CISO Risk Registry: Getting Risk Tolerance and Technology Capabilities in Equilibrium
Gigamon on Gigamon: Learn why it’s critical to sync your risk tolerance and technology capabilities to help prevent data breaches.
Breaches rarely result from a single mistake; they usually happen because an organization’s risk tolerance is out of sync with its technological capabilities.
Of course, risk tolerance varies from company to company, especially as network behavior can differ dramatically from vertical to vertical. If you’re a hospital holding sensitive patient records, you’re regulated by HIPAA. If you process card payments, PCI DSS applies; if you’re a publicly traded company, SOX applies as well. For other companies, there may be a significant reputational component to risk tolerance. For example, a stock brokerage may base its tolerance on how people – shareholders, the CEO, the board – perceive it. A breach that changes sentiment about the company could be more damaging than one that results in data loss.
Still, no matter the vertical, nearly every organization has numerous business units – HR, marketing, sales, IT and so on – each with different requirements that call for different technologies to support the business; and every one of those technologies brings its own increment of risk.
Too often, these technologies are evaluated in isolation, where the small amount of risk each one adds may not seem so bad. But when groups across the organization, running hundreds of different applications and technologies, each take on a little incremental risk, the sum can be more risk than you can handle. There is also the potential for compounded risk, where a weakness in one piece of software inadvertently exposes another – a perfect scenario for attackers who chain exploits together and pivot.
What’s Your Tolerance for Risk?
Almost every recent large breach has been at a company subject to some compliance regime. Target was assessed as PCI-compliant, yet it was still breached. The Office of Personnel Management (OPM), as a federal agency, was required to follow NIST SP 800-53, yet it was breached. In other words, controls on paper alone do not equal security.
Fundamentally, your tolerance for risk needs to be in sync with your technical capability to manage and measure risk. Every control you put in place on paper must have matching technical support.
As a CISO, for instance, I should never issue a set of controls without the technological wherewithal to support them. If I require that passwords be 25 characters long, mixed case, changed every week and never written down, I have just written a control that nobody can follow without a password manager. To keep policy and capability in equilibrium, I need to deploy that tool alongside the control.
Without the technology to support your controls, someone will circumvent or subvert them to get the job done. When that happens, you end up with a new set of risks you don’t even know about, because people are out there finding ways around your controls – and there is no hope of securing an environment you can’t see.
For example, if I block Dropbox but don’t provide an alternative file-sharing solution, people may work around the restriction by copying files onto USB drives and passing them around, and end up infected.
Measure Incremental Risk in a Risk Registry
The amount of incremental risk you take on matters. If you aren’t managing it across the organization and don’t know the total risk you carry, you can’t understand your level of exposure.
At Gigamon, we use a risk registry to measure incremental risk across business units. Every risk we carry – whether it’s the number of times a machine has been infected with malware, a service that lacks two-factor authentication or a network that lacks segmentation – is assigned an owner who must sign off on it every quarter.
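To make the registry concrete, here is an added example in Python; it is not Gigamon’s tooling and not code from the original post. The 1–5 likelihood and impact scales, the 91-day sign-off window, the tolerance thresholds and the sample entries are all assumptions constructed for illustration. It sums the increment each business unit adds, flags entries whose owner has not signed off within the quarter, and shows the isolation problem described above: each unit can sit under its own tolerance while the organization as a whole exceeds its tolerance.

```python
"""Minimal risk registry: incremental risk per business unit plus
quarterly owner sign-off tracking.

Added example. The scoring scale, sign-off interval, tolerances and
sample entries below are constructed assumptions, not real data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Assumption: a risk must be re-accepted by its owner at least quarterly.
SIGNOFF_INTERVAL = timedelta(days=91)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    business_unit: str
    description: str
    owner: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                # 1 (negligible) .. 5 (severe), assumed scale
    last_signoff: Optional[date]  # None: no owner has ever accepted it

    def __post_init__(self) -> None:
        # Reject out-of-scale entries so a typo cannot hide a large risk.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: likelihood/impact must be 1..5")

    @property
    def score(self) -> int:
        # Simple likelihood x impact; the increment this entry adds.
        return self.likelihood * self.impact


def risk_by_unit(registry: Iterable[Risk]) -> Dict[str, int]:
    """Sum of risk scores per business unit."""
    totals: Dict[str, int] = {}
    for r in registry:
        totals[r.business_unit] = totals.get(r.business_unit, 0) + r.score
    return totals


def total_risk(registry: Iterable[Risk]) -> int:
    """Organization-wide sum: the number that is invisible when
    each unit is reviewed in isolation."""
    return sum(r.score for r in registry)


def overdue_signoffs(registry: Iterable[Risk], today: date) -> List[str]:
    """IDs of risks whose owner has not signed off within the interval
    (or never has)."""
    return [
        r.risk_id
        for r in registry
        if r.last_signoff is None or today - r.last_signoff > SIGNOFF_INTERVAL
    ]


def tolerance_report(registry: Iterable[Risk], unit_tolerance: int,
                     org_tolerance: int) -> Dict[str, object]:
    """Compare each unit and the whole organization against tolerances."""
    per_unit = risk_by_unit(registry)
    return {
        "units_over": sorted(u for u, s in per_unit.items() if s > unit_tolerance),
        "org_over": total_risk(registry) > org_tolerance,
    }


# Constructed sample entries (hypothetical units, owners and dates).
SAMPLE_REGISTRY: List[Risk] = [
    Risk("R-001", "IT", "No two-factor authentication on VPN", "it-lead",
         4, 5, date(2024, 1, 15)),
    Risk("R-002", "IT", "Flat network, no segmentation", "it-lead",
         3, 5, date(2024, 3, 1)),
    Risk("R-003", "Marketing", "Unmanaged SaaS file sharing", "mkt-lead",
         3, 3, None),
    Risk("R-004", "HR", "Repeated malware infections on shared laptop",
         "hr-lead", 4, 3, date(2024, 2, 20)),
    Risk("R-005", "Sales", "CRM export emailed unencrypted", "sales-lead",
         2, 4, date(2023, 11, 30)),
]
REVIEW_DATE = date(2024, 4, 30)  # constructed quarterly review date

if __name__ == "__main__":
    print("per unit:", risk_by_unit(SAMPLE_REGISTRY))
    print("total:", total_risk(SAMPLE_REGISTRY))
    print("overdue sign-offs:", overdue_signoffs(SAMPLE_REGISTRY, REVIEW_DATE))
    print(tolerance_report(SAMPLE_REGISTRY, unit_tolerance=40, org_tolerance=50))
```

With the sample data, no single unit exceeds a per-unit tolerance of 40, yet the organization’s total of 64 exceeds an organizational tolerance of 50: the aggregate view is what the registry exists to provide. The overdue list is what the quarterly sign-off rule turns into an actionable report.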
To learn more about risk registry reporting – and how tricky it can be – tune into our webinar “How to Use a Risk Registry to Track Risk and Protect Assets.” A risk registry contains great information, but slicing, dicing and reporting on it is another thing altogether.