5 key capabilities for effective cyber-risk management (original) (raw)
Faced with relentless cyberattacks, organizations need to shore up their cyber-risk management programs by updating legacy tools and checking out new vendor options.
By
- David Vance
- Enterprise Strategy Group
We provide market insights, research and advisory, and technical validations for tech buyers.
As organizations are increasingly bombarded with cyberattacks, and with CISOs' jobs on the line, there is increased focus on cyber-risk. In 2024 alone, large data breaches have involved millions of patient records exfiltrated from multiple U.S. healthcare providers and, more recently, AT&T where "nearly all" customer call and text records were stolen.
These are notable examples, but how many other cyberattacks have taken place that aren't publicly disclosed and fly under the radar? In this post, I will describe current pressures and the actions organizations need to take to successfully manage cyber-risk.
5 key areas to improve cyber-risk management
1. Asset visibility and management
Securing the environment starts with complete asset visibility because it is impossible to secure what you can't see. Common visibility challenges with IT assets include unified visibility across hybrid environments, duplicate IT asset data and siloed or out-of-date asset databases.
In fact, according to 2023 research from TechTarget's Enterprise Strategy Group, "Security Hygiene and Posture Management Remains Decentralized and Complex," nearly all (95%) respondents surveyed had challenges related to fully understanding their organization's IT asset inventory, and nearly one-third (32%) said they use at least 11 different databases, systems and tools for security asset management. This is common problem that needs to be fixed.
To gain a complete view of IT assets in order to secure them, organizations should adopt products that support a unified view, such as security asset management systems that gather data by connecting to configuration management databases, attack surface management tools, vulnerability management platforms and more through APIs. The best options add data analysis, risk scoring and flexible interfaces for role-based use cases.
David Vance
2. Business context
Building on asset visibility, it's crucial that security teams identify which IT assets and applications are the most important, of the highest value and, therefore, present the most risk to the business. To do this, security teams need to understand business context across all IT assets and applications. Historically, one of the major drawbacks legacy security tools have had is that they are blind to business context.
From the same research, more than half (56%) of organizations claimed they sometimes struggle to understand which assets are business-critical.
Fortunately, security vendors -- especially vulnerability management and application security posture management vendors -- have begun to incorporate business context capabilities by adding the ability to classify or categorize critical IT assets and applications that present the most risk to the business. Security teams need to employ products that support business context in order to prioritize securing the highest-value IT assets and applications.
3. Improving vulnerability prioritization
Legacy vulnerability assessment scanners and application testing tools (e.g., SAST, SCA and DAST) have traditionally had limitations for prioritizing discovered vulnerabilities. The process to prioritize vulnerabilities from these tools can be tedious, and it commonly requires manually exporting results to CSV files and using spreadsheets, which is slow and prone to human error. This process gets more challenging in larger enterprise environments with more IT assets and larger application codebases that generate more scan results.
Over the years, security vendors have improved capabilities in this area by adding support for prioritizing vulnerabilities by CVSS score. As recently as 2021, some vendors have further improved their products by adding vulnerability prioritization by Exploit Prediction Scoring System (EPSS) score to address the limitations of prioritizing by CVSS. Product advancements, such as the ability to prioritize vulnerabilities by CVSS and EPSS score, are a step in the right direction, but they are still not sufficient to keep pace with today's modern IT environments that have an increasing number of applications, IT assets and attack surfaces across hybrid and cloud environments.
Also from the research, 68% of respondents said that while they understand the importance of security hygiene and posture management, it's difficult to prioritize the actions that can have the biggest impact on risk reduction. Even though they might have products in place to provide alerts on vulnerabilities, security teams need to ensure they can prioritize and take remediation actions in time to stay ahead of attacks and threats.
With newer advancements in this area, security teams should look for options that incorporate other important aspects, including support for business context and threat intelligence showing active exploits. This enables security teams to make the most impact by addressing the highest-risk vulnerabilities on the most critical IT assets and applications instead of relying on legacy methods simply prioritizing vulnerabilities by criticality or severity.
4. Continuous automation
Historically, security processes have been built around legacy security tools and how they operated fundamentally. For example, security teams would perform point-in-time penetration tests or vulnerability scans on a periodic or ad hoc basis -- perhaps monthly or quarterly. Security teams would use those types of tools to perform scans, generate results, remediate discovered issues and repeat the process on an ongoing basis.
We've seen evolution in this area as security vendors have added the notion of continuous monitoring into their products. Instead of ad hoc or point-in-time scans, tools integrate into the environment and operate on a continuous basis. For example, penetration vendors have added the capability to continuously monitor the environment for the same tests that legacy point-in-time penetration testing has provided. The ability for tools to operate continuously and in an automated matter is important because it fundamentally eliminates the time gap between traditional scans. Overburdened security teams can benefit massively from products that include continuous monitoring since the inherent automation reduces the manual effort typically required for manual scans.
5. Cyber-risk quantification
CISOs are responsible for the organization's security posture and communicating associated cyber-risk to executive management and the board of directors. Quantifying cyber-risk in terms of monetary amounts can be extremely complicated and requires specialized expertise. Because of the complexities involved, organizations commonly use third-party risk assessments or consultants to assist with this process.
Cyber-risk quantification is an exciting and emerging new capability that security vendors are beginning to incorporate into security offerings. Security tools with this capability will have access to key data, such as IT asset data and associated vulnerabilities. They also correlate business context and costs associated with the business in order to calculate and quantify risk in terms of monetary amounts so business leaders can make informed decisions about whether to invest in resources that secure and protect the environment. Once adopted, this new capability can be a game changer since organizations can effectively manage and own their risk quantification data to make faster decisions without going through a laborious and expensive risk assessment on a periodic basis.
Addressing cyber-risk management continues to be a top concern for organizations. Legacy security tools and processes need to be updated to support today's modern IT environments. By addressing these areas, organizations can more successfully manage cyber-risk to support their business and enable growth.
David Vance is a senior analyst covering risk and vulnerability management for TechTarget's Enterprise Strategy Group. He has more than 25 years of IT and cybersecurity experience helping clients be more successful in the market.
Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.