-of-the-box report templates or easily create customized reports and dashboards to fit any audience, from daily practitioners to the C-Suite.
Reducing cyber risk isn’t possible in a vacuum; it requires the orchestrated contributions of teams, tools and processes across IT and security functions. At its core, cyber risk management is truly a data management issue. The data is available to process, correlate, prioritize, measure and put into action to remediate vulnerabilities and mitigate risk. Your job as a security leader is to simplify the cyber risk management process as much as possible, minimizing the load your team is carrying and allowing them to think strategically about how to actually minimize risk. These seven steps, when fully embraced by all risk managers across different teams, can truly transform and simplify your cyber risk program.