5 Key Skills for Effective Cyber Risk Management

These are notable examples, but how many other cyberattacks have occurred that have not been made public and have flown under the radar? In this post, I will describe the current pressures and the actions organizations need to take to successfully manage cyber risk.

5 Key Areas to Improve Cyber Risk Management

1. Asset Visibility and Management

Securing the environment starts with complete asset visibility, because it’s impossible to secure what you can’t see. Common IT asset visibility challenges include unified visibility across hybrid environments, duplicate IT asset data, and siloed or outdated asset databases.

According to TechTarget’s Enterprise Strategy Group’s 2023 research, “Security Hygiene and Posture Management Remains Decentralized and Complex,” nearly all (95%) respondents surveyed faced challenges with fully understanding their organization’s IT asset inventory, with nearly a third (32%) saying they use at least 11 different databases, systems, and tools for security asset management. This is a common problem that needs to be solved.

To gain a complete view of IT assets to secure them, organizations should use products that support a unified view, such as security asset management systems that collect data by connecting to configuration management databases, attack surface management tools, vulnerability management platforms, and more via APIs. The best options add data analysis, risk scoring, and flexible interfaces for role-based use cases.

David Vance, senior analyst, Enterprise Strategy Group

2. Business context

Building on asset visibility, it is critical that security teams identify which IT assets and applications are the most important, have the highest value, and therefore pose the most risk to the business. To do this, security teams must understand the business context for all IT assets and applications. Historically, one of the biggest drawbacks of legacy security tools has been that they are blind to business context.

The same survey found that more than half (56%) of organizations sometimes struggle to determine which assets are business-critical.

Fortunately, security vendors, particularly vulnerability management and application security posture management vendors, have begun to incorporate business context capabilities by adding the ability to classify or categorize critical IT assets and applications that pose the most risk to the business. Security teams should leverage products that support business context to prioritize securing the most valuable IT assets and applications.

3. Improving vulnerability prioritization

Legacy vulnerability assessment scanners and application testing tools (e.g., SAST, SCA, and DAST) have traditionally had limitations in prioritizing discovered vulnerabilities. The process of prioritizing vulnerabilities from these tools can be cumbersome and often requires manually exporting results to CSV files and using spreadsheets, which is slow and prone to human error. This process becomes more challenging in larger enterprise environments with more IT resources and larger application code bases that generate more scan results.

Over the years, security vendors have improved their capabilities in this area by adding support for prioritizing vulnerabilities based on the CVSS score. As recently as 2021, some vendors further enhanced their products by adding vulnerability prioritization based on the Exploit Prediction Scoring System (EPSS) score to address the limitations of CVSS-based prioritization. Product advancements such as the ability to prioritize vulnerabilities based on CVSS and EPSS scores are a step in the right direction, but they are still not sufficient to keep pace with today’s modern IT environments, which have an increasing number of applications, IT assets, and attack surfaces across hybrid and cloud environments.

The survey also found that 68% of respondents said they understand the importance of security hygiene and posture management, but struggle to prioritize the actions that can have the greatest impact on risk mitigation. While they may have products in place to provide alerts on vulnerabilities, security teams need to ensure they can prioritize and take remediation actions in a timely manner to stay ahead of attacks and threats.

With newer developments in this space, security teams should look for options that encompass other important aspects, including support for business context and threat intelligence that shows active exploits. This allows security teams to make the most impact by addressing the highest-risk vulnerabilities on the most critical IT assets and applications, rather than relying on outdated methods that simply prioritize vulnerabilities based on criticality or severity.
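As an added illustration of the prioritization approach described in sections 2 and 3 (this is example code, not from the article or from any vendor product), the following Python ranks a constructed set of findings two ways: by CVSS alone, and by a composite of CVSS, EPSS, an active-exploitation flag from threat intelligence, and the asset's business criticality. The weighting, the 0.9 likelihood floor for actively exploited issues, the finding IDs and the asset names are all assumptions made for the example.

```python
"""Added example: CVSS-only ranking vs. contextual ranking of findings.
All finding data below is constructed; IDs are not real CVEs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str           # constructed label, not a real identifier
    asset: str                # constructed asset name
    cvss: float               # CVSS base score, 0.0 to 10.0
    epss: float               # EPSS probability of exploitation, 0.0 to 1.0
    actively_exploited: bool  # threat-intelligence flag: exploitation seen in the wild
    asset_criticality: int    # business context: 1 (low) to 4 (mission critical)


# Constructed sample findings (assumed values for illustration only).
SAMPLE_FINDINGS = [
    Finding("F1", "lab-test-vm",   9.8, 0.02, False, 1),
    Finding("F2", "payments-api",  7.5, 0.85, True,  4),
    Finding("F3", "hr-portal",     8.1, 0.10, False, 3),
    Finding("F4", "customer-db",   5.3, 0.60, True,  4),
]


def cvss_only_rank(findings):
    """Legacy approach: order strictly by CVSS severity, highest first."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_score(f: Finding) -> float:
    """Assumed composite: severity * likelihood * business impact, scaled to 0..100.
    Likelihood is the EPSS probability, floored at 0.9 (an assumed value) when
    threat intelligence confirms active exploitation, so that a confirmed
    exploit is never outranked by a merely theoretical one."""
    likelihood = max(f.epss, 0.9) if f.actively_exploited else f.epss
    impact = f.asset_criticality / 4.0          # normalise criticality to 0.25..1.0
    return f.cvss * likelihood * impact * 10


def contextual_rank(findings):
    """Order by the composite score, highest risk first."""
    return [f.finding_id for f in sorted(findings, key=risk_score, reverse=True)]


if __name__ == "__main__":
    print("CVSS only  :", cvss_only_rank(SAMPLE_FINDINGS))
    print("Contextual :", contextual_rank(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        print(f"{f.finding_id} on {f.asset:<13} score={risk_score(f):6.2f}")
```

In the sample, the critical-severity finding on a low-value lab host drops to the bottom of the list, while a medium-severity but actively exploited finding on a mission-critical asset moves to the top; a CVSS-only view would have ordered them the other way round.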

4. Continuous automation

Historically, security processes have been built around legacy security tools and how they fundamentally worked. For example, security teams would perform point-in-time penetration tests or vulnerability scans on a periodic or ad-hoc basis — perhaps monthly or quarterly. Security teams would use these types of tools to run scans, generate results, remediate discovered issues, and repeat the process on the next cycle.

We’ve seen an evolution in this space as security vendors have added the idea of continuous monitoring to their products. Instead of ad hoc or point-in-time scans, tools integrate into the environment and operate continuously. For example, penetration testing vendors have added the ability to continuously monitor the environment for the same tests that legacy point-in-time penetration testing provided. The ability for tools to operate continuously and in an automated manner is important because it fundamentally eliminates the time gap between traditional scans. Overburdened security teams can benefit greatly from products that include continuous monitoring because the inherent automation reduces the manual effort typically required for manual scans.

5. Quantifying cyber risks

CISOs are responsible for the organization’s security posture and communicating associated cyber risks to management and the board of directors. Quantifying cyber risks in monetary terms can be extremely complex and requires specialized expertise. Due to the complexity, organizations often use third-party risk assessments or consultants to assist with this process.

Cyber risk quantification is an emerging capability that security vendors are beginning to incorporate into their security offerings. Security tools with this capability can access key data such as IT asset information and associated vulnerabilities. They also correlate business context and costs associated with the business to calculate and quantify risk in monetary terms, allowing business leaders to make informed decisions about investing in resources that secure and protect the environment. Once adopted, this new capability can be a game changer, as organizations can effectively manage and own their risk quantification data to make faster decisions without having to go through a laborious and expensive risk assessment process periodically.

Addressing cyber risk management remains a top priority for organizations. Legacy security tools and processes must be updated to support today’s modern IT environments. By addressing these areas, organizations can more successfully manage cyber risk to support their business and enable growth.

David Vance is a senior analyst covering risk and vulnerability management for TechTarget’s Enterprise Strategy Group. He has more than 25 years of experience in IT and cybersecurity, helping clients succeed in the marketplace.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.