Why is risk prioritisation such a challenge for enterprise security teams?
March 11, 2020
Time-strapped security teams have to focus their efforts on high-priority risks, but the complexity of modern IT estates is making risk prioritisation harder than ever.
Most enterprise organisations will have thousands of known and unknown risks on their network. Many of these risks will be low impact and low priority. But hidden among them may be critical risks that, if not addressed, could affect the smooth running of the business or expose sensitive data. These could include systems storing PII or relating to payment processes and trading systems.
Security teams need to understand which risks have serious consequences and which risks don’t. Identifying and isolating high-priority risks helps security teams to focus on the risks that matter most to the organisation and its stakeholders. It also helps the team to make the most of its resources.
But prioritising risk in an enterprise environment can be challenging. The complexity of modern IT systems makes it difficult to establish a unified view of risk across the organisation. This makes it hard to understand the relationships between mission-critical processes, locations and systems and their associated assets and controls. Without this understanding, it’s very difficult to prioritise risk based on impact to the business.
Also, security teams will often have to report on risk to multiple internal and external stakeholders, with metrics aligned to whatever framework those stakeholders prefer, creating additional work for a team that’s already short on time.
The complexity of modern IT systems
The scale and complexity of enterprise IT estates are always expanding, a trend that is unlikely to reverse anytime soon.
As the business looks to IT to unlock greater productivity and better ways of working, security teams are left playing catch-up, trying to manage an ever-growing inventory of servers, network devices and endpoints. All of these have to be inventoried and monitored for threats, malware and vulnerabilities.
At the same time, IT estates are fragmenting. Most enterprises have adopted a hybrid or multi-cloud setup, which can lead to siloed visibility, gaps in coverage and grey areas regarding who is responsible for what.
As the size and complexity of the attack surface grows, so does the number of risks, which makes risk prioritisation even more important, while also making it harder to achieve.
The volume of tools
In an effort to manage the increasing attack surface, security teams invest in a wide range of security tools. In fact, our research has found that the average security team is running more than 50 different tools.
Unfortunately, these tools can end up solving some problems while also creating new ones.
For instance, let’s imagine a security team wants to find out whether systems that host PII have EDR deployed and operational.
They might have to pull data from more than half a dozen tools to get the raw information and then merge that data to get the full picture. This kind of manual data gathering and processing is time-consuming and error-prone.
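The control-coverage question above (which PII-hosting systems lack an operational EDR agent?) is typically answered by joining exports from several tools. The following is an added example, not Panaseer's code: it joins three constructed exports (a CMDB inventory, a data-classification tool's list of PII hosts, and an EDR console's agent list) and flags PII hosts whose agent is missing or stale. Tool names, fields and the seven-day staleness threshold are assumptions; note that the same machine appears under different spellings in different tools, which is exactly the kind of manual reconciliation the text describes.

```python
"""Added example (not Panaseer's code): join exports from three hypothetical
tools to answer "do the systems that host PII have EDR deployed and operational?"
All data below is constructed for illustration."""
from datetime import datetime, timedelta, timezone

# Constructed CMDB / asset-inventory export: hostname and owning team.
CMDB = [
    {"hostname": "PAY-DB01.corp.example", "owner": "payments"},
    {"hostname": "hr-app02.corp.example", "owner": "hr"},
    {"hostname": "web-edge03", "owner": "web"},
    {"hostname": "trade-gw01.corp.example", "owner": "trading"},
]

# Constructed data-classification export: hosts known to store PII.
# Short names vs FQDNs and mixed case are typical across tools.
PII_HOSTS = {"pay-db01", "HR-APP02", "trade-gw01.corp.example", "legacy-fs09"}

# Constructed EDR console export: one row per installed agent.
EDR_AGENTS = [
    {"host": "pay-db01.corp.example", "last_seen": "2020-03-10T09:00:00Z", "status": "healthy"},
    {"host": "HR-APP02", "last_seen": "2020-02-01T09:00:00Z", "status": "healthy"},  # stale
    {"host": "web-edge03", "last_seen": "2020-03-10T09:00:00Z", "status": "healthy"},
    # trade-gw01 has no agent row at all
]

# Assumed threshold: an agent that has not checked in for a week is not "operational".
STALE_AFTER = timedelta(days=7)


def canonical(name):
    """Normalise a hostname so the same machine matches across tools:
    lower-case and drop the domain suffix (assumes a single DNS domain)."""
    return name.strip().lower().split(".")[0]


def edr_coverage(cmdb, pii_hosts, edr_agents, now):
    """Return one row per PII host in the CMDB with its EDR state:
    'operational', 'stale' (unhealthy or not seen within STALE_AFTER) or 'missing'."""
    pii = {canonical(h) for h in pii_hosts}
    agents = {}
    for a in edr_agents:
        seen = datetime.strptime(a["last_seen"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        agents[canonical(a["host"])] = (a["status"], seen)
    report = []
    for asset in cmdb:
        h = canonical(asset["hostname"])
        if h not in pii:
            continue
        if h not in agents:
            state = "missing"
        else:
            status, seen = agents[h]
            state = "operational" if status == "healthy" and now - seen <= STALE_AFTER else "stale"
        report.append({"host": h, "owner": asset["owner"], "edr": state})
    return report


def unregistered_pii_hosts(cmdb, pii_hosts):
    """PII hosts the classification tool knows about but the CMDB does not:
    the 'unknown risks' that no owner will be chased for."""
    known = {canonical(a["hostname"]) for a in cmdb}
    return sorted({canonical(h) for h in pii_hosts} - known)


def gaps(report):
    """Hosts to escalate: PII hosts without an operational agent."""
    return sorted(r["host"] for r in report if r["edr"] != "operational")


if __name__ == "__main__":
    now = datetime(2020, 3, 11, tzinfo=timezone.utc)
    rows = edr_coverage(CMDB, PII_HOSTS, EDR_AGENTS, now)
    for row in rows:
        print(row)
    print("gaps:", gaps(rows))
    print("PII hosts missing from CMDB:", unregistered_pii_hosts(CMDB, PII_HOSTS))
```

Even this small join has to decide what "operational" means (installed is not the same as checking in) and how to reconcile host identity across tools; in a real estate the normalisation step is where most of the manual effort and most of the errors go.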
Reporting to multiple stakeholders
Reporting on risk is a key aspect of enterprise cybersecurity and security teams have to provide metrics on risk to various different stakeholders.
Vulnerability managers need actionable security metrics that will enable them to pin down and remediate mission-critical risks. CISOs need metrics that can help direct their team's resources to key problem areas. The board needs metrics that focus on wider organisational priorities, communicated in an accessible way. And GRC teams look for help addressing questions from regulators, auditors and other external stakeholders.
These different groups have different reporting requirements and levels of technical expertise. Some will be looking for a high-level view, some need detail. Some expect metrics aligned to NIST, others to CIS. As a result, security teams may have to report on the same set of data multiple times in multiple formats, as they tailor it to the needs of different groups.
How can security teams improve risk prioritisation?
We recently caught up with Mike MacIntyre, Panaseer’s VP of Product, to discuss why risk prioritisation is such a challenge for security teams and how Panaseer’s new capability, Business Risk Perspectives, can help.