It is often said that security professionals aren’t in the job of security. Their job is managing risk.

But understanding what your risk is and managing it seems so amorphous. How are business activities introducing risk? What is your risk tolerance? What security controls should you apply to lower the risk? How do you even know if any of your actions are doing their job of lowering and maintaining risk levels?

That very last question could be the barometer of how well security is doing its job providing value to the business. Here’s some advice on how to do just that.

Thanks to our sponsor, Reciprocity

ZenGRC by Reciprocity is an award-winning, cloud-based GRC software that automates and simplifies compliance and risk management, solving critical problems at scale while customizing to your business needs. Adhering to the majority of regulations is a snap with pre-built templates and a unified system of record. Learn more about information security risk management at reciprocitylabs.com.

Editor’s note: This article is part of CISO Series’ “Topic Takeover” program. While the article sponsor, Reciprocity, and our editors agreed on the topic of risk management, all production and editorial is fully controlled by CISO Series’ editorial staff.


1: Do not pass “GO” until you know your risk tolerance

“Without understanding, at the most basic level, just how many computers can be out and for how long before it seriously impacts the bottom line financially then how on earth can the organization even begin to think about their risk in terms of contingency planning and other aspects,” asked Nick Espinosa (@NickAEsp), CIO, Security Fanatics. “Every organization needs to understand their risk tolerance.”

2: Build a foundation first. It holds everything else up.

“Think of it like building a house,” said Nir Rothenberg, CISO, Rapyd. “You always start with the foundations and invest heavily in them, since they hold the whole thing up. Then with additional money you can invest in some curtains or decorations.”

The 20 CIS controls follow the same pattern. If you were to address each one in order, they begin with foundational items and then the recommendations get more specific, and potentially more elective.

3: Remove business blinders and embrace the critical mission

“Security practitioners occasionally can live in our own echo chamber and can lose sight of what matters most to our company,” admitted Chris Hymes (@secwrks), vp, InfoSec and enterprise IT, Riot Games.

“Restate the challenge into a business risk perspective,” said Steve Zalewski, deputy CISO, Levi Strauss. “In our case: ‘How are the cyber attackers impacting my ability to sell jeans?’”

Go beyond the overview response and drill down by adding context. How would each specific business line (e.g., wholesale, retail, ecommerce) suffer from a security incident? asked Zalewski.

Hymes said his security team gets a better understanding through conversations with senior leadership. To get the conversation going, security presents a list of 10 significant risks and asks the executives to stack rank which ones are the most important to mitigate. This often surfaces risks the security team hadn’t even thought of.

“This exercise has several benefits,” said Hymes. “It forces the security team to think of risk in business terms. It reminds senior leadership why they invest in a security team.”

But what’s most valuable, noted Hymes, is it unifies business and security. They form a joint action plan with security no longer being viewed in a silo.

4: Don’t measure anything until you agree on the formulas and variables

Not only are there no absolutes in risk, there are also different formulas to measure risk.

“Define how your organization is going to determine risk and what data then feeds into that equation,” said Peter Liebert, former CISO, state of California and now CEO, Liebert Security.

While there are different risk equations, there are also different ways to feed variables into each equation, plus different ways to measure outcomes. It all adds up to a multitude of issues that everyone has to agree upon. There are ways though to tell if you’re picking the right variables and measurements.

“Identify key risk indicators (KRIs) for each of your risks. These are things that would indicate to you whether that risk is getting better, or getting worse,” said Marnie Wilking (@mhwilking), global head of security & technology risk management, Wayfair. “They have to be measurable such as number of vulnerabilities, number of confirmed incidents, number of regrettable developer losses, and number of password resets.” 

5: Metrics should demonstrate how you’re battling risk

“How are you showing that this tool is buying down the risk,” asked Ross Young, CISO, Caterpillar Financial Services Corporation. “If you’re not able to paint that the tool is working then the tool is not working or the metric is not working.”

“Measurements are critical to ensure your understanding of the scope of a control is actually its scope and the control prevents or detects the things you think it should,” said Taylor Lehmann (@BostonCyberGuy), co-founder, SideChannel Security.

Mark Butler (@mbinc), advisory CISO, Trace3, suggested looking at measures such as dwell time and mean time to detect/to respond/to recover. Once you have those, you should be able to measure and set goals against risk reduction over time.
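An added example, not code from the article or from any of the CISOs quoted, of turning the indicators named in points 4 and 5 (number of confirmed incidents, dwell time, mean time to detect, respond and recover) into numbers that can be tracked from one period to the next. The incident records, their field names and the quarter labels are constructed for the illustration; the definitions of each interval are stated in the comments and are assumptions, not the article's.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data). Each timestamp marks a
# stage of one incident; all times are ISO 8601 without timezone for brevity.
INCIDENTS = [
    {"id": "INC-1", "quarter": "Q1", "compromised": "2021-01-04T09:00",
     "detected": "2021-01-18T09:00", "contained": "2021-01-19T09:00", "recovered": "2021-01-22T09:00"},
    {"id": "INC-2", "quarter": "Q1", "compromised": "2021-02-01T08:00",
     "detected": "2021-02-11T08:00", "contained": "2021-02-11T20:00", "recovered": "2021-02-13T20:00"},
    {"id": "INC-3", "quarter": "Q2", "compromised": "2021-04-05T10:00",
     "detected": "2021-04-08T10:00", "contained": "2021-04-08T16:00", "recovered": "2021-04-09T16:00"},
    {"id": "INC-4", "quarter": "Q2", "compromised": "2021-05-10T12:00",
     "detected": "2021-05-12T12:00", "contained": "2021-05-12T16:00", "recovered": "2021-05-13T04:00"},
    {"id": "INC-5", "quarter": "Q2", "compromised": "2021-06-01T00:00",
     "detected": "2021-06-01T12:00", "contained": "2021-06-01T14:00", "recovered": "2021-06-02T02:00"},
]

TIME_FORMAT = "%Y-%m-%dT%H:%M"


def hours_between(start, end):
    """Elapsed hours between two timestamps in the record format."""
    delta = datetime.strptime(end, TIME_FORMAT) - datetime.strptime(start, TIME_FORMAT)
    return delta.total_seconds() / 3600


def kri_summary(incidents, quarter):
    """Key risk indicators for one period. Interval definitions used here (assumed):
    dwell / time to detect = compromise -> detection,
    time to respond        = detection  -> containment,
    time to recover        = containment -> recovery."""
    period = [i for i in incidents if i["quarter"] == quarter]
    if not period:
        return None
    dwell = [hours_between(i["compromised"], i["detected"]) for i in period]
    return {
        "confirmed_incidents": len(period),
        "mttd_hours": round(mean(dwell), 1),
        "max_dwell_hours": round(max(dwell), 1),
        "mttr_hours": round(mean(hours_between(i["detected"], i["contained"]) for i in period), 1),
        "mttrec_hours": round(mean(hours_between(i["contained"], i["recovered"]) for i in period), 1),
    }


def kri_trend(incidents, before, after):
    """Change in each indicator between two periods; a negative delta on a
    time-based indicator means it improved."""
    b = kri_summary(incidents, before)
    a = kri_summary(incidents, after)
    return {key: round(a[key] - b[key], 1) for key in b}


if __name__ == "__main__":
    for q in ("Q1", "Q2"):
        print(q, kri_summary(INCIDENTS, q))
    print("Q1 -> Q2", kri_trend(INCIDENTS, "Q1", "Q2"))
```

Note how the count of confirmed incidents rises from Q1 to Q2 while every time-based indicator falls: an indicator such as "number of confirmed incidents" only says whether risk is getting better or worse when read alongside the detection numbers, since better detection also finds more incidents.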

6: Measure specific to your industry

Mitch Parker (@mitchparkerciso), CISO, Indiana University Health, uses patient engagement as a key risk metric.

“Healthcare is based upon repeat customers for many services,” said Parker. “An adverse action such as a breach could result in patients deciding to take their business elsewhere.”

“How do these capabilities compare relative to our peers? We want to be better than our peers in all areas,” said Adrian Ludwig, CISO, Atlassian.

For example, Atlassian might ask how its vulnerability remediation timelines (based on CVSS scores) compare to those of other SaaS-based companies. While feedback from his own security staff is valuable, Ludwig looks to outside consultancies that are better equipped to pinpoint gaps that need remediation.

7: Prioritize since there isn’t a lot of you or your money to go around

“Even though the goal is to deploy a strategic framework, you need to start somewhere, and that starting place is obviously at the most crucial business asset,” said Mike D. Kail (@mdkail), CTO, Everest.org in an article on Medium.

“Ensure that you have completed a crown jewels assessment and that you disproportionately focus your resources and budget on protecting crown jewel assets,” said Rich Mason, president and CSO, Critical Infrastructure.

“Have peers from the other business units involved in helping you prioritize which risks you work on first,” said Gary Hayslip (@ghayslip), CISO, Softbank Investment Advisers. “Which ones provide the most value to the business?”

8: Be a cyber cartographer – always be reading the landscape

“Identification, to assessment, to classification of a given risk dictates the service level agreement (SLA) of mitigating and/or remediating the risk,” said Scott McCormick, CISO, Reciprocity. “By maintaining a risk register it gives you a top-down view and allows historical tracking of whether the company is managing risk effectively.”

“We need more security mapmakers,” said Critical Infrastructure’s Mason. “We need people who can answer the questions: Where are we? What is the terrain and the noteworthy resources to leverage? Where are we heading? What is the shortest/best path? Are we there yet? How do we know?”

“Risks must be documented in one place to ensure you’re allocating resources against known risk in a prioritized manner,” noted Nina Wyatt, CISO, Sunflower Bank.

“Allocating resources against risk posture starts with making sure you have a complete view of your risk posture beyond purely questionnaire/interview style assessments,” said Chris Hatter, CISO, Nielsen.

9: Measure. Wait. Measure again.

“Anything related to risk management should be considered a living entity,” said Security Fanatics’ Espinosa.

“Once an investment has been justified financially, we track more closely the tactical effects of the changes to make sure we’re actually moving the needle, and then we re-run the risk analysis to measure whether the expected risk reduction we planned for is actually materializing,” said Ian Amit (@iiamit), CSO, Cimpress.

You will know if you’re effectively managing risk if risks are documented with associated remediation plans, said Espinosa. Plus, those plans will have a maturity program aligned with personnel, skills, budget, and corporate priorities.

“This is a ‘rinse and repeat’ type of operation,” said Atlassian’s Ludwig. “We never want our level of risk management (in any area) to decline over time.”

10: Ask yourself, “What’s the ROI in risk reduction?”

“Identify a total cost around each key safeguard activity (people, licensing costs, and IT infrastructure costs) you need to perform,” said Caterpillar Financial’s Young.

“Apply the ‘good enough’ lens to the analysis to determine what is the minimum we can do to bring the risk to a tolerable level,” suggested Levi Strauss’ Zalewski.

“If the cost is higher than the risk reduction, that initiative is obviously weighted unfavorably and either a different approach is needed, or the risk reduction isn’t worth investing in,” added Cimpress’ Amit.

11: Align risk management with resource allocation

As you identify areas of weakness, Trace3’s Butler recommends reallocating resources based on a skills analysis, and potentially on other roles. If the resources are insufficient, should you bring in third-party partners to help execute?

12: Know your baseline and test against it… repeatedly

“If risk is accurately quantified for the organization, the gaps are understood and can be remediated,” said Security Fanatics’ Espinosa. “Periodically stress test to ensure the validity of plan (and its solutions).”

“Without baselines or starting points, you are just throwing resources against tools and hoping that the data is relevant,” added Trace3’s Butler.

Utilize continuous attack surface testing (CAST), recommended Critical Infrastructure’s Mason.

“Testing validates whether or not our investments and actions are having the desired effect,” said Nielsen’s Hatter.

13: Don’t rely on questionnaires. Test with a third party.

If you engage a third party, as many CISOs recommend, the process will begin with a number of questions about the technologies currently deployed.

You may provide a list of tools, but you can’t just accept an answer on a questionnaire.

“Put these answers to the test through technical validation,” said Nielsen’s Hatter who works with a third party to run a battery of tests of their security program’s efficacy.

“An external view (third party) is critical here, because otherwise it’s very easy to get locked into siloed thinking and start to focus on things that, while you may consider them to be important, in the grand scheme of things may not be,” added Quentyn Taylor, director of information security, Canon for Europe.

14: Change only one parameter at a time

“Risk is a complex function, and trying to change too many parameters may leave you with uncertainty as to the efficacy of the actions associated with the changes. You optimally want to be able to change one parameter at a time, quickly validate its effect, and move on to the next – giving you a more specific ROI for each parameter, as well as to the overall efforts around that risk,” said Cimpress’ Amit.

15: Set up a maturity roadmap for everyone to see

“The plan isn’t a secret – it is to be shared with anyone and everyone that will support the follow-through and success,” noted Sunflower Bank’s Wyatt. “Relating resources to maturity objectives is essential… any indication of ineffective resource management should prompt you to pivot, redirect, reprioritize, recommunicate, or recalibrate maturity targets and plans.”

16: Psst… Your risk is also not a secret

“Don’t shy away from sharing risk information. Risks should be viewed more as opportunities than weaknesses,” said Sunflower Bank’s Wyatt. “People shy away from sharing the why. Why is this important? Why does this need addressed? Why does it need to be done at this time? Why will this bring value to our organization, stakeholders, or customers? Sharing the ‘why’ will garner commitment beyond your team, raise the organization’s level of awareness, all the while ensuring supportive resources can plan and prioritize accordingly to expend resources to effectively reduce or mitigate risk.” 

17: Don’t try to figure this out yourself

Lean on your community. Companies that use your product, sister companies, and even competitors all are gathering threat intelligence. If their business is similar to yours, much of what’s in their risk portfolio will be similar to yours.

“We meet bi-weekly with CISOs from our companies to share threat intel, best practices, and lessons learned,” said Alex Manea, CISO, Georgian. “This community-focused approach helps us efficiently allocate resources and determine how effectively they help our companies not only manage risk, but ultimately continue to grow and prosper.”

18: Set controls against specific threats and test

Each business has its own internal value, its value to its customers, and different attacks that can threaten that value.

“For example, a ransomware attack is a form of threat that can impact the availability of a hospital to provide care,” noted Yaron Levi (@0xL3v1), CISO, Blue Cross and Blue Shield of Kansas City. “If the hospital is not available to treat patients or if the data integrity is compromised (wrong allergy or blood type information), people can die!”

Although its operations were reportedly shuttered recently, Maze ransomware is a high threat targeting hospitals. Fortunately, the characteristics or tactics, techniques, and procedures (TTPs) of Maze ransomware are fairly well known.

“For each TTP, there is a countermeasure (a.k.a. control). This control is mapped to a capability which is how the control will be implemented via people, process, and technology,” said Levi. “After the controls are implemented, one should continuously run attack simulations to test the controls efficacy.”

19: Run Monte Carlo Risk Analysis

“The future cannot be predicted with certainty, it is all about probabilities,” said Suzie Smibert, former CISO, Finning International.

Smibert likes using Monte Carlo simulations because they are designed for risk analysis: they build models of possible results by substituting a range of values for any factor that has inherent uncertainty. That ‘range of values’ is expressed as a probability distribution, typically a bell curve.

From her experience, Smibert found this to be a more realistic way of describing uncertainty as opposed to just asking people for their gut response.

“I found [using Monte Carlo simulations for risk analysis] removes a lot of the ‘feelings’ associated with quantifying risks,” added Smibert. “You say the very best and very worst potential outcomes and then run probability analysis. I found that it brings more credibility as it is rooted in math and isn’t so subjective.”
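The Monte Carlo analysis Smibert describes (state the very best and very worst outcomes, then run probability analysis) and the cost-versus-risk-reduction test from point 10 can be carried out with a few dozen lines. The example below is added here and is not Smibert's, Young's, Amit's or the article's code. The scenario figures, the hypothetical control and its annual cost, the reading of the best/worst range as a 90% interval, and the choice of a Poisson distribution for event frequency and a lognormal distribution for loss per event are all assumptions made for the illustration.

```python
import math
import random

# Constructed scenario (not from the article): one threat with uncertain
# frequency and impact, before and after a hypothetical backup/restore control
# that narrows the impact range but does not change how often events occur.
BASELINE = {"freq_per_year": 0.5, "best_case": 50_000, "worst_case": 5_000_000}
WITH_CONTROL = {"freq_per_year": 0.5, "best_case": 20_000, "worst_case": 1_000_000}
CONTROL_COST_PER_YEAR = 150_000  # assumed: people, licensing and infrastructure per year

Z_90 = 1.6449  # z-score bounding a two-sided 90% interval (5th to 95th percentile)


def lognormal_params(best_case, worst_case):
    """Map a 'very best / very worst' loss range, read as a 90% interval,
    onto the mu and sigma of a lognormal distribution (the 'bell curve' in log space)."""
    mu = (math.log(best_case) + math.log(worst_case)) / 2
    sigma = (math.log(worst_case) - math.log(best_case)) / (2 * Z_90)
    return mu, sigma


def poisson_draw(rng, rate):
    """Number of events in one simulated year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_loss(scenario, trials=20_000, seed=7):
    """Monte Carlo: for each simulated year draw how many events occur, then a loss
    for each event; returns the sorted list of simulated annual losses."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mu, sigma = lognormal_params(scenario["best_case"], scenario["worst_case"])
    annual = []
    for _ in range(trials):
        events = poisson_draw(rng, scenario["freq_per_year"])
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    annual.sort()
    return annual


def summarize(annual_losses):
    """Expected annual loss plus tail percentiles, the figures a board can act on."""
    n = len(annual_losses)
    return {
        "expected": sum(annual_losses) / n,
        "p50": annual_losses[n // 2],
        "p95": annual_losses[int(n * 0.95)],
        "p99": annual_losses[int(n * 0.99)],
    }


def control_roi(baseline_losses, control_losses, control_cost):
    """Expected-loss reduction bought by a control, set against its yearly cost."""
    reduction = summarize(baseline_losses)["expected"] - summarize(control_losses)["expected"]
    return {
        "risk_reduction": reduction,
        "control_cost": control_cost,
        "net_benefit": reduction - control_cost,
        "worth_it": reduction > control_cost,
    }


if __name__ == "__main__":
    base = simulate_annual_loss(BASELINE)
    ctrl = simulate_annual_loss(WITH_CONTROL)
    print("baseline     ", {k: round(v) for k, v in summarize(base).items()})
    print("with control ", {k: round(v) for k, v in summarize(ctrl).items()})
    print("control ROI  ", {k: (round(v) if isinstance(v, float) else v)
                           for k, v in control_roi(base, ctrl, CONTROL_COST_PER_YEAR).items()})
```

Two things the simulation shows that a gut estimate does not: with an event rate of 0.5 per year the median simulated year has zero loss while the expected annual loss is in the hundreds of thousands, so "typical year" and "budget for" are different numbers; and the 95th and 99th percentiles make the worst-case conversation concrete. The ROI comparison is the arithmetic from point 10, with the expected-loss reduction estimated from the two simulations rather than asserted.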

20: Sell the threat/remediation package to obtain funding to mitigate

“Sell the threat, cost, and metric to the organization to obtain funding,” said Caterpillar Financial’s Young. “If the business accepts the risk of not having this counter measure, it’s important to get that in writing.”

21: Begin not with the biggest problem, but the most persistent

“I’ve focused more on addressing risks that have high and moderate impact but high frequencies, these are typically ‘noise’ that if you can eliminate you get time back from not having to fight fire drills,” said SideChannel Security’s Lehmann. “Generally speaking, the ‘noisiest’ areas are weak email hygiene, weak authentication, and weak vulnerability management… Once noise is under control, you can shift tactics to focus resources more on high impact, low frequency events, and move those off the table accordingly.”

22: Can you accurately answer the economic and ethical questions?

“IT is economics and security is ethics,” said Davi Ottenheimer (@daviottenheimer), vp, trust and digital ethics, Inrupt. “Calculating risk spend is an economics exercise and therefore is better handled under the IT umbrella. Questions like ‘How many systems are offline and for how long because of attacks?’ are the sort of thing that should be constantly documented by the IT team. They have an economic interest in lowering downtime, yet also an economic interest in reducing uptime. The security team however should help the business answer more difficult questions like ‘Is the number of unavailable systems at an acceptable level for requirements set by authorities?’ where an authority has to be defined and could be anyone from the CEO to a customer.”

CONCLUSION: Risk is an inevitability, but confusion is not

“Risk management should never create overwhelming overhead in time, energy, and financial/technical resources,” said Security Fanatics’ Espinosa. “Keep it simple.”

The point of the risk management exercise is to simplify operations and to prepare for the expected and unexpected.

“The only way that you can start to identify if you are effectively managing risk is by end results,” said Canon’s Taylor. “That doesn’t mean to say that incidents do not happen but that if an incident does happen it does not take a path that was unexpected, or a path that consumes significantly more resources than you had anticipated.”

Risk management is all about knowing what you’re in for and making sure the business understands and prepares for it.


The opinions expressed within this article by Nina Wyatt are hers alone and are not associated or representative of her professional network, associations, or her employer, Sunflower Bank.

Creative Commons attribution to Bill Selak.