It’s time to stop measuring security in absolute terms

COMMENT

The context and metrics that drive risk assessments are constantly changing, as is our understanding of what progress looks like for a security team. You can’t measure everything, and just because you can measure something doesn’t mean it matters. This makes it easy to get lost in the details and miss the bigger picture: Are we moving in the right direction?

Much of the problem is standard security policy, which strives for perfection while losing sight of achievable goals. In our industry we have policies that say, for example, “all high-risk vulnerabilities must be addressed within 10 days” or “all user access must be reviewed quarterly.” The assumption is that you will reach 100% compliance, without discussing whether this is achievable and what resources would be needed to achieve that goal.

Typically, a security team achieves its goal 70% of the time, which is considered a failure. A team often spends an enormous amount of resources trying to close the gap, for example between addressing 70% of critical vulnerabilities and the policy goal of 100%. They may end up straining resources to strive for perfection when those resources could be better spent elsewhere.

As an industry, we need to take a step back and reevaluate the policies and metrics that drive our programs, deciding whether they are realistic and whether they represent the right metrics. Here are three steps to take to achieve this goal.

1. Determine your risk tolerance

It is impossible to achieve perfection in all risk areas. Security teams can end up playing whack-a-mole and losing focus on more subtle risks. A company-wide dialogue is needed to define where the organization’s greatest security risks lie and where to dedicate resources, as well as the areas where its leaders feel comfortable with a certain level of risk. A critical vulnerability like MOVEit, for example, might pose an acceptable risk in one area of a business, but not in another area that has tier 1 systems with zero to minimal tolerance for business impact across the CIA triad of confidentiality, integrity and availability. Find out where the biggest vulnerabilities are in your industry and the types of attacks that commonly target companies in your industry to perform a risk assessment.

2. Set flexible and achievable goals

The next step is to set achievable security policies, based on the risk assessment and focused on incremental progress. You can’t go from patching 50% of vulnerabilities to 95% overnight. It’s important to understand the resources you’ll need to reach your goal and what opportunities you’ll be giving up by aiming for full remediation versus 85%. It may not be worth the investment to close those last few percentage points.

Instead of setting a static goal and aiming for perfection, focus on improving your program from where you were before. The questions you should ask yourself are: Are we moving in the right direction? Is the program improving? Are we reducing risk overall?

3. Reassess regularly

Because vulnerabilities and attack methods continually change, security leaders should have regular discussions with the broader business to reevaluate risk appetite and security policies. At a minimum, this should be done annually. Reassess whether goals align with known risks and risk tolerance and make informed decisions about tradeoffs.

For example, you may determine that 85% of critical vulnerabilities can be resolved within 10 days. To get to 90%, X quantity of resources, expressed in terms such as monetary investment, time or people, will be required. You may find 85% to be an acceptable level of risk when compared to those additional resources.
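The measurement this section describes, attainment of a remediation SLA per period and whether the rate is moving in the right direction, is easy to get wrong when still-open findings are counted inconsistently. The following is an added example, not code from the article; the 10-day critical and 30-day high SLA values, the `Finding` records, the quarterly periods and the `AS_OF` date are all constructed assumptions. It excludes open findings that are not yet due so they neither inflate nor deflate the rate, reports the rate per period, and answers the article’s question (improving, flat or regressing) rather than pass/fail against 100%.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Remediation targets in days per severity (assumed policy values, not the article's).
SLA_DAYS = {"critical": 10, "high": 30}


@dataclass
class Finding:
    ident: str
    severity: str
    opened: date
    closed: Optional[date]  # None means the finding is still open


def due_findings(findings: List[Finding], severity: str,
                 start: date, end: date, as_of: date) -> List[Finding]:
    """Findings of `severity` opened in [start, end) whose SLA deadline has
    passed by `as_of`. Open findings that are not yet due are excluded so
    they are neither counted as misses nor as successes."""
    sla = timedelta(days=SLA_DAYS[severity])
    due = []
    for f in findings:
        if f.severity != severity or not (start <= f.opened < end):
            continue
        if f.closed is None and f.opened + sla > as_of:
            continue  # still open but deadline not reached yet
        due.append(f)
    return due


def sla_attainment(findings: List[Finding], severity: str,
                   start: date, end: date, as_of: date) -> Optional[float]:
    """Share of due findings closed within SLA; None when nothing was due."""
    due = due_findings(findings, severity, start, end, as_of)
    if not due:
        return None
    sla = timedelta(days=SLA_DAYS[severity])
    met = sum(1 for f in due if f.closed is not None and f.closed - f.opened <= sla)
    return met / len(due)


def trend(findings: List[Finding], severity: str,
          periods: List[Tuple[date, date]], as_of: date):
    """Per-period attainment plus a direction verdict comparing the latest
    measured period with the earliest one."""
    rates = [sla_attainment(findings, severity, s, e, as_of) for s, e in periods]
    measured = [r for r in rates if r is not None]
    if len(measured) < 2:
        direction = "insufficient data"
    elif measured[-1] > measured[0]:
        direction = "improving"
    elif measured[-1] < measured[0]:
        direction = "regressing"
    else:
        direction = "flat"
    return rates, direction


# Constructed sample data: three quarters of findings, evaluated mid-October.
PERIODS = [
    (date(2024, 1, 1), date(2024, 4, 1)),
    (date(2024, 4, 1), date(2024, 7, 1)),
    (date(2024, 7, 1), date(2024, 10, 1)),
]
AS_OF = date(2024, 10, 15)
SAMPLE = [
    Finding("C-1", "critical", date(2024, 1, 10), date(2024, 1, 15)),   # 5 days, met
    Finding("C-2", "critical", date(2024, 1, 20), date(2024, 2, 10)),   # 21 days, missed
    Finding("C-3", "critical", date(2024, 2, 5), date(2024, 2, 12)),    # 7 days, met
    Finding("C-4", "critical", date(2024, 3, 1), None),                 # open past deadline, missed
    Finding("H-1", "high", date(2024, 1, 15), date(2024, 2, 10)),       # 26 days, met (30-day SLA)
    Finding("C-5", "critical", date(2024, 4, 5), date(2024, 4, 12)),    # met
    Finding("C-6", "critical", date(2024, 4, 20), date(2024, 4, 29)),   # met
    Finding("C-7", "critical", date(2024, 5, 15), date(2024, 5, 30)),   # 15 days, missed
    Finding("C-8", "critical", date(2024, 6, 1), date(2024, 6, 10)),    # met
    Finding("C-9", "critical", date(2024, 6, 20), date(2024, 6, 28)),   # met
    Finding("C-10", "critical", date(2024, 7, 10), date(2024, 7, 18)),  # met
    Finding("C-11", "critical", date(2024, 8, 1), date(2024, 8, 9)),    # met
    Finding("C-12", "critical", date(2024, 9, 15), date(2024, 9, 24)),  # met
    Finding("C-13", "critical", date(2024, 9, 28), None),               # due 8 Oct, still open, missed
]

if __name__ == "__main__":
    rates, direction = trend(SAMPLE, "critical", PERIODS, AS_OF)
    for (start, _), rate in zip(PERIODS, rates):
        print(f"quarter starting {start}: {'n/a' if rate is None else f'{rate:.0%}'}")
    print("direction:", direction)
```

The per-period rates here are 50%, 80% and 75% for critical findings, and the verdict is "improving", which is the conversation the article wants leadership to have: the program moved from half its critical findings inside SLA to three quarters, and the cost of the remaining points can now be weighed rather than treated as automatic failure.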

Aim for progress, not perfection

Decisions about risk should not be made in a vacuum. This is why security leaders need to have these conversations with other business leaders and the board of directors. Bottom line: Perfection is rarely achievable in this industry, and aiming for that absolute can do more harm than good. Instead, focus on making progress. Set realistic goals, take small steps to get there, and keep raising the bar until you reach the optimal level of risk mitigation.
