Tips on where to start in managing risk

You may not be able to plug up every hole, but there are ways to keep the dam from caving.

Plugging the holes

What is risk management? Any time you have something of value (like a corporate network, a website, or a mobile application), there will be risk to manage in order to protect it. As organizations innovate and change the way they use technology, the risks change too. Traditional approaches and controls are no longer good enough. Caroline Wong, vice president of security strategy at Cobalt, provides a few tips for managing risk in today's modern business environment.

Image credit: Get Bullish (Creative Commons BY or BY-SA)

Know what your crown jewels are

The first step to managing risk is to know exactly what it is that you want to secure. Your organization may need to protect customer data, payment information, or intellectual property. Once you know what's important and why, then you can start to tailor your risk management approach.

Know your attack surface

Do you know all the ways in which the bad guys can potentially access or compromise your firm’s most valuable assets? You can find out using tools, consultants, or a crowdsourced security platform. Make sure your testing covers the entire application portfolio, so your largest risk is not the risk you don't know about.

Simulate the attacker, before the "bad guys" attack

Penetration testing and bug bounty programs simulate the attacker perspective. You want the good guys to hack you so you can be aware of the risks and address them as needed - before the bad guys exploit vulnerabilities and potentially compromise the crown jewels.

Don't rely solely on tools to manage risk

There is a lot of great technology available to help organizations secure their networks and applications. Tools don't run themselves, however, and issues identified by tools usually can't be fixed without human intervention. Human creativity is needed to identify the most interesting security defects (e.g. application business logic flaws), rank them by probability of exploit and potential impact, and address them accordingly.

Use metrics to evaluate risk management practices

Risk management has a tendency to be more activity-driven than outcome-driven. Use metrics to evaluate the effectiveness of risk management controls. For example, finding new security issues through code review or penetration testing does not actually improve an organization's risk posture - fixing them does. Count fixes, not just tests and findings.

Prioritization matters

Prioritization is a key component to managing risk because budgets are limited and vulnerabilities can seem endless. The reality is you can’t do everything. It’s just as important to explicitly decide what you will not do as what you will do. Coming up with prioritization criteria can help you stay consistent when tough decisions need to be made.
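The two points above (count fixes rather than findings, and rank work by likelihood and impact against explicit criteria) can be turned into a small, repeatable calculation. The script below is an added example, not code from the article or from Cobalt; the findings, asset names, scores and dates are constructed, and the 1-5 likelihood/impact scale and the crown-jewel weighting are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    id: str
    asset: str
    crown_jewel: bool      # does this asset hold data the business must protect?
    likelihood: int        # assumed 1-5 scale: probability of exploit
    impact: int            # assumed 1-5 scale: potential impact
    found: date
    fixed: Optional[date] = None   # None means still open

# Constructed sample data, not from any real assessment
FINDINGS = [
    Finding("F-1", "payments-api",   True,  5, 5, date(2023, 1, 3),  date(2023, 1, 10)),
    Finding("F-2", "marketing-site", False, 3, 2, date(2023, 1, 5)),
    Finding("F-3", "payments-api",   True,  4, 4, date(2023, 1, 8)),
    Finding("F-4", "mobile-app",     True,  2, 5, date(2023, 1, 12), date(2023, 2, 20)),
    Finding("F-5", "intranet-wiki",  False, 1, 1, date(2023, 1, 15)),
]

def risk_score(f: Finding) -> int:
    # likelihood x impact, doubled when the asset is a crown jewel (assumed weighting)
    return f.likelihood * f.impact * (2 if f.crown_jewel else 1)

def outcome_metrics(findings):
    """Outcome-driven metrics: fixes and time-to-fix, not just findings."""
    fixed = [f for f in findings if f.fixed]
    days = [(f.fixed - f.found).days for f in fixed]
    return {
        "found": len(findings),
        "fixed": len(fixed),
        "fix_rate": len(fixed) / len(findings) if findings else 0.0,
        "mean_days_to_fix": sum(days) / len(days) if days else None,
        # residual risk still sitting on the assets that matter most
        "open_crown_jewel_risk": sum(risk_score(f) for f in findings
                                     if not f.fixed and f.crown_jewel),
    }

def prioritize(findings, capacity: int, threshold: int):
    """Explicit criteria: fix the top `capacity` open items scoring >= threshold.
    Everything else is a deliberate, documented 'will not do'."""
    open_items = sorted((f for f in findings if not f.fixed),
                        key=risk_score, reverse=True)
    will_fix = [f for f in open_items[:capacity] if risk_score(f) >= threshold]
    will_not_fix = [f for f in open_items if f not in will_fix]
    return will_fix, will_not_fix
```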

Focus on risk management results, not hype

Public bug bounties get news headlines, but how effective are they at actually reducing risk for your organization? Consider what your desired objective is for any risk management control, and make sure you're accomplishing it with your risk management strategy. For example, a better fit for finding and fixing web application vulnerabilities might be a crowdsourced penetration test or a private bug bounty.

Align risk management skills with industry trends

Does your risk management team understand agile development? CI/CD? The security implications of moving operations to the cloud? If the way that your organization builds products is changing, then the skill sets required to manage the associated risk need to change too.

Embrace and invite change

As businesses change the way they build products, attackers evolve the way they attempt to breach applications. As IT departments move their operations into the cloud, risk management needs to focus more on applications than networks. Keep up by testing frequently and embracing new risk management approaches, like crowdsourced security.