Cyber-risk management remains challenging
Strong cyber-risk management demands collaboration and coordination across business management, IT operations, security and software development in an ever-changing environment.
When asked to rate the importance of cyber-risk management at their organizations, 91% of cybersecurity professionals rated it as "very important," while 9% said "important."
It's safe to say that cyber-risk management -- the process of identifying, prioritizing, managing and monitoring risks to information systems -- is an organizational priority. Unfortunately, it is also a moving target. According to results from TechTarget's Enterprise Strategy Group cyber-risk management survey, to be published, 65% of cybersecurity professionals believe cyber-risk management is more difficult at their organizations today than it was two years ago. This holds for organizations with fewer than 1,000 employees and those with more than 5,000 employees alike.
Anyone familiar with the dynamic state of corporate IT and its implications for cybersecurity shouldn't find this surprising. Things are moving quickly on the IT front -- cloud-native applications, digital transformation, generative AI and so on. To keep up, cybersecurity teams need to know about these initiatives, understand the details, sanity-check them against threat models, monitor them for vulnerabilities and, ultimately, work with software developers and IT operations teams to mitigate risk in a reasonable time frame. This is a tall order amid constant IT growth and change.
When asked to identify their organizations' top cyber-risk management challenges, survey respondents said the following:
- Performing cyber-risk assessments on a recurring basis. Because IT assets and adversary tactics, techniques and procedures are constantly changing, security teams must always remain vigilant. This means conducting regular cyber-risk assessments and looking inward for moves, adds and changes, then correlating them with threat intelligence analysis. Think of this as monitoring a Venn diagram whose intersection is the set of critical, vulnerable IT assets that cyber adversaries could exploit. Amid constant change in both threats and vulnerabilities, identifying and mitigating risks is extremely difficult.
- Managing identities, access policies and entitlements. As the saying goes, "People are the weakest link in the security chain." In terms of vulnerabilities, this includes overly permissive administrator accounts, shared passwords and stale user accounts. These issues are often exacerbated by weak corporate policies or business managers who give employees access to everything. Security teams are forced to figure out how to tighten identity and access management (IAM) and manage cyber-risk without disrupting business or software development processes.
- Integrating data from multiple systems to get a comprehensive view of cyber-risk. This is significant, especially at large organizations. To assess cyber-risk, security teams need to gather, aggregate and analyze data from configuration management databases, vulnerability management scanners, endpoint security tools, IAM systems, cloud security posture management platforms and other sources. Cyber asset attack surface management tools, such as those from Axonius, JupiterOne and Panaseer, as well as risk-based vulnerability management tools, including those from Cisco, Nucleus Security and Tenable, can help here, but many organizations haven't crossed this security technology bridge yet. In fact, 59% of organizations admitted they still rely on spreadsheets as part of this process.
- Securing the software supply chain. Remember the CCleaner, Log4j and SolarWinds attacks? When these types of attacks happen, security teams must find every instance in their environment, identify the asset owner, work with developers and IT operations on risk mitigation and implement compensating controls -- all while reporting to the CISO and business managers on risk identification and mitigation efforts. This has become especially difficult over the past few years with the proliferation of new applications and software built on top of open source libraries.
- Quantifying cyber-risk in monetary terms. Inevitably, cyber-risk is a business risk. CISOs and security teams must therefore translate technical terminology, including CVEs, CVSS scores, the MITRE ATT&CK framework and penetration testing reports, into specific dollars-and-cents risks to the business. This requires a lot of front-end work, strong business knowledge, and communications and reporting expertise.
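The "Venn diagram" correlation described under recurring assessments and the multi-source data integration described above can be shown concretely. The following is an added example, not code from the article or from any vendor named in it: it joins three constructed feeds (a CMDB export, vulnerability scanner findings and a threat-intel list of actively exploited CVEs) into a ranked list of critical, vulnerable, exploitable assets, and flags scanned assets the inventory doesn't know about. All field names, CVE ids and the scoring rule are constructed assumptions.

```python
"""Added example: correlate asset inventory, scan findings and threat intel.
Everything below is constructed sample data; the CVE ids are placeholders."""

# Constructed CMDB export: business criticality 1-5 and an owner for follow-up
CMDB = [
    {"asset": "web-01",   "owner": "ecommerce",  "criticality": 5, "internet_facing": True},
    {"asset": "build-07", "owner": "platform",   "criticality": 4, "internet_facing": False},
    {"asset": "kiosk-12", "owner": "facilities", "criticality": 1, "internet_facing": False},
]

# Constructed vulnerability scanner findings (one row per asset/CVE pair)
SCAN = [
    {"asset": "web-01",   "cve": "CVE-0000-0001", "cvss": 9.8},
    {"asset": "web-01",   "cve": "CVE-0000-0002", "cvss": 5.4},
    {"asset": "build-07", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"asset": "kiosk-12", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"asset": "db-03",    "cve": "CVE-0000-0003", "cvss": 7.5},  # absent from CMDB
]

# Constructed threat-intel feed: CVEs reported as exploited in the wild
EXPLOITED = {"CVE-0000-0001"}


def risk_score(cvss, criticality, exploited, internet_facing):
    """Constructed rule (an assumption, not a standard): CVSS weighted by business
    criticality, doubled when threat intel says the CVE is exploited, +50% when
    the asset is reachable from the internet."""
    score = cvss * criticality
    if exploited:
        score *= 2
    if internet_facing:
        score *= 1.5
    return round(score, 1)


def correlate(cmdb, scan, exploited):
    """Join the three feeds. Returns (findings ranked by risk, scanned assets
    missing from the inventory). Each finding is (risk, asset, owner, cve, hot)."""
    by_name = {a["asset"]: a for a in cmdb}
    findings, unknown = [], set()
    for f in scan:
        a = by_name.get(f["asset"])
        if a is None:                 # scanner sees it, CMDB doesn't: inventory gap
            unknown.add(f["asset"])
            continue
        hot = f["cve"] in exploited   # the Venn-diagram intersection with threat intel
        risk = risk_score(f["cvss"], a["criticality"], hot, a["internet_facing"])
        findings.append((risk, a["asset"], a["owner"], f["cve"], hot))
    findings.sort(key=lambda x: x[0], reverse=True)
    return findings, sorted(unknown)
```

Re-running `correlate` after every inventory or feed change gives the recurring assessment the article describes; the ranked tuples carry the owner so each finding can be routed to the right team.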
A common theme throughout these challenges is that cyber-risk management requires coordination and collaboration across people, processes and technologies in different groups, each with different objectives, communication styles and skill sets. No wonder most organizations said things are getting more difficult.
How organizations can best address these challenges is a question that remains.
Jon Oltsik is analyst emeritus and founder of TechTarget's Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.
Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.