“You can’t protect what you don’t see.” We all know the saying, but along the way we forgot to ask: “Can we protect what we do see?” The phrase “You can’t protect…” kept us searching for risk visibility, and as a result we willed a “risk analysis” function into existence, albeit a passive function – one that looks for risk as opposed to ways to reduce risk. Well, it’s time to shift our thinking and start transitioning the way we communicate and operate. It’s time to start talking more about “risk reduction” and less about “risk analysis.”
With “visibility” as the goal, the vulnerability and risk management industry tried to improve product and service visibility capabilities over the years to address the three “R’s and aid our risk analysis process:
- Relevancy: Is all that data our tools surfaced relevant to us? If not, what part of it is? For instance, knowing about “one more asset” does not help us. Knowing that a newly-discovered asset has been exposed to the internet, contains sensitive data and has not been patched – well, that’s relevant and we need to take notice.
- Reading it right: It’s easy to read security data incorrectly. There’s a simple reason: we’re often so deep in the data, we fail to see the full picture. It’s a tricky skill, even for data nerds. For instance, consider a scenario where an anti-virus company releases their data which indicates that the number of viruses have gone down that quarter. Looking into the data, they see their engines indeed spot fewer viruses. However, it’s not always indicative of the situation because they don’t notice the flipside: the viruses that they weren’t seeing – which were on the rise.
- Responding: Once the team knows what’s relevant and reads it right, what’s next? How does the organization benefit from that data? Going back to the example of “one more risky asset” that was surfaced – security teams must deal with the asset. They need to know the owner of the asset, see if it’s being used and how, what type of data it contains, and then decide whether to remove internet access, to limit access, or place any other controls on it.
Flash forward to today and we can rightly claim that as an industry, we’ve made progress by focusing on those R’s: We have more accurate and contextual findings data. Of course, those findings still land on the CISOs plate. While we’ve produced higher quality data, it’s still a daunting volume. And, as security pros and remediation teams know, CISOs and their security operations staff aren’t the ones who remediate the findings.
So, if visibility was lacking, and now it’s much better, but we still have a mountain of unactioned findings, we need to ask ourselves what’s the next evolution? The answer: making visibility actionable.
Knowing what action to take transitions a “risk analysis” discussion to one of risk reduction. That’s where we want the industry to move. Don’t think of risk analysis as a business process – it’s an assessment of the current state of risk, with no key perfomance indicator (KPI) measurements associated with it. Think of risk reduction on the other hand as an action that the team can and should measure. Risk reduction lets us see how we’re progressing, and offers a path to process improvement. It sets KPIs, monitors our state of security over time against those KPIs, and helps us improve. It offers the business process upon which we can then decide which technology we need to implement.
A risk reduction process lets us communicate to all process stakeholders – from the board to the lines of business to development teams and DevOps. We can demonstrate exactly how we’re taking action, and not just share our tool output. Furthermore, it underscores that risk reduction requires a multi-team effort and shines a light on each team’s accountability to the process.
A good risk reduction program, together with communication and collaboration, makes the organization more resilient and leads to less firefighting.
Vulnerability and risk management practitioners have driven an important transformation, going from demanding more visibility to getting it. Now it’s time to take action on this visibility. Shifting from a focus on “risk findings” to a focus on “risk reduction” evolves the state of the art even further.
Ravid Circus, co-founder and CPO, Seemplicity
