CISO advice for addressing cyber-risk management challenges

Cyber-risk management is simple in concept and difficult in practice. CISOs weigh in on some potential ways to rein in the chaos, educate executives and mitigate cyber-risks.

Cyber-risk management is one of the foundations of cybersecurity, requiring a thorough understanding of all IT entities -- identities, both human and nonhuman; devices; software assets; etc. Beyond identification, cyber-risk management depends upon details and context as well. This includes considerations such as where assets are deployed; how they are configured; who owns each asset; what changes have been applied, when and by whom -- the list goes on and on.

The overarching goal here is to identify vulnerabilities and then mitigate risks before a bad guy can exploit them. This is no different than locking your doors and windows when you go away on vacation to prevent easy access to your home.

Cyber-risk management challenges

OK, but here's the problem: Cyber-risk management has become a monumental task for the following reasons:

  • Attack surface growth. According to research from TechTarget's Enterprise Strategy Group, 62% of organizations claimed their attack surfaces have expanded over the past two years. Consider the recent growth of cloud-native development tools, IoT/OT devices, service accounts and remote work, and you'll see an alarming trend. An average enterprise has a cyber-risk purview that requires visibility into hundreds of thousands or even millions of different entities. Yikes!
  • Constant IT innovation and change. Whether software updates, configuration setting alterations or service account profile modifications, changes happen constantly throughout the enterprise IT environment. Keeping up requires continuous monitoring rather than periodic scanning.
  • An unwieldy software supply chain. Think Log4j, MOVEit and SolarWinds -- software vulnerabilities are arriving via open source libraries and trusted vendor applications. It's not enough anymore to know what software is installed. Rather, security teams need software bills of materials (SBOMs) to detail all the components of their application portfolios. They then have to know which of these components might be at risk, which means matching each component and version against the advisories that apply to it. This isn't easy, as past software supply chain attacks have revealed.
  • Growing use of large language models and generative AI. This trend is just starting, but I guarantee we'll see many cyberattacks related to GenAI in the next few years due to data integrity issues, faulty coding and shadow AI usage. Will security teams be able to keep up with GenAI risk monitoring? Probably not.
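As an added illustration of the matching step described in the software supply chain bullet above (this code is not from the original article or from any of the vendors it mentions), the following Python script reads a small CycloneDX-style SBOM, constructed here, and checks each component against an advisory record keyed by package URL. The advisory entry for CVE-2021-44228 carries the introduced/fixed pairs from the published advisory; the version ordering is a simplified Maven-style comparison written for this example, and the function and field names are assumptions.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment; not output from a real build.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.0", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"}
  ]
}
"""

# Advisory records in an OSV-like shape (keyed by package URL without version).
# The CVE-2021-44228 entry uses the introduced/fixed pairs from the published
# advisory: 2.3.1 and 2.12.2 are the backported fixes for older branches,
# 2.15.0 the mainline fix. A real pipeline pulls this from OSV, GHSA or NVD.
ADVISORIES = [
    {
        "id": "CVE-2021-44228",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core",
        "ranges": [
            {"introduced": "2.0-beta9", "fixed": "2.3.1"},
            {"introduced": "2.4", "fixed": "2.12.2"},
            {"introduced": "2.13.0", "fixed": "2.15.0"},
        ],
    },
]


def version_key(version):
    """Sort key for Maven-style versions such as '2.14.1' or '2.0-beta9'.

    Simplified ordering written for this example: numeric parts compare
    numerically, trailing zeros are ignored (2.0 == 2.0.0), and a pre-release
    qualifier sorts before the corresponding release.
    """
    main, _, qualifier = version.partition("-")
    nums = [int(p) for p in main.split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    if not qualifier:
        return (tuple(nums), 1, "", 0)
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", qualifier)
    if m:
        return (tuple(nums), 0, m.group(1).lower(), int(m.group(2) or 0))
    return (tuple(nums), 0, qualifier.lower(), 0)


def in_range(version, introduced, fixed=None):
    """True if introduced <= version < fixed (fixed=None means no fix yet)."""
    key = version_key(version)
    if key < version_key(introduced):
        return False
    return fixed is None or key < version_key(fixed)


def match_sbom(sbom_text, advisories):
    """Return one finding per (component, advisory) whose version is affected."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        purl_base = comp["purl"].split("@", 1)[0]  # drop the @version suffix
        for adv in advisories:
            if adv["purl"] != purl_base:
                continue
            if any(in_range(comp["version"], r["introduced"], r.get("fixed")) for r in adv["ranges"]):
                findings.append({"component": comp["name"], "version": comp["version"], "advisory": adv["id"]})
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, ADVISORIES):
        print(f"{f['component']} {f['version']} affected by {f['advisory']}")
```

Matching on the version-less package URL rather than on the bare name is what keeps log4j-api from being confused with log4j-core, and the multi-range check is what keeps a backported fix such as 2.12.2 from being reported as vulnerable.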

In aggregate, the scale and scope of cyber-risk management has grown beyond our ability to address it in an effective and efficient way.

Security technology vendors and service providers recognize this gap, as do regulators. There's no silver bullet currently available, however, and I don't foresee one on the horizon anytime soon.

CISO cyber-risk management strategies

Given this reality, what can organizations do to better address the growing scale of cyber-risk management requirements? I recently asked this question of several CISOs. While strategies varied, there were some common themes. Security executives I spoke to said they are doing the following:

  1. Educating executives and board members. It's safe to say executives and board members freak out when they read about cyberattacks and business disruption but don't really understand the root causes. The CISOs I spoke with have taken a proactive approach to bridging this knowledge gap by providing cybersecurity education in a business context.

    In other words, they aren't talking about CVEs or adversary tactics, techniques and procedures (TTPs). Rather, they are focusing on vulnerabilities in critical systems and data, the compensating controls in place, and the actions and costs of mitigating the remaining risk. They also create summary reports, in simple terms, each time there is a newsworthy ransomware incident or data breach -- especially when it occurs within their industry or geographic area. Finally, they make themselves available for informal calls or regular board meetings to support the business. These activities may seem like no-brainers, but they are often neglected or ignored. As part of their mission, the CISOs I spoke with won't let them be.
  2. Making sure security team members are early participants in new IT initiatives. To paraphrase an old saying, "You can't mitigate risks you don't know about." OK, perhaps you can bolt something on after the fact, but that's not nearly as effective as performing threat modeling up front, gauging potential vulnerabilities and building security into new applications.

    Successful CISOs insist on a seat at the table for all new IT initiatives so they can ask questions such as: Who will use this application, and where will they be located? Will they be accessing sensitive or regulated data? Based on these inputs, security teams can build in risk mitigation controls and know what to monitor to detect anomalous, suspicious or malicious behavior patterns.
  3. Establishing the right policies and standards. Too many organizations minimize or even disregard foundational security best practices.

    Take, for example, the concept of least privilege -- a cybersecurity pillar. To mitigate risks, proactive CISOs lock down individual access rights by defining roles, templating access privileges and implementing zero-trust controls. They also monitor for dormant identities, overly permissive accounts, shared passwords and service account sprawl.

    Beyond identities, these CISOs also establish standard configurations for endpoints, servers and cloud workloads, and then monitor for and remediate drift from those gold images.
  4. Training, measuring and monitoring software developers. Application developers are paid for features and functionality, not security. Security training helps build awareness, but effective CISOs go beyond training alone by setting goals, measuring progress and giving developers incentives for continuous improvement. For added security, many firms have created DevSecOps teams directly involved with CI/CD processes and workflows.
  5. Increasing efforts around threat intelligence analysis. Regardless of resources or commitment, no organization can protect against all types of risks. To focus their organizations, these CISOs double down on threat intelligence analysis, gaining a better understanding of who might attack their organizations, the TTPs they might use and whether the organizations have the right countermeasures in place to prevent or detect these events.

    Progressive organizations go one step further through continuous penetration testing and red teaming to prove their defenses actually work. In this way, CISOs guide their organizations to focus on mitigating the most likely risks, not every possible risk.
  6. Working on federation and consolidation. A modern enterprise hybrid IT infrastructure is extremely specialized and distributed. To align with this model, security teams need dedicated cyber-risk management processes and tools designed for their domains.

    On the tools side, cloud teams need cloud security posture management, identity management folks need identity security posture management, and so on. This model enables experts in each area to take the lead, but individual risks can have a cumulative impact at an enterprise level. Cyber asset attack surface management (CAASM) tools, such as Axonius, JupiterOne, Panaseer and Sevco, as well as risk-based vulnerability management systems, such as Nucleus Security, Qualys and Tenable, can integrate with disparate tools via APIs to provide a more complete picture. Leading products and services also include risk scoring and workflow support to help with risk mitigation prioritization and operations.
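The least-privilege monitoring called out under policies and standards above (dormant identities, overly permissive accounts, shared passwords and service account sprawl) comes down to a handful of checks over an identity inventory. The Python below is an added example, not code from the article or from any CISO or vendor it mentions: it runs those four checks over a small inventory constructed here in the shape of a normalized IdP/IAM export. The field names, the 90-day dormancy window and the sprawl threshold are assumptions for the example; an identity security posture management product would apply equivalent rules to live directory data.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed identity inventory, shaped like a normalized IdP/IAM export.
# Field names are assumptions for this example: "actions" holds the account's
# granted permissions, "cred_fp" is a fingerprint of its credential (e.g. a
# hash of the password or access key), "last_used" is the last observed
# sign-in or API call.
INVENTORY = [
    {"name": "alice", "kind": "human", "owner": "alice", "last_used": "2024-05-30",
     "actions": ["s3:GetObject"], "cred_fp": "h-a1"},
    {"name": "bob", "kind": "human", "owner": "bob", "last_used": "2023-11-02",
     "actions": ["ec2:DescribeInstances"], "cred_fp": "h-b2"},
    {"name": "carol", "kind": "human", "owner": "carol", "last_used": "2024-05-01",
     "actions": ["iam:*"], "cred_fp": "h-c3"},
    {"name": "deploy-svc", "kind": "service", "owner": "platform", "last_used": "2024-05-31",
     "actions": ["*"], "cred_fp": "svc-key-1"},
    {"name": "ci-runner-1", "kind": "service", "owner": "platform", "last_used": "2024-05-31",
     "actions": ["ecr:GetAuthorizationToken"], "cred_fp": "svc-key-1"},
    {"name": "ci-runner-2", "kind": "service", "owner": "platform", "last_used": "2024-01-15",
     "actions": ["ecr:GetAuthorizationToken"], "cred_fp": "svc-key-2"},
    {"name": "backup-svc", "kind": "service", "owner": "platform", "last_used": "2024-05-31",
     "actions": ["s3:PutObject"], "cred_fp": "svc-key-3"},
]

# Thresholds are policy choices; these values are assumptions for the example.
DORMANT_DAYS = 90
SPRAWL_THRESHOLD = 3
AS_OF = date(2024, 6, 1)  # fixed "today" so the example is reproducible


def find_dormant(inventory, as_of=AS_OF, max_idle_days=DORMANT_DAYS):
    """Identities (human or service) not used for more than max_idle_days."""
    return sorted(
        acct["name"] for acct in inventory
        if (as_of - date.fromisoformat(acct["last_used"])).days > max_idle_days
    )


def is_overly_permissive(actions):
    """Flag a full wildcard or a service-wide wildcard such as 'iam:*'.

    Narrower prefix wildcards like 'ec2:Describe*' are left to human review;
    whether they are acceptable depends on the role template.
    """
    return any(a == "*" or a.endswith(":*") for a in actions)


def find_overly_permissive(inventory):
    return sorted(acct["name"] for acct in inventory if is_overly_permissive(acct["actions"]))


def find_shared_credentials(inventory):
    """Credential fingerprints that appear on more than one identity."""
    by_fp = defaultdict(list)
    for acct in inventory:
        by_fp[acct["cred_fp"]].append(acct["name"])
    return {fp: sorted(names) for fp, names in by_fp.items() if len(names) > 1}


def find_service_account_sprawl(inventory, threshold=SPRAWL_THRESHOLD):
    """Owners holding at least `threshold` service accounts."""
    counts = Counter(acct["owner"] for acct in inventory if acct["kind"] == "service")
    return {owner: n for owner, n in counts.items() if n >= threshold}


def run_checks(inventory):
    return {
        "dormant": find_dormant(inventory),
        "overly_permissive": find_overly_permissive(inventory),
        "shared_credentials": find_shared_credentials(inventory),
        "service_account_sprawl": find_service_account_sprawl(inventory),
    }


if __name__ == "__main__":
    for check, result in run_checks(INVENTORY).items():
        print(f"{check}: {result}")
```

The shared-credential check depends on having a comparable fingerprint for every credential, which is the hard part in practice; the sprawl check is a count, not a verdict, and is there to surface owners whose service accounts warrant a review rather than to fail them automatically.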

The term cyber resiliency is also bandied about these days, with the goal of building rapid recoverability and self-healing into assets. Hmm, maybe -- but CISOs I spoke with were extremely focused on improving the basics before taking on any new IT/security science projects.

I admit these CISO recommendations aren't new or unique. Shouldn't organizations be doing these things already? Of course they should, but they often get sloppy or depend on tools and processes that don't scale.

In my humble opinion, the CISOs I spoke to were saying that you can't improve cyber-risk management without optimizing the basics first. Sound advice from experienced practitioners.

Jon Oltsik is analyst emeritus and founder of TechTarget's Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.
