The research team at Risk-Based Security (RBS), a security and risk data aggregator (among other things), published a couple of observations this month that should be a reminder to all of us involved in global Financial Services risk management. RBS catalogs and analyzes thousands of breaches every year. They suggest that ad-hoc, personality-based, or other company-unique security practices put companies at a self-inflicted and avoidable level of risk. RBS researchers summarize their findings into a couple of central themes:
- “Breaches can happen at even the most security-conscious organizations.”
- “The tenacity and skill of attackers when it comes to searching out weaknesses in organizational practices and processes is unrelenting.”
There are a couple of key components to their follow-on recommendation:
- Employ a methodical and risk-based approach to security management, where risk assessments incorporate both:
  - The organization’s own security practices, and
  - Downstream risk posed by vendors, suppliers and other third parties.
To address these risks and add structure to day-to-day risk management work, RBS researchers recommend that we:
- Define security objectives and
- Select and implement security controls.
The memo describing the RBS research observations is useful at the highest level, as a reminder to those of us in global Financial Services, though it seems a little like recommending that we all continue to breathe, eat well, and sleep enough. Their guidance to leverage mature security frameworks “to create robust security programs based on security best practice” is a long bumper sticker. In Financial Services at global scale, we all know that, and our various constituencies regularly remind us of those types of requirements. Sometimes they even show up in our sales literature, contracts, and SEC filings.
Bumper stickers may still have their place. RBS observations and recommendations may not be what we need for implementation, but they can help with our elevator speeches & the tag-lines required in a number of frequently encountered risk management interactions.
Here is one way to summarize their observations and recommendations:
Breaches continue to happen. Attackers are tenacious and unrelenting. Employ risk-appropriate levels of rigor and risk-based prioritization in the application of your own security practices, as well as in managing the downstream risk posed by vendors, suppliers and other third parties.
“Risk Based Security, NIST and University of Maryland Team Up To Tackle Security Effectiveness.”
February 17, 2017; By RBS
Another key message in the blog was to highlight a joint research project by “NIST’s Computer Security Resource Center and the University of Maryland, known as the Predictive Analytics Modeling Project (http://csrc.nist.gov/scrm/pamp-assessment-faqs.htm). The aim of the project is to conduct the primary research needed in order to build tools that can measure the effectiveness of security controls.” The project web site also says their mission includes seeing “how your organization compares to peers in your industry.” For more on this project see “CyberChain” at: https://cyberchain.rhsmith.umd.edu/.