RSA Conference | 5.13.2024 | By: Bob Ackerman

In the critical world of cybersecurity risk management, there is no question that the sophistication of cutting-edge technology has made huge strides over the years. The advent and growth of advanced software analytics and machine learning algorithms, coupled with much stronger corporate recognition that cybersecurity is extremely important, have stopped or at least mitigated an explosion of cyber-attacks and breaches.

Yet an enormous amount of work remains. The management of cybersecurity risks, for all its improvement, is broader than ever in a physical world broadly connected to and controlled by a digital planet awash with cybercriminals. And cloud services, which tend to have relatively high security issues despite heightened efforts to control them, continue to grow at a frantic pace of nearly 15% annually.

An on-going slew of attacks also persists among less secure third-party vendors, who too often have mediocre security protection and end up mistakenly forwarding their vulnerabilities. Meanwhile, small and medium-sized companies, which also tend to have weaker cybersecurity, continue to get attacked vigorously and successfully by cybercriminals. Similarly, an explosion of remote workers frequently learn the hard way that home-based protection isn’t as good as it is at a corporate office.

Even deep-pocketed corporations fail to escape the heat. No entity is 100% safe from attack. The answer, in part, is to embrace thorough Incident Response Plans (IRPs), which usually mitigate the pain of a breach. Unfortunately, too many IRPs wind up getting short shrift because of indecision about their value.

The biggest problem of all may be that too many companies sidestep the reality that cyberattacks typically occur out of the blue and happen quickly.

Many still think that an appropriate response is mostly the responsibility of the cybersecurity team. Under immense pressure, it needs to be much broader. More important, the odds of a breach occurring in any short timeframe are very small.  So protective planning must be handled as a long-term priority – something many companies downplay.

Turning to the big picture in cybersecurity risk management, it’s important to fully understand what this entails. It is the strategic process of finding, analyzing, prioritizing, and addressing cybersecurity threats swiftly. Continuous risk management is integral to ensure ongoing security, thereby requiring administrators to stay abreast of the latest attack methods. Administrators must then update their protection.

Top security executives need to evaluate and periodically re-evaluate several stages of risk management to determine whether assessments need to be updated.

Here the basic judgments that must be examined and often altered over time:

+ Determine the scope of assessment. The first step in risk management is to determine the total scope of each assessment, studying individual undertakings one at a time to determine any assets hackers may want to control as a pivot point.   Usually, it’s best to start with a specific location, business unit, or business aspect, such as a web application or payroll processing. 

+ Analyze risks and their impact. Determine the likelihood of a threat exploiting a vulnerability and how severe it might be. Then decide how likely the risks identified will actually happen and the impact they would have on the organization.

+ Mitigate risks as much as possible. Sometimes, specific measures can reduce the level of a risk to an acceptable level. If unsuccessful, strongly consider discontinuing the related activity.

+ Document risks. This is critical because risk management is ongoing. It should be reviewed regularly to stay current on all risks, including risk scenarios, current security controls, mitigation plans, and the latest risk levels.

In addition to these evaluations, of course, there are a number of more mainstream steps that security managers must take. These include updating and upgrading software, actively managing systems and configurations, and monitoring the posture of third-party security.

Amid the abundant pool of vulnerabilities cited here, the most troublesome are probably breached third-party vendors and the inadequate adoption overall of Incident Response Plans.

According to publisher/researcher Cybersecurity Dive, some studies showed that data compromises due to supply chain attacks soared 78 % last year and 98 % of surveyed organizations worldwide said they have a relationship with a vendor that experienced a data breach within the last two years. There have been numerous examples of companies adversely affected by preventable mistakes made by vendors in their supply chains.

In one doozy last summer, hundreds of third parties were reported to have been affected by hackers that exploited a vulnerability in Progress Software’s file transfer tool, Movelt. Hackers claimed this enabled them to attack nearly 400 organizations, including Shell, Johns Hopkins University, and the US Department of Energy.

In the case of IRPs, there is similarity in that some mitigation of breach attacks could have occurred if responsible players took cybersecurity more seriously.  IRPs create detailed directions for dealing with specific attack scenarios to mitigate damage and reduce breach recovery time. According to a global survey by S&P Global, only 43% of companies have a cybersecurity response plan and test it at least annually. 20 % of companies have no plan at all.

As previously mentioned, the single biggest reason for many issues in cybersecurity risk management is probably inertia. Change is uncomfortable. Many organizations continue to stick with past approaches and implement aging legacy technology solutions. But in today’s world, “What got you here won’t get you there,” proclaims Marshall Goldsmith, a world-renowned American executive leadership coach.