In the Eyes of Business Security is All About Risk Management
Shawn Robinson
Cybersecurity Strategist | Governance & Risk Management | Driving Digital Resilience for Top Organizations | MBA | CISSP | PMP | QTE
I know that there are many out there who will disagree with me, but I firmly believe that at the end of the day security is all about risk management. If we want to be seen by the business as a valuable partner within the organization, viewing security through the lens of risk is key. As I speak with small business owners regarding security, I have found it pivotal to do so in the context of risk management.
Risk management is about providing an organization with the ability to identify, mitigate, and transfer risk. To have a successful security program, an understanding of risk is paramount. Without properly analyzing and prioritizing risk, organizations may not implement the appropriate controls, thereby opening themselves up to potentially negative business impacts. Analyzing and prioritizing risk allows a business to assign a monetary value to it and make the right risk-related business decision.
Security functions and Risk
Vulnerability Management is the process of identifying, classifying, prioritizing and mitigating vulnerabilities within an organization. Most of the time we look at these only in terms of technology; however, there can be vulnerabilities in processes and with people as well. The purpose of undertaking this activity from a security standpoint is to ensure that an organization has a clear picture of the potential risks that exist in its environment. Once it understands this, it can take action based on the business risk to the organization. Should it accept, avoid or transfer the risk related to the vulnerability? Whether an organization is using Rapid7, AlienVault, Qualys or Tenable, vulnerability management is a tool to assist a business in managing risk.
Penetration testing is the process of testing computer networks, applications and people (social engineering) to find and exploit vulnerabilities. Organizations need to know if the vulnerabilities within their systems can truly be exploited. There are several tools which can be used to facilitate these tests, such as Metasploit, Kali or Netsparker. If these vulnerabilities can be exploited, it puts the business at significant risk. The reports produced from a pen test can provide security teams with the information they need to help the business understand the security risk. This information is indispensable for helping business stakeholders understand the need to implement new security controls. If you want the business to invest, give them a business reason to do so. Reducing the risk of a potentially negative event should the vulnerabilities be exploited is the primary value of pen-testing.
Incident Response is the organized activity businesses use to manage security incidents. LogRhythm, Carbon Black or Rapid7 are some platforms used to support this function. The goal of incident response is to limit the impact and speed recovery. The larger the impact and the longer the recovery, the more risk an organization is exposed to. It could be a financial, regulatory or reputational risk. Businesses are primarily concerned with ensuring that the risk to the organization is mitigated quickly.
Malware Reverse Engineering is a process used by security engineers to learn how malware works and what can be done to counteract it. The underlying reason for understanding how malware works is so that the right controls are implemented to reduce the risk of infection of business systems.
Security Engineering/Architecture is the process focused on secure systems design. The systems need to be designed in such a way that they reduce the risk of data exposure, malicious attacks, and other disruptions. Architects and engineers must understand what services are critical to the business and how to protect them. Security architects apply defense-in-depth when crafting solutions for businesses. Architects can use a variety of frameworks to accomplish this goal, such as TOGAF and DODAF. These security professionals must develop an architecture that meets the business and security needs of an organization. To achieve the desired outcome, understanding and managing risk is key.
I could go on and on drawing the connection between the highly technical functions within security and how they are all about mitigating risk. These different roles within security require a multitude of different tools and skills, but as far as the business is concerned, security exists to support business processes. Often security professionals opine about how the business stakeholders don't understand security. Perhaps it's time for us to look at whether we understand the business and our roles within it. While we are perspicacious in all things security, we are less percipient when it comes to business.
I am not implying that security professionals need to have an MBA. However, I do think that having a fundamental understanding of how the business you support daily operates would aid in how you approach implementing security. When security professionals understand the business strategy and risk appetite, it can help them make more informed security decisions. This does not only apply to those in security leadership roles. Those who are in the trenches daily could gain valuable insight into how their roles reduce risk within an organization by educating themselves on what really matters to the business.
I get it that highly skilled technical security professionals hate the idea of being labeled as risk managers. But at the end of the day managing risk is baked into the security cake.