You may not be able to plug up every hole, but there are ways to keep the dam from caving.
What is risk management? Any time you have something of value (like a corporate network, a website, or a mobile application), there will be risk to manage in order to protect it. As organizations innovate and change the way they use technology, the risks change too. Traditional approaches and controls are no longer good enough. Caroline Wong, vice president of security strategy at Cobalt, provides a few tips for managing risk in today’s modern business environment.
The first step to managing risk is to know exactly what it is that you want to secure. Your organization may need to protect customer data, payment information, or intellectual property. Once you know what's important and why, then you can start to tailor your risk management approach.
Do you know all the ways in which the bad guys can potentially access or compromise your firm’s most valuable assets? You can find out using tools, consultants, or a crowdsourced security platform. Make sure your testing covers the entire application portfolio, so your largest risk is not the risk you don't know about.
Penetration testing and bug bounty programs simulate the attacker perspective. You want the good guys to hack you so you can be aware of the risks and address them as needed - before the bad guys exploit vulnerabilities and potentially compromise the crown jewels.
There is a lot of great technology available to help organizations secure their networks and applications. Tools don't run themselves, however, and issues identified by tools usually can't be fixed without human intervention. Human creativity is needed to identify the most interesting security defects (e.g., application business logic flaws), rank them by probability of exploit and potential impact, and address them accordingly.
Risk management has a tendency to be more activity-driven than outcome-driven. Use metrics to evaluate the effectiveness of risk management controls. For example, finding new security issues through code review or penetration testing does not actually improve an organization's risk posture - fixing them does. Count fixes, not just tests and findings.
Prioritization is a key component to managing risk because budgets are limited and vulnerabilities can seem endless. The reality is you can’t do everything. It’s just as important to explicitly decide what you will not do as what you will do. Coming up with prioritization criteria can help you stay consistent when tough decisions need to be made.
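The three points above (rank defects by probability and impact, measure outcomes rather than activity, and make "will not fix" an explicit decision) can be put into one small worked example. The script below is an added illustration written for this page; it is not code from Cobalt or from the author. The findings in the register are constructed sample data, and the scoring scale and the triage thresholds are assumed policy values, not anything the article prescribes.

```python
"""Worked example: a small risk register that ranks findings by
likelihood x impact, triages them into explicit buckets, and reports
outcome metrics (fixes, not just findings). All data is constructed."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class Finding:
    fid: str
    title: str
    likelihood: int            # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                # assumed scale: 1 (negligible) .. 5 (severe)
    found: date
    fixed: Optional[date] = None

    @property
    def risk_score(self) -> int:
        """Qualitative risk: probability of exploit x potential impact."""
        return self.likelihood * self.impact


# Constructed sample register (hypothetical findings, not real issues).
REGISTER = [
    Finding("F-1", "Business logic flaw lets user change order total",
            4, 5, date(2024, 1, 10), date(2024, 1, 20)),
    Finding("F-2", "Verbose error page reveals framework version",
            3, 1, date(2024, 1, 12)),
    Finding("F-3", "Missing rate limit on login endpoint",
            4, 3, date(2024, 1, 15), date(2024, 2, 14)),
    Finding("F-4", "IDOR exposes other customers' invoices",
            5, 5, date(2024, 2, 1)),
    Finding("F-5", "Outdated TLS cipher suite offered",
            2, 2, date(2024, 2, 3)),
]

# Reporting date for the metrics below (constructed).
AS_OF = date(2024, 3, 1)


def triage(findings, fix_threshold=12, accept_threshold=3):
    """Split open findings into explicit buckets so that 'will not fix'
    is a recorded decision rather than an accident. Thresholds are
    assumed policy values. Within a bucket, higher risk and older
    findings come first."""
    buckets = {"fix_now": [], "schedule": [], "accept": []}
    open_findings = sorted((f for f in findings if f.fixed is None),
                           key=lambda f: (-f.risk_score, f.found))
    for f in open_findings:
        if f.risk_score >= fix_threshold:
            buckets["fix_now"].append(f.fid)
        elif f.risk_score > accept_threshold:
            buckets["schedule"].append(f.fid)
        else:
            buckets["accept"].append(f.fid)
    return buckets


def outcome_metrics(findings, as_of=AS_OF):
    """Count fixes, not just findings: fix rate, median days-to-fix,
    total risk score still open, and age of the oldest open finding."""
    fixed = [f for f in findings if f.fixed is not None]
    still_open = [f for f in findings if f.fixed is None]
    days_to_fix = [(f.fixed - f.found).days for f in fixed]
    return {
        "found": len(findings),
        "fixed": len(fixed),
        "fix_rate": round(len(fixed) / len(findings), 2) if findings else 0.0,
        "median_days_to_fix": median(days_to_fix) if days_to_fix else None,
        "open_risk": sum(f.risk_score for f in still_open),
        "oldest_open_days": max(((as_of - f.found).days for f in still_open),
                                default=0),
    }


if __name__ == "__main__":
    print("triage:", triage(REGISTER))
    print("metrics:", outcome_metrics(REGISTER))
```

Two design choices matter more than the numbers. The "accept" bucket is a deliberate output of `triage`, so the decision not to fix something is written down and can be revisited when a finding's likelihood changes. And `outcome_metrics` never reports the count of tests run: a register where `found` keeps climbing while `fixed` and `median_days_to_fix` stay flat is exactly the activity-over-outcome pattern the article warns about.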
As businesses change the way they build products, attackers evolve the way they attempt to breach applications. As IT departments move their operations into the cloud, risk management needs to focus more on applications than networks. Keep up by testing frequently and embracing new risk management approaches, like crowdsourced security.