This year’s RSA Conference focused on a critical topic that is near and dear to our hearts at ThreatConnect: Prioritizing and aligning cybersecurity initiatives to key business objectives and risks.
Even the best vulnerability management program is not, on its own, addressing cyber risk. More than 13% of all Common Vulnerabilities and Exposures (CVEs) carry a CVSS severity score between 9.0 and 10.0 (the highest possible value), and 7,628 of those (about 47%) are scored exactly 10.0. When that many findings are rated "critical", severity alone cannot tell a team where to start. The bottom line is that most vulnerability management teams are overwhelmed and are likely not focusing on the risks that matter most to their organization.
John Manchester, Cybersecurity Program Manager at the Johns Hopkins School of Public Health, said focusing on what matters most in cybersecurity doesn't only mean focusing on what the cybersecurity team thinks matters most.
“There’s a tendency to sometimes focus on what matters most to you as the most important thing,” said Manchester. “And on the flip side of that, we often recognize that business leaders and other stakeholders have a different perspective, and what matters most to them is different. I think sometimes we can be tempted to fill that gap with our own understanding of what we think matters most to them, and then building a program based on that.”
Manchester cited last year's release of an interagency report by the National Institute of Standards and Technology (NIST), NISTIR 8286, titled "Integrating Cybersecurity and Enterprise Risk Management", which identified significant shortfalls in enterprise cyber risk quantification efforts.
“Most enterprises do not communicate their cybersecurity risk guidance or risk responses in consistent, repeatable ways,” the report states. “Methods such as quantifying cybersecurity risk in dollars and aggregating cybersecurity risks are largely ad hoc and are sometimes not performed with the same rigor as methods for quantifying other types of risk within the enterprise.”
“That kind of summarizes the problem that we have to overcome,” Manchester said. “We have to put some structure around our programs and address all of it in a meaningful way. Otherwise, we’re just leaving ourselves exposed in one area or another, and it’s going to cause us harm at some point in the future.”
Leilani Lauger, Chief Information Security Officer (CISO) at Lauger Consulting, said the Enterprise Risk Management and Reporting Framework is currently driving how enterprises report cybersecurity risk to their boards of directors. Detailed reporting, however, should be tailored to its audience, she said.
“You want to get the metrics on your vulnerability management results into the hands of the system administrators, the system managers, and owners so that they can be empowered to react to those things. And then that can be reported in a more narrative format, maybe to your board via your risk register,” Lauger said.
Lauger also said she supports the use of scorecards and heat maps.
“Nobody wants to be last in my experience,” she said, adding that a scorecard “gamifies” the risk management effort. “It’s really effective with things like vulnerability management, security awareness, training compliance, or anything where wide adoption or compliance is necessary.”
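The two points above, that a pile of CVSS "criticals" does not say which findings matter to the business, and that a per-owner scorecard gets remediation metrics into the hands of the people who can act on them, can be made concrete. The Python script below is an added example written for this page, not ThreatConnect's or any panelist's tooling. Its findings, asset criticality values, SLA windows and the weighting formula in `risk_score` are constructed for illustration (the CVE identifiers are placeholders, not real CVEs); a real program would substitute its own asset inventory and agreed weights.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One scanner finding enriched with the business context a scan export
    usually lacks: asset criticality (1 = lab box, 5 = revenue-critical),
    internet exposure, and whether exploitation in the wild is known."""
    cve: str
    cvss: float
    asset: str
    owner: str
    criticality: int
    internet_exposed: bool
    exploited_in_wild: bool
    first_seen: date


# Constructed sample data; the CVE-0000-* identifiers are placeholders.
FINDINGS = [
    Finding("CVE-0000-0001", 10.0, "lab-vm-01",   "lab-team", 1, False, False, date(2021, 5, 1)),
    Finding("CVE-0000-0002", 10.0, "billing-db",  "db-team",  5, False, True,  date(2021, 3, 10)),
    Finding("CVE-0000-0003",  9.8, "www-edge-01", "web-team", 4, True,  True,  date(2021, 4, 20)),
    Finding("CVE-0000-0004",  9.1, "lab-vm-02",   "lab-team", 1, False, False, date(2021, 5, 15)),
    Finding("CVE-0000-0005",  7.5, "vpn-gw",      "net-team", 5, True,  True,  date(2021, 2, 1)),
    Finding("CVE-0000-0006",  5.3, "billing-app", "web-team", 5, False, False, date(2021, 5, 20)),
]
AS_OF = date(2021, 6, 1)  # reporting date for the scorecard (constructed)

# Assumed remediation SLAs in days per CVSS qualitative rating (not a standard).
SLA_DAYS = {"Critical": 30, "High": 60, "Medium": 90, "Low": 180, "None": 365}


def severity_label(cvss: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def severity_counts(findings) -> dict:
    """What a CVSS-only dashboard shows: a count per severity bucket."""
    counts = defaultdict(int)
    for f in findings:
        counts[severity_label(f.cvss)] += 1
    return dict(counts)


def risk_score(f: Finding) -> float:
    """Hypothetical business-context weighting (an assumption of this example):
    CVSS scaled to 0..1, times asset criticality, doubled if internet-exposed,
    doubled again if exploitation in the wild is known."""
    score = (f.cvss / 10.0) * f.criticality
    if f.internet_exposed:
        score *= 2
    if f.exploited_in_wild:
        score *= 2
    return round(score, 2)


def prioritize(findings) -> list:
    """Findings ordered by business-weighted risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


def is_overdue(f: Finding, as_of: date) -> bool:
    return (as_of - f.first_seen).days > SLA_DAYS[severity_label(f.cvss)]


def owner_scorecard(findings, as_of: date) -> list:
    """Per-owner rows ranked by open weighted risk (overdue count breaks ties),
    so the last row is the team with the most business risk left open."""
    rows = defaultdict(lambda: {"open": 0, "cvss_critical": 0, "overdue": 0, "weighted_risk": 0.0})
    for f in findings:
        r = rows[f.owner]
        r["open"] += 1
        r["cvss_critical"] += int(severity_label(f.cvss) == "Critical")
        r["overdue"] += int(is_overdue(f, as_of))
        r["weighted_risk"] += risk_score(f)
    ranked = sorted(rows.items(),
                    key=lambda kv: (kv[1]["weighted_risk"], kv[1]["overdue"]),
                    reverse=True)
    return [{"rank": i, "owner": owner, **r, "weighted_risk": round(r["weighted_risk"], 2)}
            for i, (owner, r) in enumerate(ranked, start=1)]


if __name__ == "__main__":
    print("CVSS-only view:", severity_counts(FINDINGS))
    print("Business-weighted order:")
    for f in prioritize(FINDINGS):
        print(f"  {f.cve} cvss={f.cvss:4} asset={f.asset:12} risk={risk_score(f)}")
    print("Owner scorecard as of", AS_OF)
    for row in owner_scorecard(FINDINGS, AS_OF):
        print("  ", row)
```

On this constructed data the CVSS-only view reports four criticals, and lab-team holds two of them; the weighted ranking puts a 7.5 on an exposed, actively exploited VPN gateway above both lab-box 10.0s, and the owner scorecard ranks lab-team last by open business risk despite its critical count. The rows are what Lauger would hand to system owners; the ordering and the movement of each owner's weighted risk between reporting dates is the narrative that goes to the board.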
Lauger said heat maps are effective tools to communicate risk to the board, particularly your progress in mitigating risk over time.
“It’s really important to show over time how you’re reducing the risks. And you may not get the risk from red to green, however, you want to display how you’ve moved the bar to the right, that you’ve reduced risk, and you’re moving in the right direction.”