New ways to think and speak risk

Since we are all creatures of habit, we sometimes need a little reminder that change is good. Though we often benefit from trying something a little different, a little outside of our comfort zones, it’s not usually our first inclination to mix things up a bit, especially in cybersecurity.

But, many in the industry, including Steve Grossman, vice president strategy and enablement at Bay Dynamics, are realizing that security practitioners need to find a new way to think about security. They need to get out of the technology mindset and learn the new language of risk.

“As security practitioners who came out of technical organizations, which is how it happened way back when, most of us think of security in terms of technology. How many firewalls? Packets? Incidents?” Grossman said.

In reality, security is really a risk management problem. There are too many incidents and too many attackers for the defenders who hope to close every vulnerability and stop every threat.

So what new strategies can security practitioners use to help them think and speak risk? Here are five tips from Grossman:

1. Learn and internalize the definition of risk. Risk is the intersection of threat, vulnerability, and impact. If all three are not present, there is no risk. If they have an open safe, the safe is vulnerable because it’s open, but they also need someone to rob it, or there is no threat. Similarly, if nothing is in the safe, there’s no vulnerability because unless there is something of high value, they don’t worry about someone getting in. 

It’s about prioritization versus absolutes. So many people want to stop every threat and close every vulnerability, but the name of game is prioritizing so that they know where to invest their resources. First, focus on those things that have the greatest risk.

2. Focus on business impact first. Know their assets and the impact to their business if those assets and their confidentiality, integrity, or availability is compromised. The marketing website has a much lower impact on the business than losing their trading system. Knowing the assets will help those technically oriented practitioner focus on the full picture of risk because they are already thinking in technical terms of threats and vulnerabilities. What is most often left out is business impact.

3. Speak in terms of risk. When talking to business stake holders, don’t talk about the number of vulnerabilities that have been patched. Talk about the amount of risk that has been reduced. If there were 100 critical vulnerabilities patched on the marketing system, but they have not patched one medium risk on the trading system, then those numbers don’t really mean anything. Pure numbers in the absence of context don’t really matter, so the best thing they can do is talk in terms of dollars and sense. 

4. When making decisions don’t think in silos but think about the alignment of threat and vulnerability. If they are not vulnerable to a threat, then they need to worry a lot less about that threat. I’m not saying don’t patch a vulnerability, but they are going to protect their most valuable assets. If they are rolling out a data loss prevention system, start with those departments that handle valuable data. If they are asking what is the most important thing for them to do today, the answer is going to be what will reduce their risk the most. 

If they only have laptops that don’t have USB ports, then don’t worry about end point protection that stops USB exploits.

5. Measure, measure, measure. If they are not measuring, they might be looking at the wrong thing. They can’t know how they are doing if they aren’t measuring, and that has to be done in the context of business impact and threats. Always be measuring, thinking and talking in the context of risk.