Are we focused on the wrong things?

Successfully building your security strategy requires effective risk management. All too often though, security programs focus on the wrong things, chasing after headline-grabbing threats while fundamentals proven to keep organizations secure remain neglected, leaving businesses vulnerable to major risks.
As an industry, we have well-established practices for managing risk effectively - methodologies for assessments, an understanding of systems thinking, and multiple methods for threat modeling. Despite having these tools at our disposal, many organizations still struggle to prioritize security efforts effectively. This raises the question: why do we continue to miss the mark?
This disconnect can be attributed to several factors, each contributing to a misalignment between perceived and actual risks and, in aggregate, leading businesses to take on far more risk than they need to, often without even realizing it.
Some examples:
💎 Shiny objects have a special pull on those interested in technology, including security professionals. Media covers dramatic incidents, state-sponsored attacks using 0-days and vendors constantly present new acronyms to register in the Gartner Dictionary of Security Tools You Need. This can lead teams to prioritize high-profile threats or new tools over more mundane but more significant risks, like unpatched vulnerabilities or weak authentication.
🧠 Cognitive biases significantly influence decision-making and, unless your team actively accounts for their effects, they’ll affect how you consider risks. Availability bias causes overestimation of the likelihood of a class of attack if it happened recently and received significant attention. Confirmation bias leads teams to focus on confirming existing beliefs, discounting contradictory evidence. Optimism bias, the illusion of control and the sunk cost fallacy are a few more that cloud decision making if you don’t work to counter them.
🎱 Quantifying the value of preventative measures to businesses was a difficult challenge long before the complexity of technological systems was added. Traditional ROI calculations rely on assumptions which vary widely depending on the methodology. When they’re generated without extensive collaboration or not communicated well, executives won’t have confidence in the results. To overcome this, make your risk assessment processes transparent and collaborative. By enabling participation, you build trust across the org, setting the foundation for a shared understanding of the organization's security posture.
🗺️ Dry statistics don’t convey risk in terms that the human brain can easily absorb and decision makers need to understand the business value of your recommendations. Translate statistics to a compelling story that maps the risks to critical business goals. Don’t underestimate the value of stories to make numbers more real. Make sure they're grounded in real life though 👇🏼
👹 While it's crucial to communicate potential consequences, don’t rely on fear-based tactics or overhyped statistics. Using generic figures, like the average cost of a breach from some report, is a quick way to show you don’t understand statistics and undermines credibility. Instead, provide realistic, specific-to-your-org assessments of the potential impacts to help drive informed decisions about risk tolerance and resource allocation.
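To make the last three points concrete, here is an added example (not from the article, and not the author's method): a small risk-quantification script that keeps every assumption behind a security ROI figure visible, so stakeholders can challenge the inputs rather than argue about a single output number. It uses the common ALE/ROSI textbook form as its model, which is an assumption of the example, and every figure in it (a hypothetical 150k/year control, a "generic breach report" view and an "org-specific" view) is constructed for illustration, not real data. The point it shows is that the same control flips from "pays for itself" to "not worth it" purely on which inputs you plug in, which is why transparency about them matters.

```python
"""Added example (not from the article): a risk-quantification sketch that makes the
assumptions behind a security ROI figure explicit, so they can be reviewed and argued about.

Model used here (one common textbook form, an assumption of this example, not the article's):
  ALE  = ARO x SLE                         (annualised loss expectancy)
  ROSI = (ALE saved - control cost) / control cost
All figures below are constructed illustrations, not real data.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskAssumptions:
    """One complete, documented set of inputs to the ROSI calculation."""
    name: str            # where the numbers came from (so reviewers can challenge them)
    aro: float           # annual rate of occurrence: expected incidents per year
    sle: float           # single loss expectancy: expected cost of one incident
    reduction: float     # fraction of ALE the control is expected to remove (0..1)
    control_cost: float  # annual cost of running the control


def annualised_loss(aro: float, sle: float) -> float:
    """ALE = ARO x SLE."""
    return aro * sle


def rosi(a: RiskAssumptions) -> float:
    """Point-estimate return on security investment for one assumption set."""
    ale_before = annualised_loss(a.aro, a.sle)
    ale_saved = ale_before * a.reduction
    return (ale_saved - a.control_cost) / a.control_cost


def simulate_rosi(aro_range, sle_range, reduction_range, control_cost,
                  samples=10_000, seed=0):
    """Monte Carlo over a uniform range for each input, instead of single guesses.

    Returns the 10th/50th/90th percentiles of ROSI and the share of runs in which the
    control pays for itself. Uniform ranges are a deliberate simplification.
    """
    rng = random.Random(seed)  # fixed seed so the result is reproducible in review
    results = []
    for _ in range(samples):
        aro = rng.uniform(*aro_range)
        sle = rng.uniform(*sle_range)
        reduction = rng.uniform(*reduction_range)
        results.append(rosi(RiskAssumptions("sample", aro, sle, reduction, control_cost)))
    q = statistics.quantiles(results, n=10)  # nine cut points: q[0]=p10 ... q[8]=p90
    return {
        "p10": q[0],
        "p50": q[4],
        "p90": q[8],
        "share_positive": sum(r > 0 for r in results) / samples,
    }


# Constructed inputs: the same hypothetical control (150k/year) seen two ways.
CONTROL_COST = 150_000.0

# 1) Plugging in a headline "average cost of a breach" style figure.
GENERIC = RiskAssumptions("generic breach-report figure", aro=0.1, sle=4_000_000.0,
                          reduction=0.5, control_cost=CONTROL_COST)
GENERIC_RANGES = dict(aro_range=(0.05, 0.2), sle_range=(2_000_000.0, 6_000_000.0),
                      reduction_range=(0.3, 0.7), control_cost=CONTROL_COST)

# 2) Estimates built from this hypothetical organisation's own incident history and asset values.
ORG_SPECIFIC = RiskAssumptions("org-specific estimate", aro=0.3, sle=250_000.0,
                               reduction=0.4, control_cost=CONTROL_COST)
ORG_RANGES = dict(aro_range=(0.1, 0.5), sle_range=(100_000.0, 400_000.0),
                  reduction_range=(0.2, 0.6), control_cost=CONTROL_COST)


def compare() -> dict:
    """Run both views side by side; the sign of ROSI flips purely on the inputs chosen."""
    return {
        GENERIC.name: {"point": rosi(GENERIC), **simulate_rosi(**GENERIC_RANGES)},
        ORG_SPECIFIC.name: {"point": rosi(ORG_SPECIFIC), **simulate_rosi(**ORG_RANGES)},
    }


if __name__ == "__main__":
    for name, summary in compare().items():
        print(f"{name:>30}: point ROSI {summary['point']:+.2f}, "
              f"p10/p50/p90 {summary['p10']:+.2f}/{summary['p50']:+.2f}/{summary['p90']:+.2f}, "
              f"pays off in {summary['share_positive']:.0%} of runs")
```

The named `RiskAssumptions` record is the transparency mechanism: each input carries a label saying where it came from, and the Monte Carlo forces you to state a range rather than a single number you cannot defend. With the constructed inputs, the generic view gives a positive point ROSI while the org-specific view never pays off in any sampled run; neither number is "right", but only the second one is grounded in something the organization can verify.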
Continuous Improvement and Adaptability
When it comes to risk, you can’t and won’t win every bet.
What you can do is build a culture that constantly learns from successes and losses.
👩🏻🏫 Learning from incidents - When something goes wrong, it's essential to have a culture that embraces blameless reflection. Beyond looking at what caused the incident, evaluate how what happened matched up (or not) with your risk assessments.
Was the risk underestimated and not prioritized? Totally missed as a risk? Did a control fail due to inadequate operationalization? Not enough depth to your defense-in-depth? Dig in to find out how you can learn from every incident.
By examining incidents from the perspective of how you managed the risk leading up to it, you identify areas for improvement and refine your processes.
🃏 Not every incident is the result of a flawed risk assessment or inadequate controls. Like pulling a bad draw in poker, sometimes, despite making the best choices based on available information, you’ll still have a negative outcome.
An insider stealing documents might have been deemed a lower risk so detections weren’t prioritized. Reassess the assumptions and determine if any adjustments to the process need to be made. It’s entirely possible though, that your decision at the time was correct even though The Bad Thing™ happened.
The important part is that you reflect back, always looking for room for improvement.
⭐ Conversely, just because you weren’t breached last year doesn’t mean you’re running a perfect game. Critique assumptions as if you just had an incident to ensure they still hold and that you focus on the right problems.
When things are going well, you’ve got to push even harder for improvement. The alternative is complacency.
🔟 Nothing in life is binary. You don’t have to completely avoid a risk to be able to address it. You might not be able to prevent a project using sensitive PII but by collaborating ahead of time with product and engineering teams, you can lower the probability or impact of an incident.
⚛️ Risk management is based on probabilities, and even the most well-informed decisions can lead to undesired outcomes. Recognize that the goal isn’t 100% success at prevention but rather to drive smart management of risks.
Don’t underplay culture in risk management. Teams that constructively question assumptions and seek new information to pull lessons from set the stage for success in the long game.
The Value of Collaboration and Diverse Perspectives
🫱🏻🫲🏾 Effective risk management requires a collaborative approach that incorporates diverse perspectives from across the organization. When assessing risk, it's essential to involve stakeholders from various departments, including IT, operations, legal, and business units. Each of these groups brings unique insights and expertise that can help identify risks that may not be immediately apparent to the security team.
🌐 For example, an IT team member might be aware of a critical system integration that could introduce unexpected vulnerabilities, while a business unit leader may highlight a key process that relies on a system the security team wasn't fully aware of. Open communication and collaboration enable a more comprehensive understanding of the organization's risk landscape and more informed decisions about prioritization and resource allocation. Do everything you can to incentivize it, and gather feedback from outside your team to gauge how you’re doing.