CISOs are no longer only responsible for the cybersecurity of systems used internally. In many organizations they also focus on securing products and public-facing applications, and one way to do this well is through risk assessment.

Assessing risk requires identifying baseline security criteria around key elements such as customer contracts and regulatory requirements, Neil Lappage, partner at LeadingEdgeCyber and ISACA member, tells CSO. “From the start, you’ve got things you’re committed to such as requirements in customer contracts and regulatory requirements and you have to work within those parameters. And you need to understand who your interested parties are, the stakes they’ve got in the game, and the security objectives.”

The process of defining the risk profile of an organization also requires strong collaboration among IT, cybersecurity, and risk professionals. “How the organization knows the risk profile of the organization involves the cybersecurity team working with the IT and reporting to the business so these three things — cyber, IT and risk — work in unison,” he says. “If cyber sits isolated from the rest of the business, if it doesn’t understand the business, the risk is not optimized.”

Map security objectives to the customer trust model

For customer-oriented security, Lappage suggests mapping internal security objectives to the trust model the organization is looking to develop with its customers. “It’s understanding the risk profile of all those solutions that we’re providing to our customers.”

If an asset is internet facing, that is a key component of the risk profile, and stronger controls need to be applied where there is a higher risk profile. “When those internet-facing systems are also ones that have got higher business impacts, then you’ve got to prioritize those systems,” Lappage says. “It’s following the protocol of prioritizing investment based on the inherent risk.”

Lappage also suggests that in large organizations, CISOs could be assisted by a business information security officer (BISO) who reports to the CISO. Having somebody in the organization who is responsible for an area of security that the CISO doesn’t need to directly manage could provide more of a dedicated focus. However, he cautions that it shouldn’t lead to a situation where the CISO loses that complete view across the organization. “You’ve got people below them who can focus on those specific areas, but they must have the holistic view,” he says.

Define external risk profiles

When considering how to invest resources and budget in areas with the most risk, everything must be looked at from a risk perspective to see where the most heightened risks are, says Lexmark CISO Bryan Willett.

At the printers and imaging products business, teams need to maintain a secure business system just as they need to develop secure products. “We have back office systems and we have customer-facing portals that house customer data and company data, and it’s a process of risk assessment,” Willett tells CSO.

Lexmark’s security governance team handles cyber risk, while separate teams focus on supply chain risk and financial risk, and an enterprise risk management team looks at overall risk. Willett’s focus is enterprise, because that is where they see critical risks emerging, while having oversight across the board.

In securing products that go into the hands of consumers, there is a different set of considerations. “Delivering a secure product in a repeatable fashion is not just by chance. You have to have a good process and a well-informed population who knows what it means to deliver a secure product,” he says.

Business systems need to be set up for internal monitoring and alerts, whereas a product needs to be designed so that a customer can monitor it. “That responsibility turns over to the customer for them to do the monitoring of that system software environment, which includes everything from the patching, monitoring logs, firmware updates and so on.”

At Lexmark, dedicated teams do outreach to work with customers subscribed to its services to help address security challenges and minimize security risks. “Many times an organization will put a device in their environment, and as long as it works, they forget about it, which is not the posture we want our customers to have. We work hard on our side to make sure the software and firmware updates are available for those customers to update. And in the current environment, it’s a shared responsibility with that customer for them to then apply those patches to their environment,” Willett says.

Selling hardware can involve providing related services, whether it’s SaaS, PaaS or some kind of fulfillment service like toner in the case of printers. Whether it’s B2B or B2C, a customer interface brings its own set of complex security considerations, because customer devices that communicate with company networks need to do this in a secure way.

Communicating with internet-connected customer devices means OS-level concerns that may include networking protocols and OS vulnerabilities, as well as application-level concerns about making sure the API gateway is secure. “There’s an emerging industry right now around API security that’s looking for malicious signals within the API, some of them are prevention and some are detection solutions,” he says.

Risk analysis needs to consider the interface that devices use when communicating back to the company for firmware updates and the like. There can’t be a completely open tunnel between the external product or system and the organization’s environment and systems. It must have a way to validate everything that comes back while protecting from any malicious input, according to Willett.

The role of academic partnerships in risk-based security solutions

In some cases, strategic risk analysis can highlight particular security needs or gaps, and to help develop solutions, CISOs may turn to academic partnerships to apply dedicated research to the problem.

Lappage sees many positives in organizations embracing academic collaboration, such as being able to harness some of the brightest minds to provide input and to generate ideas. It allows organizations to take a contemporary approach by bringing in young talent.

It’s also about developing the best solutions through strategic collaboration. Cybersecurity is a shared responsibility; there is not any one person or any one company who has got the answers. It is a collective effort and collective defense, according to Lappage.

Jill Slay, SmartSat CRC chair of cybersecurity at the University of South Australia, has worked across academia and industry, engaging with vendors on solutions and in situations where there may be a sponsored company chair within the university setting.

SmartSat is a cooperative research center that has academic-industry partnerships, and Slay says the cooperative research center (CRC) model has the benefit of being able to foster relationships, getting the sort of niche training, or being able to develop niche products and concepts with one or two people who know an area well.

But academics and researchers coming from academic settings need to know that businesses and vendors are less interested in an academic’s papers and citations, Slay says. “Businesses are more focused on an area of expertise and being able to apply research, knowledge and problem solving to address a need and develop some kind of new tool or solution.”

In her experience, academic partnerships work best when both sides have a strong idea of their agendas and what they want to get out of the relationship. However, she has found it is often done in an ad hoc way, where a company may know that a university has done a certain piece of work and ask them to do something similar.

She says there is a need to develop a shared research question and an agreed approach to collaborative research. “For it to work well, the CISO needs to be very clear about the company itself, its agenda and what it wants to explore or develop and its requirements,” she says.

One example of an academic-vendor arrangement is Intel’s researcher in residence program, where an academic on sabbatical joins the security team, using its lab facilities and bringing their learnings back to students. Yossi Oren, senior lecturer at Ben Gurion University, is Intel’s first researcher in residence.

Oren says academics enjoy priority access to new or yet-to-be-released products, cutting-edge test equipment and experienced lab technicians who know how to use this equipment. “And most importantly, a deeper insight into the vendor’s own security assurance processes, which helps academic research be more effective and impactful.”

Academic security research teams have a unique character, which doesn’t exist anywhere else, according to Oren. He cites the mix of curiosity, competitive nature and dedication, combined with the moral and ethical code of academia, that makes it a productive arrangement. “Seasoned with the creative and fearless attitude of graduate students, it makes academic researchers ideal for performing security research with the sole purpose of making the world a better place,” Oren tells CSO.