[Interview] Yury Chemerkin: It helps to show that the idea of ‘security is everyone’s job’ works

In an ever-changing threat environment, companies deal with a lot of challenges, and risk management is one of them.
To better tackle this, organizations should identify the key security threats and vulnerabilities, and apply robust solutions that will protect their most valuable data.
We talked to Yury Chemerkin, a security expert at JSC Advanced Monitoring and speaker at the upcoming DefCamp #9, to find out his insights about the importance of risk management in organizations.
He explained some key aspects that companies need to focus on when they evaluate and manage risks in an effective way.
While planning ahead should be a top priority for businesses to prevent and mitigate a large number of potential threats before they occur, risk management is still perceived as a nice-to-have in companies.
Yury believes that “rapid software development and deployment determine everyone to prioritize security risks and help organizations become less vulnerable to threats.”

The risk management system was created to formalize the risk analysis process by an internal team or third-party consulting companies that, in turn, gave standardized structure and methodology. The problems and their impacts are supposed to be discovered before they occur in various risk-handling activities.

During uncertain times and constant changes, organizations should make consistent efforts with limited resources to manage their risks. But how can they prioritize them in an effective, practical manner?
Yury emphasizes that companies need to narrow down the risks of the IT department and then focus on remediation for critical devices with the use of powerful ethical hacking tools.
To this, he adds:

The list of relevant risks should include new activities, software and hardware extensions, strategy updates and so on. It’s also essential to determine a relative priority for risks when compounding them: it is important not to exclude lower level risks. Instead, it’s useful to combine them with the aggregated risk.

Moreover, Yury believes that every company should “define a list of risks for each piece of software, service, cloud app and so on into a knowledge database and share it with employees. It helps to show that the idea of ‘security is everyone’s job’ works.”
We know that most infosec specialists are always informed about the latest threats, so they play a key role within organizations in helping them better understand cyber risks. However, security professionals can face an overwhelming number of risks that require them to stretch themselves and their resources thin.
In this context, we reached out to Yury and asked his opinion on how they can better cope with this, while having a significant impact on the overall security level of their organization.
Here’s a piece of advice from him:

Efficient risk management includes early risk identification through the collaboration and participation of pertinent stakeholders.

He also emphasized the importance of detecting threats in early stages, because it will be more comfortable, less costly and less disruptive.
One of Yury’s recommendations was to “find the tools or extend existing ones to create ways to automate your incident response and provide useful alerts for each incident in accordance to your environment. Today, AI tools and Machine Learning tools are capable of defending many cyber risks and correlate with business decisions and knowledge databases.”
On a (more) personal level, we wanted to know how Yury organizes his work and focuses on monitoring the right risks without being influenced by industry trends or the latest trendy vulnerabilities.
He talked about the time he worked as a consultant for various security projects and how it helped him use a list of fundamental risk principles such as:

  • Define a risk taxonomy as a list of identified risks, including the context, conditions, and consequences of risk occurrence.
  • Define a set of accepted risks according to the internal policy and additionally rely on security insurance strategies to prevent unexpected breaches in the future.
  • Build a clear data flow between assets and threats to keep it relevant for the business.
  • Define a list of risks per each piece of software, service, cloud app and so on as a knowledge database and share it with employees.
  • Persuade executives to get a dashboard that has a clear business-scoring model that allows them to engage and appreciate how security affects their business.

At the very end of the interview, we wanted to know what Yury thinks it will take to move from a reactive way of dealing with data security issues to a proactive one. How long could this process be?
He pointed out that the risk management team should have a proactive mindset and focus their efforts on mitigating risks.
In addition,

to make it clear: you have a system, a list of risks, and protection mechanisms. Threats and protection turn into costs to discover ups and downs: if the price of security is higher than the costs of attack in time, then it is ‘down’ to track. As soon as it counts many downs, you start fixing a system. The same for ‘ups,’ when you get a significant difference between the total costs of protection and attacks (when the attack cost is higher than security), you make changes in the appropriate systems.

If you found this interview useful, there are more surprises coming to you next month, at DefCamp #9, so grab your ticket for November 8 and 9 today!  
This interview was made by Ioana Rijnetu. You can get in touch with her on LinkedIn or say hello on Twitter.
DefCamp is powered by Orange Romania and it’s organized by the Association “Research Center for Information Security in Romania” (CCSIR).
DefCamp 2018 is sponsored by Ixia, Keysight Business, SecureWorks and Intralinks as Platinum Partners and it’s supported by IPSX, Bit Sentinel, TAD Group, Enevo, Crowdstrike, CryptoCoin.pro, Siemens, Alef, UiPath, Atos and Kaspersky Lab.
