In this Help Net Security interview, Yoav Nathaniel, CEO at Silk Security, discusses the evolution of cyber risk management strategies and practices, uncovering common mistakes and highlighting key components for successful risk resolution.
Nathaniel anticipates a growing pressure on organizations to implement effective cyber risk management programs, driven by regulations such as the SEC's Cybersecurity Disclosure Rule.
For over 25 years, cybersecurity professionals have systematically relied on spreadsheets, emails, and extensive manual risk assessments to resolve cyber risks based on their impact and likelihood of exploitation.
The most common mistake is lacking standardization for cyber risk resolution processes, leading to various security teams duplicating their remediation efforts.
Centralizing risk resolution processes creates organizational clarity, and can save security teams up to 50% of their time.
Another common mistake is not implementing effective processes to factor both threat context and environmental context into cyber risk prioritizations.
We hope to find the 'golden' indicator for which risk will eventually lead to a breach, but until that day, security teams need to holistically incorporate several layers of risk factors to determine business risk and drive justifiable communications.
Effective cyber risk management involves discovering risks and doing something proactively about those risks.
Scanning for more types of IT risks is always recommended, but it's just as important to implement continuous distributed processes to resolve those detected risks.
The key pillars of risk resolution are prioritization, ownership and communication workflows, as well as accurate tracking and comprehensive reporting of all relevant metrics.
Resolving risk has been the most challenging journey for security teams working in distributed environments - this is what has been known as 'the last mile of security.' Newer approaches include unifying risk models and embedding advanced resolution workflows into collaboration systems for more effective communication with IT stakeholders.
Industry analysts at Gartner and Forrester have formulated frameworks that encompass the phases of this risk resolution lifecycle.
Cyber risk management is a team sport - everyone needs to be aware and actively engaged with their own potential risks in order for the organization to have a winning program.
Such cultures are more receptive to metrics and processes that promote cyber risk reduction.
The most successful risk resolution programs incorporate both executive and low-level alignment on security posture and risk appetite.
Executive buy-in, clarity on cyber risk, and scalable processes can improve resolution by more than 50 times and resolve tens of thousands of risks per week.
I've personally led successful F100 cyber risk resolution programs and am now providing a platform for all organizations to manage their cyber risks more effectively.
Regulations such as the SEC's Cybersecurity Disclosure Rule are adding pressure and urgency for organizations to adopt more effective cyber risk management programs, or face material repercussions.
We anticipate cyber risk resolution to gain a lot more attention and for unifying risk resolution platforms to address this.
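The interview describes a unified risk model that removes duplicated remediation effort across tools, prioritizes findings by combining threat context with environmental context, assigns ownership, and tracks metrics. The following is an added illustration of those pillars in working code; it is not code from the interview, from Help Net Security, or from Silk Security. The scanner output, the set of actively exploited CVEs, the asset inventory, the owner names and the scoring multipliers are all constructed sample data and assumed weights, and the CVE identifiers are placeholders rather than real vulnerabilities.

```python
"""Added example (not from the interview or any vendor): a minimal unified
risk model that deduplicates findings from several scanners, scores them with
both threat context and environmental context, assigns an owner, and reports
tracking metrics. All inputs below are constructed sample data."""
from dataclasses import dataclass, field

# Constructed findings as three scanners might report them; note that
# scanner-a and scanner-b both report the same issue on web-01.
RAW_FINDINGS = [
    {"tool": "scanner-a", "asset": "web-01", "cve": "CVE-PLACEHOLDER-1", "cvss": 9.8},
    {"tool": "scanner-b", "asset": "web-01", "cve": "CVE-PLACEHOLDER-1", "cvss": 9.8},
    {"tool": "scanner-a", "asset": "db-01",  "cve": "CVE-PLACEHOLDER-2", "cvss": 7.5},
    {"tool": "scanner-c", "asset": "lab-03", "cve": "CVE-PLACEHOLDER-1", "cvss": 9.8},
]

# Threat context (constructed): placeholder CVEs with known active exploitation.
ACTIVELY_EXPLOITED = {"CVE-PLACEHOLDER-1"}

# Environmental context (constructed): exposure, business criticality, owning team.
ASSETS = {
    "web-01": {"internet_facing": True,  "criticality": "high", "owner": "platform-team"},
    "db-01":  {"internet_facing": False, "criticality": "high", "owner": "data-team"},
    "lab-03": {"internet_facing": False, "criticality": "low",  "owner": "research-team"},
}

# Assumed weights; a real program would tune these to its own risk appetite.
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}
EXPLOITED_MULTIPLIER = 2.0
INTERNET_FACING_MULTIPLIER = 1.5


@dataclass
class Risk:
    asset: str
    cve: str
    cvss: float
    owner: str
    sources: list = field(default_factory=list)
    score: float = 0.0


def unify(findings):
    """Collapse duplicate reports of the same (asset, CVE) into one risk record,
    keeping track of which tools reported it, so each risk is remediated once."""
    merged = {}
    for f in findings:
        key = (f["asset"], f["cve"])
        if key not in merged:
            merged[key] = Risk(f["asset"], f["cve"], f["cvss"], ASSETS[f["asset"]]["owner"])
        merged[key].sources.append(f["tool"])
    return list(merged.values())


def prioritize(risks):
    """Score each risk with base severity, threat context and environmental
    context, then order the backlog from most to least urgent."""
    for r in risks:
        env = ASSETS[r.asset]
        threat = EXPLOITED_MULTIPLIER if r.cve in ACTIVELY_EXPLOITED else 1.0
        exposure = INTERNET_FACING_MULTIPLIER if env["internet_facing"] else 1.0
        r.score = round(r.cvss * threat * exposure * CRITICALITY_WEIGHT[env["criticality"]], 2)
    return sorted(risks, key=lambda r: r.score, reverse=True)


def metrics(raw, risks):
    """Tracking metrics for reporting: how much duplication was removed and
    how the remaining work is distributed across owners."""
    by_owner = {}
    for r in risks:
        by_owner[r.owner] = by_owner.get(r.owner, 0) + 1
    return {
        "raw_findings": len(raw),
        "unique_risks": len(risks),
        "duplicates_removed": len(raw) - len(risks),
        "by_owner": by_owner,
    }


if __name__ == "__main__":
    backlog = prioritize(unify(RAW_FINDINGS))
    for r in backlog:
        print(f"{r.score:6.2f}  {r.asset:7} {r.cve:18} owner={r.owner} sources={r.sources}")
    print(metrics(RAW_FINDINGS, backlog))
```

With these constructed inputs, the internet-facing web server with an exploited vulnerability ranks first, while the same vulnerability on a low-criticality, internal lab host ranks below a lower-severity finding on the internal production database; that reordering is the effect of environmental context that a plain CVSS sort would miss.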
This Cyber News was published on www.helpnetsecurity.com. Publication date: Mon, 15 Jan 2024 05:13:06 +0000