In today’s digitally connected world, cyber risk is no longer a matter of probabilities but of certainties. This requires CISOs to rethink their reactive risk management programs and evolve toward a proactive risk intelligence approach. With a risk intelligence-informed program, CISOs and their teams can continuously collect insights that enable proactive, holistic, and data-driven decisions about security.
In the first part of our Evolve from Risk Management to Risk Intelligence webinar series, I spoke with three security leaders for their insights into risk intelligence: Vigilance Cyber Security’s CISO Moriah Hara, Huawei’s cybersecurity and privacy officer Nuno Teodoro, and SecurityScorecard’s CISO Mike Wilkes. Here’s what they had to say about the evolution from risk management to risk intelligence.
Intelligence Starts with Visibility
Each CISO agreed that the evolution from risk management toward risk intelligence has everything to do with automation and scale. With an organization’s attack surface spread far and wide, organizations need to leverage technology to gain the visibility required to make smarter decisions about where to focus their efforts.
“Think about if you have 10,000 vulnerabilities on your infrastructure. Risk intelligence would help you focus on the threats that are actively exploiting your vulnerabilities so you don’t treat them all with equal priority,” Wilkes said.
Hara believes that risk intelligence is crucial for gaining the situational awareness required to understand who is attacking the organization and why. This allows a CISO to direct her team’s resources towards not only the most vulnerable parts of the organization’s attack surface, but the aspects that are most likely to be targeted.
“If you’re working on intellectual property, then a nation state may be coming after you. But if you’re a bank, you’re going to have a completely different attacker profile. You need to be aware of how to use your limited resources in order to protect your crown jewels,” Hara said.
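Wilkes’s point about not treating 10,000 vulnerabilities equally and Hara’s point about crown jewels and attacker profiles both come down to the same ranking problem: a CVSS score alone says nothing about whether anyone is exploiting the flaw or whether the affected asset matters. The script below is an added example, not code from the webinar or from SecurityScorecard, that ranks a constructed set of findings by exploitation evidence and asset criticality and contrasts it with a CVSS-only ranking. The CVE identifiers, the exploited-CVE set, the asset tiers and the weights are all placeholders chosen for illustration; in practice the exploited set would come from a threat-intelligence feed (for example CISA’s Known Exploited Vulnerabilities catalog) and the tiers from the asset inventory.

```python
"""Risk-intelligence-style vulnerability prioritisation (added example).

Ranks findings so that vulnerabilities under active exploitation on
business-critical, exposed assets come first, instead of ordering purely
by CVSS base score.  All input data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str              # placeholder identifier, not a real CVE
    asset: str            # hostname or service name from the inventory
    cvss: float           # CVSS base score, 0.0 to 10.0
    internet_facing: bool # True if reachable from the public internet


# Constructed sample scan output.
FINDINGS = [
    Finding("CVE-0000-0001", "hr-portal", 9.8, False),
    Finding("CVE-0000-0002", "vpn-gateway", 7.5, True),
    Finding("CVE-0000-0003", "build-server", 5.3, False),
    Finding("CVE-0000-0004", "marketing-site", 9.1, True),
    Finding("CVE-0000-0005", "payments-db", 6.5, False),
]

# Constructed: identifiers a threat-intel feed reports as actively exploited.
ACTIVELY_EXPLOITED = {"CVE-0000-0002", "CVE-0000-0005"}

# Constructed: asset criticality from the inventory (3 = crown jewels).
ASSET_TIER = {
    "payments-db": 3,
    "vpn-gateway": 3,
    "hr-portal": 2,
    "build-server": 2,
    "marketing-site": 1,
}

# Assumed weights: exploitation evidence dominates, then asset value,
# then exposure; CVSS only breaks ties within those groups.
EXPLOITED_WEIGHT = 50.0
TIER_WEIGHT = 10.0
EXPOSURE_WEIGHT = 10.0


def priority_score(f, exploited=ACTIVELY_EXPLOITED, tiers=ASSET_TIER):
    """Composite risk score for one finding (higher = fix sooner)."""
    score = f.cvss
    if f.cve in exploited:
        score += EXPLOITED_WEIGHT
    # Unknown assets default to tier 1 so they are never silently dropped.
    score += TIER_WEIGHT * tiers.get(f.asset, 1)
    if f.internet_facing:
        score += EXPOSURE_WEIGHT
    return score


def rank_by_risk(findings=FINDINGS, exploited=ACTIVELY_EXPLOITED, tiers=ASSET_TIER):
    """Return CVE ids ordered by composite score, highest first."""
    scored = sorted(findings, key=lambda f: priority_score(f, exploited, tiers), reverse=True)
    return [f.cve for f in scored]


def rank_by_cvss(findings=FINDINGS):
    """Baseline: order by CVSS base score only, highest first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def work_queue(n=2, findings=FINDINGS):
    """The top-n findings the team should actually work on today."""
    return rank_by_risk(findings)[:n]


if __name__ == "__main__":
    print("CVSS-only order :", rank_by_cvss())
    print("Risk-intel order:", rank_by_risk())
    print("Today's queue   :", work_queue())
```

With the constructed data, CVSS alone would send the team to the 9.8 on the HR portal and the 9.1 on the marketing site first, while the two actively exploited flaws on the VPN gateway and the payments database, both crown-jewel assets, would sit third and fifth. The composite ranking moves those two to the top of the queue. The weights are deliberately simple; the point is that exploitation evidence and asset value are separate inputs that a severity score cannot substitute for.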
Practice (and Preparation) Make Perfect
To build a holistic risk intelligence program, organizations require a multi-pronged process that enables both visibility and insights. By understanding risk from an inside-out, outside-in, and third-party perspective, organizations can then identify where to focus their proactive efforts. But while collecting and analyzing data from across the attack surface is critical, each CISO believes that it’s the people and processes that make or break a risk intelligence program.
“It’s crucial that organizations have the policies, guidelines, reporting flows and teams already set up for incident response. Simulating attacks and testing for the top potential attacks is critical,” Teodoro said. By practicing for the most likely events, security teams can pre-determine their response, making it more efficient and impactful when an incident occurs. At the same time, he cautions other CISOs to prepare for the unpredictable.
“Unforeseen incidents are part of the job,” Teodoro said. “I find it really useful to do surprise tests where we have to involve other people in the organization. You should put people in the spotlight and in the heat of the moment to really understand if the policies and processes you have are enough for what you need at an organizational level.”
To build and test an organization’s risk intelligence capabilities, Hara believes tabletop exercises are a must. “Work with your Chief Legal Officer to create three or four of the most likely scenarios that your business may be impacted by. Not only do you want to see how your cyber team is going to respond, but you want to involve your CFO, head of HR, head of PR, your CEO, and others to give them real world experience. The only thing that’s worse than having an incident is responding poorly to it,” Hara said.
If the key to risk intelligence is a holistic approach, that approach also means thinking beyond the attack itself to the days that follow. Many incidents have legal and regulatory implications, which require careful documentation. Not only do you need a process in place for your response, but Wilkes says you need a process for documenting the execution of the response itself.
“There are two attacks you need to worry about. One is the bad guys, and that one’s actually easier. The second attack is all the armchair quarterbacks – the regulators, the insurance company, the board of directors – who will come in and start second guessing all of your decisions, all your investments, and all of your properties. That second attack is one you can prepare for with good documentation,” Wilkes said.
Evolve to Risk Intelligence with SecurityScorecard
A holistic approach to risk – one that combines a 360° view of the attack surface with the ability to communicate risk meaningfully and respond effectively – is critical for business success in today’s cybersecurity threat landscape. With SecurityScorecard’s latest product release, organizations now have everything they need to build a world-class risk intelligence program.
Check out the complete webinar series to watch this webinar on-demand and learn how leading security and vendor risk management teams are trailblazing and transforming from risk management to risk intelligence.