Key elements for a successful cyber risk management strategy

In this Help Net Security interview, Yoav Nathaniel, CEO at Silk Security, discusses the evolution of cyber risk management strategies and practices, uncovering common mistakes and highlighting key components for successful risk resolution.

Nathaniel anticipates a growing pressure on organizations to implement effective cyber risk management programs, driven by regulations such as the SEC’s Cybersecurity Disclosure Rule.

How has the approach to cyber risk resolution evolved over the past few years?

For over 25 years, cybersecurity professionals systematically relied on spreadsheets, emails, and extensive manual risk assessments to resolve cyber risks based on their impact and likelihood to exploit. Over the past few years, the corporate workplace and IT footprint transformed to be more distributed and dynamic, even more so thanks to the adoption of cloud, IoT and work-from-home.

Security teams are modernizing their capabilities with growing urgency. Consolidated scanning results, automated risk-based prioritization models, executive accountability, and communication workflows that enable self-service resolution by the distributed IT owners are foundational elements of this new approach. The goal is to achieve and maintain a measurable and manageable security posture.

Over the past decade, we’ve seen the emergence of partial solutions focusing on prioritizing vulnerabilities with CVEs. However, the growth in IT complexity and an explosion in different exposure categories, such as misconfigurations, code application risks, and identity risks, has highlighted their limitations. Newer approaches centralize all of the risks and resolution processes into a holistic solution.

What common mistakes do companies make in their cyber risk resolution strategies?

The most common mistake is lacking standardization for cyber risk resolution processes, leading to various security teams duplicating their remediation efforts. It becomes difficult to prioritize and track security findings consistently and accurately if each team needs to come up with their own risk resolution process. Centralizing risk resolution processes creates organizational clarity, and can save security teams up to 50% of their time.

Another common mistake is not implementing effective processes to factor both threat context and environmental context into cyber risk prioritizations. Relying on any one type of model, such as EPSS, is not sufficient. We hope to find the ‘golden’ indicator for which risk will eventually lead to a breach, but until that day, security teams need to holistically incorporate several layers of risk factors to determine business risk and drive justifiable communications.

What are the key components of an effective cyber risk management strategy?

Effective cyber risk management involves discovering risks and doing something proactively about those risks. It’s like a muscle that needs to be exercised on a regular cadence to continuously re-assess, resolve, and report top risks. Scanning for more types of IT risks is always recommended, but it’s just as important to implement continuous distributed processes to resolve those detected risks. The key pillars of risk resolution are prioritization, ownership and communication workflows, as well as accurate tracking and comprehensive reporting of all relevant metrics.

Resolving risk has been the most challenging journey for security teams working in distributed environments — this is what has been known as ‘the last mile of security.’ Newer approaches include unifying risk models and embedding advanced resolution workflows into collaboration systems for more effective communication with IT stakeholders. Industry analysts at Gartner and Forrester have formulated frameworks that encompass the phases of this risk resolution lifecycle.

How does organizational culture impact the effectiveness of cyber risk management?

Cyber risk management is a team sport – everyone needs to be aware and actively engaged with their own potential risks in order for the organization to have a winning program. Organizational cultures that promote accountability and clarity around risk appetite are more likely to get everyone onboard. Such cultures are more receptive to metrics and processes that promote cyber risk reduction.

Can you provide examples of successful cyber risk resolution cases and what made them successful?

The most successful risk resolution programs incorporate both executive and low-level alignment on security posture and risk appetite. Executive buy-in, clarity on cyber risk, and scalable processes can improve resolution by more than 50 times and resolve tens of thousands of risks per week. Accurate IT ownership mapping is typically the biggest hurdle organizations need to overcome, and there are automated methods to achieve this. I’ve personally led successful F100 cyber risk resolution programs and am now providing a platform for all organizations to manage their cyber risks more effectively.

How do you foresee the future of cyber risk management evolving in the next 5-10 years?

Regulations such as the SEC’s Cybersecurity Disclosure Rule are adding pressure and urgency for organizations to adopt more effective cyber risk management programs, or face material repercussions. We anticipate cyber risk resolution to gain a lot more attention and for unifying risk resolution platforms to address this.