This Week...
September 20 2023
SC Media | The CyberSecurity Source
How to have the right conversations about risk
You already know that risk assessment is a critical part of securing your organisation. But are your risk analyses too narrowly focused on IT? SC Media's Steve Mansfield-Devine explores how to get risk management right...
Your risk management needs to have a broad scope. In its recent basic risk management guidelines update, the National Cyber Security Centre stated: "Improving business outcomes should be the primary driver for cybersecurity risk management. We advocate meaningful cybersecurity risk management that illuminates the real cyber risks that are applicable to your organisation and how it operates, rather than the use of techniques which just seek to satisfy compliance requirements."
Never-ending task
Your business, the market in which it operates and the threats you face all constantly evolve, and this environment makes risk management an apparently Sisyphean task. But if you are not constantly reviewing your activities, you risk wasting your time completely.
"Most risk assessments are large, monolithic and point-in-time efforts – the value diminishes instantly," says Robert Huber, Tenable's chief security officer and head of research.

He adds: "Businesses should be continuously monitoring for risks via multiple mechanisms. These include: enterprise risk assessments, business impact assessments, risk registers and issues logs, regular cybersecurity surveys across the enterprise, input from audits, third-party assessments, regulatory updates, cyber-related activity in the news, as well as input from exposure management platforms that monitor 24x7 for vulnerabilities."
Reaching out
However, your burden is going to be eased – and your results improved – if you reach out to the rest of the business.
"Anyone could have valuable input," says Brian Jack, CISO at KnowBe4. "The CISO and the CEO must foster a culture of open communication and solicit feedback often from all up and down the organisational chart. Often risks come from the newest observers to the business."
The CFO, whose job is to manage business risk, is someone with whom you need to maintain a particularly close relationship.
"CISOs and CFOs must be closely involved in the rationalisation of top business risks and the presentation of these risks, responsibilities and high-level mitigation plans with the board," explains Curtis Simpson, CISO at Armis. "CISOs who are able to convey a meaningful business narrative will find it easier to engage with such partners, let alone the board, and will encounter far less friction when securing the resources required to fund the cyber security programmes and better protect their businesses."
Take your time
The same goes for any executive who owns some aspect of risk within the organisation. Taking the time to understand their challenges – and deploying the tools that you have within the IT department to assess their risk profiles – can have huge benefits for the organisation.
"If we take the time to understand how we can use such capabilities to not only mitigate risks but also address key issues affecting business partners, the impact can be significant," says Simpson. "As an example, let's talk about technical debt. CFOs, CIOs and CISOs are all trying to reduce the footprint and cost of legacy, high-risk systems, both as a result of and in support of continuing to fund innovation.
"These efforts have commonly been slower and less impactful than expected due to the fact that none of the three parties have the data required to paint the way. However, when each leader's data is consolidated and rationalised, the path to risk and operational cost reduction becomes clear."

People know best
However, don't get too focused on technological solutions. Other people in the organisation may prove to be the best assets you have.
"You don't need a fancy tool to generate heatmaps and other charts to do risk management well," says Jack. "All you need is some critical thinking, open communication and ensuring you make decisions on the data that is available.
"Asking stakeholders what keeps them up at night and if they currently do or plan to do anything to help them sleep better is the easiest risk management exercise you could do."
Missed this last week? 'Probably' the best IT rollout in the world...

Tal Arad, vice president of global security and technology at Carlsberg, reveals the challenges of implementing standardised IT service delivery across over 200 locations at the world’s third largest brewer.

Quote of the week

"Threat actors appeared to either have a) passwords to privileged user accounts or b) be able to manipulate the delegated authentication flow via Active Directory prior to calling the IT service desk at a targeted org, requesting a reset of all MFA factors in the target account. In the case of Okta customers, the threat actor targeted users assigned with Super Administrator permissions."

Okta on how attackers deceived the IT service desk of MGM Resorts with just a phone call.
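The Okta quote above describes a service-desk-initiated reset of every MFA factor on a Super Administrator account, after which the attacker enrols their own factor. As an added example (not Okta's code; the event names, field names, role map and sample log lines below are constructed for illustration and are not Okta's System Log schema), here is a small Python detector that flags "reset all factors" events on privileged accounts and raises the severity when a new factor is enrolled on that account shortly afterwards:

```python
"""Flag 'reset all MFA factors' events on privileged accounts.

Added example, not Okta's code. The event types, field names and sample
events are constructed stand-ins for a generic JSON-lines audit log.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines). 'alice' is a privileged user
# whose factors are reset by a service-desk agent over the phone and who
# then enrols a new factor minutes later; 'bob' is an unprivileged user.
SAMPLE_LOG = """\
{"ts":"2023-09-11T09:02:11Z","event":"mfa.factor.reset_all","actor":"helpdesk.agent1","target":"alice","channel":"service_desk_phone"}
{"ts":"2023-09-11T09:05:40Z","event":"session.start","actor":"alice","target":"alice","channel":"web"}
{"ts":"2023-09-11T09:06:02Z","event":"mfa.factor.enroll","actor":"alice","target":"alice","channel":"web"}
{"ts":"2023-09-11T10:15:00Z","event":"mfa.factor.reset_all","actor":"helpdesk.agent2","target":"bob","channel":"service_desk_ticket"}
{"ts":"2023-09-11T11:00:00Z","event":"session.start","actor":"carol","target":"carol","channel":"web"}
"""

# Constructed role map: which accounts carry administrative roles.
PRIVILEGED = {"alice": "SUPER_ADMIN", "dave": "ORG_ADMIN"}

# Events that, following a reset, suggest someone is taking over the account.
FOLLOW_ON_EVENTS = ("session.start", "mfa.factor.enroll")


def _parse_ts(ts):
    """Parse the ISO-8601 UTC timestamp used in the sample log."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_privileged_mfa_resets(log_text, privileged_users, window_minutes=60):
    """Return one alert per 'reset all factors' event on a privileged account.

    Each alert records who performed the reset, through which channel, and
    which follow-on events (new session, new factor enrolment) hit the same
    account within `window_minutes`. Severity is 'high' when a new factor
    was enrolled in that window, otherwise 'medium'.
    """
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])  # ISO-8601 Z timestamps sort lexically
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "mfa.factor.reset_all":
            continue
        target = ev["target"]
        if target not in privileged_users:
            continue
        deadline = _parse_ts(ev["ts"]) + timedelta(minutes=window_minutes)
        followed_by = [
            e["event"]
            for e in events[i + 1:]
            if e["target"] == target
            and e["event"] in FOLLOW_ON_EVENTS
            and _parse_ts(e["ts"]) <= deadline
        ]
        alerts.append({
            "target": target,
            "role": privileged_users[target],
            "reset_by": ev["actor"],
            "channel": ev["channel"],
            "followed_by": followed_by,
            "severity": "high" if "mfa.factor.enroll" in followed_by else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_privileged_mfa_resets(SAMPLE_LOG, PRIVILEGED):
        print(json.dumps(alert))
```

On the sample log this raises a single high-severity alert for `alice` (a Super Administrator whose factors were reset by phone and who enrolled a new factor four minutes later) and nothing for `bob`, who holds no administrative role. In practice the privileged-user map would come from the identity provider's role assignments, and the detection would be paired with a service-desk policy that requires out-of-band identity verification before any full MFA reset on such accounts.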

More than half of UK firms know they aren't protected against cyber threats

Just 49% of business leaders report that their organisation is well or very well protected against cyber threats, according to a new survey from Red Helix.
Out of those who considered their organisation to be very well protected, 60% had bought directly from a cybersecurity vendor.
In contrast, those who had bought their cybersecurity as part of a managed service including other IT services, such as Office 365, made up just 23% of this group.
This finding suggests that those who procure their cyber security from generalist IT providers do so in the knowledge that their protection will be less secure than that offered by a cyber security specialist.
Nearly two-thirds of respondents (63%) also revealed that they wanted to work with an external cyber security partner, either by fully managing their cybersecurity or managing some of it, indicating a significant desire for collaboration and expert guidance.

© 2020 Haymarket Media Group
Bridge House, 69 London Road, Twickenham, TW1 3SP