Written by Simon Ractliffe, Regional General Manager – ANZ, Qualys.
Boards are increasingly concerned about security and risk following the significant investments they have made in digital services over the past few years and the recent high-profile breaches that have occurred here in Australia.
It is expected around 40 percent of boards will have established a dedicated information security and risk representative by 2025, according to Gartner. This compares with less than 10 percent in 2021.
This increased awareness of cyber risk should lead to increased investment for the implementation of improved business resilience practices. Securing support is however easier said than done, while current economic circumstances can lead to more pressure to achieve results with reduced budgets.
Security management and risk
Boards want to know that their teams are managing risk in an appropriate, effective and cost-efficient way. However, boards consider risk differently to IT alone. They look at financial performance of the company, economic trends such as consumer behaviour and market demand. Wider industry and political events that might affect the economy in general alongside technology are also considered.
Some risks can be predicted or planned for – for example, one risk might be business activity levels and performance during different seasons, where cash flow may be lower. These kinds of events can be anticipated. Others are less predictable, such as emergence of new vulnerabilities and threats, and unforeseen changes in business circumstances, so called ‘black swan’ events such as the pandemic.
Risk management involves looking at the distinct components that make up a business and its overall operating model. With these views in mind, boards must look at what level of risk they are comfortable with and where they will direct their efforts to prevent and reduce impact over time.
Vulnerability management and risk
For IT security teams, understanding where IT security risk sits within the broader array of potential business risks is critical. It shows how many other calls are on the board’s attention, and how the individuals involved view security and risk in general. Based on this insight, the cyber risk team can tailor an approach that is more in context with the board’s imperatives.
Boards will have varying levels of risk appetite for each element of the business – for example, to make a new investment in an unproven but potentially very profitable market versus using capital elsewhere in existing markets for lower but more reliable returns.
For the IT security team, it is necessary to put security into context within that risk management approach. Areas like vulnerability management are essential for IT security and, therefore will help the organisation manage its risk more effectively over time. Patching prevents attacks from succeeding, but the window between a software issue being found and the patch being deployed is problematic. According to Qualys’ recent Threat Research report, the time between a security issue being released and the patch being installed is just over thirty days, while the time taken to exploit those vulnerabilities is now nineteen days. This leaves plenty of time for threat actors to use the vulnerabilities to break into organisations.
While this may seem potentially disastrous, companies can now shrink that gap to manage their risk more effectively. This includes automation of patching for known good patches with a high reputational score and applying higher priority to exposed higher risk assets where active exploitation has already been observed. According to Qualys research, this is already the norm for ubiquitous software like Microsoft Windows and Google Chrome, being patched twice as fast and twice as often as other applications.
It’s also worth putting this into context. Of more than 25,000 software defects found in 2022 only 159 were weaponised, and only 23 were actually exploited by malware. Prioritising security issues will therefore help teams to focus their resources on critical issues first to prevent and protect their organisation from attack, while the other issues can be cleaned up or mitigated over time.
Reporting on risk
Reporting on security risk is increasing in importance for all and is now mandatory for some. The approach to reporting will need to suit its audience. What works for the security team will not be suitable for the board where a report on the number of vulnerabilities that are in place and require fixes might be useful for the security team, but management needs to understand how this affects the risk of business disruption. Demonstrating continuous improvement through appropriate reporting is also essential.
Although hard to measure, boards need to know how their current risk posture compares to their agreed risk appetite. For this reason, Security and Risk professionals are now working more closely with the board to understand how to best translate technical issues into business metrics that they can understand in the broader business context.
Organisations are pursuing digital transformation to remain competitive or gain competitive advantage. This is an important time for IT security teams to learn from the board, and educating the board on how to keep up the pace of innovation while remaining secure. Focusing on digital asset risk management and effectively demonstrating the value of security programs will ensure investment in these critical areas will continue.
