What’s Missing in Most CISO’s Security Risk Management Strategies

By Dr. May Wang, CTO of IoT Security at Palo Alto Networks and the Co-founder, Chief Technology Officer (CTO), and board member of Zingbox

At the foundation of cybersecurity is the need to understand your risks and how to minimize them. Individuals and organizations often think about risk in terms of what they’re trying to protect. When talking about risk in the IT world, we mainly talk about data, with terms like data privacy, data leakage and data loss. But there is more to cybersecurity risk than just protecting data. So, what should our security risk management strategies consider? Protecting data and blocking known vulnerabilities are good tactics for cybersecurity, but those activities are not the only components of what CISOs should be considering and doing. What’s often missing is a comprehensive approach to risk management and a strategy that considers more than just data.

The modern IT enterprise certainly consumes and generates data, but it also has myriad devices, including IoT devices, which are often not under the direct supervision or control of central IT operations. While data loss is a risk, so too are service interruptions, especially as IoT and OT devices continue to play critical roles across society. For a healthcare operation for example, a failure of a medical device could lead to life or death consequences.

Challenges of Security Risk Management

Attacks are changing all the time, and device configurations can often be in flux. Just like IT itself is always in motion, it’s important to emphasize that risk management is not static.

In fact, risk management is a very dynamic thing, so thinking about risk as a point-in-time exercise is missing the mark. There is a need to consider multiple dimensions of the IT and IoT landscape when evaluating risk. There are different users, applications, deployment locations and usage patterns that organizations need to manage risk for, and those things can and will change often and regularly.

There are a number of challenges with security risk management, not the least of which is the sheer size and complexity of the IT and IoT estate. CISOs today can easily be overwhelmed by information and data coming from an ever-increasing number of devices. Alongside the volume is a large variety of device types, each with its own particular attack surface. Maintaining an accurate, current record of every IT and IoT asset and the specific risk each one represents is not something a human can reliably do by hand. Managing a diverse array of policies, devices and access controls across a distributed enterprise, in a way that actually minimizes risk, is not a trivial task.

A Better Strategy to Manage Security Risks

Security risk management is not a single task, or a single tool. It’s a strategy that involves several key components that can help CISOs to eliminate gaps and better set the groundwork for positive outcomes.

Establishing visibility. To eliminate gaps, organizations need to first know what they have. IT and IoT asset management isn't just about knowing which managed devices are present, but also about discovering the unmanaged IoT devices on the network and knowing which operating systems and application versions are present at all times.

Ensuring continuous monitoring. Risk is not static, and monitoring shouldn’t be either. Continuous monitoring of all the changes, including who is accessing the network, where devices are connecting and what applications are doing, is critical to managing risk.

Focusing on network segmentation. Reducing risk in the event of a security incident can often be achieved by reducing the "blast radius" of a threat. With network segmentation, where different services and devices run only on specific segments of a network, the attack surface is minimized and unseen or unmanaged IoT devices can be prevented from serving as springboards for attacks on other areas of the network. So, instead of an exploit in one system impacting the entire organization, the impact can be limited to the network segment that was attacked.

Prioritizing threat prevention. Threat prevention technologies such as endpoint and network protection are also foundational components of an effective security risk management strategy. Equally important is having the right policy configuration and least-privileged access in place, both on endpoints (including IoT devices) and in the network protection technologies themselves, so that potential attacks are stopped before they happen.
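The visibility, continuous monitoring and segmentation components above can be reduced to a few concrete checks that run over the data a network already produces. The script below is an added example and is not code from the article or from Palo Alto Networks or Zingbox; the asset inventory, the segment layout, the allow-list policy and the flow records are all constructed for illustration (a small clinical network with an infusion pump, a CT scanner, a nurse laptop and an application server). It reconciles observed flows against the inventory to surface unmanaged devices, flags managed devices that show up in a segment other than the one they were assigned to, and reports flows that cross segment boundaries the policy does not allow.

```python
"""Asset visibility, monitoring and segmentation checks over constructed flow data.

Added example; inventory, segments, policy and flow records are all constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory of managed assets keyed by MAC: name and assigned segment.
INVENTORY = {
    "aa:bb:cc:00:00:01": ("infusion-pump-01", "iot-clinical"),
    "aa:bb:cc:00:00:02": ("ct-scanner-01", "iot-clinical"),
    "aa:bb:cc:00:00:10": ("ehr-app-01", "servers"),
    "aa:bb:cc:00:00:20": ("nurse-laptop-07", "corp"),
}

# Constructed segment layout: which address range belongs to which segment.
SEGMENTS = {
    "iot-clinical": ip_network("10.20.0.0/24"),
    "corp": ip_network("10.10.0.0/24"),
    "servers": ip_network("10.30.0.0/24"),
}

# Constructed segmentation policy: a source segment may only reach the listed
# destination segments. Everything not listed is denied, so the "blast radius"
# of a compromised device is limited to what its segment is allowed to reach.
ALLOWED = {
    "iot-clinical": {"servers"},             # devices talk to the app tier only
    "corp": {"servers"},                      # staff laptops never reach devices directly
    "servers": {"servers", "iot-clinical"},   # app tier may poll the devices
}

# Constructed flow records (e.g. from NetFlow or a span port): src_mac src_ip dst_ip dst_port
FLOW_LOG = """\
aa:bb:cc:00:00:01 10.20.0.11 10.30.0.5 443
aa:bb:cc:00:00:02 10.20.0.12 10.10.0.44 445
aa:bb:cc:00:00:20 10.10.0.44 10.30.0.5 443
de:ad:be:ef:00:01 10.20.0.99 10.30.0.5 22
aa:bb:cc:00:00:20 10.10.0.44 10.20.0.11 80
aa:bb:cc:00:00:02 10.10.0.77 10.30.0.5 443
"""


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


def parse_flows(text):
    """Parse whitespace-separated flow records into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mac, src, dst, port = line.split()
        flows.append(Flow(mac, src, dst, int(port)))
    return flows


def segment_of(ip):
    """Return the segment name an address belongs to, or None if it is outside all segments."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def unmanaged_devices(flows):
    """Visibility: (MAC, IP) pairs seen on the wire that the inventory does not know."""
    return sorted({(f.src_mac, f.src_ip) for f in flows if f.src_mac not in INVENTORY})


def misplaced_devices(flows):
    """Monitoring: managed devices observed in a segment other than their assigned one."""
    found = set()
    for f in flows:
        entry = INVENTORY.get(f.src_mac)
        if entry and segment_of(f.src_ip) != entry[1]:
            found.add((entry[0], f.src_ip))
    return sorted(found)


def segmentation_violations(flows):
    """Segmentation: flows whose source segment is not allowed to reach the destination segment."""
    bad = []
    for f in flows:
        src_seg, dst_seg = segment_of(f.src_ip), segment_of(f.dst_ip)
        if src_seg is None or dst_seg is None or dst_seg not in ALLOWED.get(src_seg, set()):
            bad.append(f)
    return bad


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("unmanaged:", unmanaged_devices(flows))
    print("misplaced:", misplaced_devices(flows))
    for f in segmentation_violations(flows):
        print(f"violation: {f.src_ip} -> {f.dst_ip}:{f.dst_port} ({segment_of(f.src_ip)} -> {segment_of(f.dst_ip)})")
```

On the constructed data the three checks catch three different problems: the unknown MAC on the clinical segment is invisible to the inventory even though its flow to the server tier is policy-compliant, the CT scanner appearing with a corp address is a device that moved segments, and the SMB flow from the scanner to a laptop plus the laptop's direct HTTP connection to the pump are the cross-segment paths a flat network would silently allow. In practice the inventory would be populated from a discovery tool and the flows from a collector rather than embedded strings, but the reconciliation logic is the same.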

Executing the strategic components above at scale is best achieved with machine learning and automation. With the growing volume of data, network traffic and devices, it is simply not possible for any one human, or even a group of humans, to keep up. Machine learning-based automation makes it possible to rapidly identify all IT, IoT, OT and BYOD devices to improve visibility, correlate activity for continuous monitoring, recommend the right policies for least-privileged access, suggest optimized configurations for network segmentation and add a further layer of security through proactive threat prevention.

About Dr. May Wang:

Dr. May Wang is the CTO of IoT Security at Palo Alto Networks and the Co-founder, Chief Technology Officer (CTO), and board member of Zingbox, which was acquired by Palo Alto Networks in 2019 for its security solutions to Internet of Things (IoT).

IT Leadership, Security
