cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Operational Risk a Top Concern for 2018?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Operational Risk a Top Concern for 2018?

Re: Operational Risk a Top Concern for 2018?

LyndsayT
ISC2 Former Staff

As it is January, I have been asking our EMEA Advisory Council and, whenever I get the chance, other members in our Region, about the big issues they anticipate for 2018. I haven’t asked for predictions necessarily, rather a view of what they believe will be dominating the day-to-day. Many of the top responses are to be expected:

 

  • They anticipate GDPR panic as too many organisations around the world are only just beginning to appreciate its reach and the enormity of the task;
  • A rise in IoT vulnerability, or “Internet of Threats” (as they liked to put it) will continue to put on the pressure as security requirements continue to lag in the assessment of development criteria and;
  • A rise in globally sophisticated attacks that take advantage of the above, with more automation and AI pushing the boat out for the bad guys.

 

One area, however, feels quite new to me:

 

  • The shift in Operational Risk – traditional resilience measures are becoming obsolete at a rapid rate leaving companies without the ability to actively monitor for security incidents, and/or understand how to cope with the dynamic infrastructure and scale they are developing as they move over to cloud infrastructures. Operational requirements are shifting with digital transformation and companies are asking not just how do we get more skilled talent; but also, how does the team need to evolve? 

What are your thoughts on this issue?  Are Security operations a Top concern?  Anything missing from the list?   Does it vary by region?

10 Comments
JoePete
Advocate I

@LyndsayT wrote:

 

 

  • The shift in Operational Risk – traditional resilience measures are becoming obsolete at a rapid rate leaving companies without the ability to actively monitor for security incidents, and/or understand how to cope with the dynamic infrastructure and scale they are developing as they move over to cloud infrastructures. Operational requirements are shifting with digital transformation and companies are asking not just how do we get more skilled talent; but also, how does the team need to evolve? 

This is an interesting question with a number of premises that could be challenged on their own:

  1. Traditional measures are becoming obsolete. Maybe but many of the attacks we see actually are old attacks/concerns continuing to rear their head.

  2. The change in the landscape leaves companies without the ability to monitor or cope security concerns. Perhaps, but is like saying someone who designs spends thousands on interior design only to have their leaking roof ruin it lacked the ability to monitor their roof. Leap before looking remains a business fundamental.
  3. Operational requirements are shifting. Operations may be shifting, but they aren't necessarily required. Too many business models rely on massive market share for success. That is inherently a high risk proposition.
  4. Organizations are asking how do we get the necessary talent and how do our human resources evolve to match. I don't think this is a new challenge.

Fundamentally, business leaders struggle to understand technological challenges and technologists struggle to understand business challenges. While higher education can take some of the blame in the shortcomings on both sides, I think the real risk profile is not with any of the "tech" but in the venture capital world that throws millions at half baked/half secure organizations. Equifax failed due to patch management. That is like the security guards at a brick and mortar bank failing to turn on the alarm and lock the door for a few months. Still, Equifax stock is now trading higher than it did a year ago and has made back much of what it lost in September. So from a risk standpoint,is there really much risk. Even as GDPR looms, taxing revenue is pennies compared to stock price. It appears as though financial analysts, executive management, and even the public as a whole don't care much about security. The pockets where there may be concern, I don't think you find any secret formula. It is basic business execution. I tell people that IT is not science; it's basically data plumbing. I suppose in that sense, cybersecurity is plumbing inspection. To do it well takes simplicity, attention to detail and some organizational redundancy. Instead, what we see from organizations is that every time a new type of pipe or fitting is developed, we are insistent on ripping out all the plumbing and replacing it.

DHerrmann
Contributor II

My hunch is that 2018 will be the year of GDPR and escalated cyber-crime by the North Koreans.   

 

But Operational Risk is a really big deal, especially as companies continue to try to do more with less.   Old-fashioned concepts like segregation of duties & single points of failure become almost impossible if staff levels are kept low.   

 

And, in that vein, risk treatment becomes even more important.   Can a company practicing due care, risk accept their own lack of GDPR-compliant controls (encryption, for example) on data covered by GDPR?  Of course they can, but they are likely in violation of GDPR.   To me, this speaks volumes to the need to carefully scrutinize risk acceptance requests, and perhaps to even go in with the thought that all will be denied unless very well argued and backed up with hard data.


The days of kicking risk down the road will hopefully be coming to an end.

canLG0501
Newcomer III

Operational risk sounds like an old challenge that is even more present now because of the shift in the hiring processes.  Information Security professionals are often left out of the Human Resources operational decisions until the final stages.  Recruitment happens via phone interviews and postings to attract diverse candidates have not been updated in 10 years.  I look forward to becoming more involved this year.

LyndsayT
ISC2 Former Staff

Interesting thread here. One of our EMEA Advisory Council members Tamar (Tom) Gamali will be hosting a CISO Round Table at Infosecurity Middle East in Abu Dhabi next week - Operational Risk and the Role of the CISO. I expect frank discussion on whether the CISO is truly positioned to manage the operational risk from cyber threats. 

 

Tom shared some of his views on the (ISC)2 blog last week.

 

By Tamer Gamali, CISSP, CISO and member, (ISC)² EMEA Advisory Council

As a Chief Information Security Officer (CISO) based in Dubai with 15 years working in financial services,  and a member of (ISC)²’s EMEA Advisory Council I am keen to help companies develop a deeper understanding of how operational risks are evolving with cyberthreats.  I have become aware of a growing body of opinion within cybersecurity circles that suggests the senior management tier represents a significant threat to their businesses today. They are a group that understands and works hard to mitigate risk, but, as more and more companies move forward with digital transformation strategies, not necessarily the risks that hold the greatest potential to harm their companies. This leaves a gap in the management of business and the management of business risk. ....

 

http://blog.isc2.org/isc2_blog/2018/02/the-focus-on-cyber-risk-is-it-time-to-stop-talking-security.h...

 

would be good to pull in a few views here as well. What do you think?

 

 

Beads
Advocate I

For one as a community we cannot continue to treat all of security as simply a technology issue but also as a business issue or we will forever be behind the threat curve.

 

We seem to pay some attention to risk management within the field only to treat said topic with lip service in actual practice. Move beyond simple ALE and take a broader look at your annual enterprise risk management surveys, identify your top risks and shore up your defenses. Much the same can be said for those facing new GDPR regulations. Its going to be an ugly, bumpy ride for the next year or so. No getting around the ramifications here.

 

With the explosion of unprotected IoT devices flooding your employee's homes we need to treat this risk as an extension of our own corporate networks. Why? Where's the connection between an unsecured dishwasher and my corporate network? Your employee's phone first of all. When working from home, a dual connection to both the corporate network, VPN and that all connected Wi-Fi is now indirectly your responsibility. Be on the lookout for new and inventive ways of compromising your network. Yes, already seen the dishwasher attacking my network via an unsecured, built in web server also connected to someone's personal Wi-fi. Shodan is your friend here.

 

2018 should prove to be as fascinating as all the other past years. Isn't that what drew you into the field in the first place? Please don't give us the fame and fortune excuse or your in the wrong field. Smiley LOL

 

 

DHerrmann
Contributor II
What do you mean by "shift in the hiring process"?
LyndsayT
ISC2 Former Staff

Good question - more detail on the shift in the hiring process would be good to understand. Our workfroce study research shows the reliance on personal networks and HR, and the continued deference to experience, and I do keep hearing about unreasonable job specs that ask for everything. 

 

What shifts are happening? should be happening? There is growing interest from governments on what is happening at the entry level, even if volumes are low. 

 

Lynds

 

mgoblue93
Contributor I

> What shifts are happening? should be happening? There

> is growing interest from governments on what is

> happening at the entry level, even if volumes are low. 

 

I see a shift in relevant experience . Well in some markets.  In my local Federal government region, they're still hiring people who have certs and experience in only hardening hosts or being able to quote policy.

 

Otherwise, I see a lot of activity hiring where organizations want candidates who can translate business to technical and technical to business.  Having a cert may be good to get your foot in the door from a 8570.1 perspective for example -- but that should really be just the start, not the reason for hiring someone.

 

I've observed employers are starting to look for more how can this candidate actually protect my business?  Finally people are seeing the need to move more past policy and governance shelfware because the adversaries don't play by those rules.  The adversaries get in, get out, and loot whatever they can however they can.  A true cyber team needs to be made of professionals that have relevant experience that directly translates to producing secure services rather than just talk about them.

 

Just my observation. 

canLG0501
Newcomer III

Rather than applying for positions and dealing directly with hiring managers, often new employees have to deal with recruiters that are less knowledgeable about the actual position.  Sometimes recruiters screen differently than actual hiring managers.

LyndsayT
ISC2 Former Staff

thank you to all