By Matt Carroll, Senior Manager, Technology Governance, Risk, & Compliance
Getting dressed is a routine example of everyday life that is packed full of choices. Should I wear pants or shorts? Do I need a sweater? Shoes or sandals? While we may make these choices subconsciously, I would argue that even actions that don’t appear as choices include several microscopic risk-based calculations.
We exercise similar judgments on behalf of the organizations that employ us. Each judgment we make corresponds to a level of risk and, in the cybersecurity industry, what is believed to be safe today may no longer be safe tomorrow (or possibly even within the hour). Given this unique challenge, how do you establish a process that allows you to identify, analyze, prioritize, and treat security risks that are constantly evolving and where the threat is persistently adapting?
The ability to clearly express and coordinate accumulated security risk within the organization allows us to focus on addressing the most critical organizational risks. In this blog, I will demonstrate the risk methodologies and best practices we’ve developed at Adobe that have helped us rapidly measure security risk in a constantly changing security landscape.
Defining the Scope of a Risk Program
For the purposes of baselining the term “risk,” let’s use the National Institute of Standards and Technology (NIST) definition, which defines a risk as “a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.”
The goal of an effective risk management program is to build an active function in which risks are identified, triaged in a consistent manner, and presented to leadership for action via risk-based decisions. However, a common pitfall to reaching this goal is maintaining a risk management program that ends up with hundreds — or even thousands — of tracked risks without any real action.
To understand this better, let’s walk through an example:
Let’s say you perform a vulnerability scan against your environment and receive back a report of 500 identified vulnerabilities. Technically, each individual vulnerability represents a unique risk to the organization.
Rather than adding a list of vulnerabilities to the risk register, it’s important to note that existing capabilities and processes in your security organization can be leveraged to mitigate those risks. For example, a well-established vulnerability management program may proactively address the risks associated with identified vulnerabilities by directly issuing tickets to offending teams for mitigation, thereby removing the need to add each individual vulnerability risk to your register.
Given this understanding, Adobe primarily registers risks in our program under the following two (2) conditions:
- An identified issue where no process currently exists to address the issue (e.g., an issue is identified that is beyond the scope of the vulnerability management program), or
- An identified issue where the risk in a given process is high enough that the process is no longer reasonably functioning (e.g., a team is not meeting its vulnerability SLAs).
Performing a Risk Assessment
Once you start identifying and collecting risks in your register, the next step is to triage (or assess) the level of risk to the organization. The assessment’s results will provide guidance on which risks to prioritize and treat first, versus risks that may pose a less severe threat and grant you some flexibility.
Two (2) industry standards prevail when it comes to performing risk assessments:
- Qualitative: Non-numerical estimates of a given risk (e.g., Critical, High, Likely, Unlikely)
- Quantitative: Numerical estimates of a given risk (e.g., 40% likelihood of occurrence resulting in the potential loss of $1M)
Our team uses both methods: qualitative ratings provide speed, agility, and ease of understanding, and they are backed by quantitative data and numerical calculations that determine the risk prioritization. This assessment process allows Adobe to remain agile and provide leadership the right information to make critical decisions. Organizations must evolve from point-in-time, compliance-driven, annual risk assessments to continuous, real-time risk and threat evaluation.
Rating Inherent Risks
To demonstrate our agile approach to strategic risk management, let’s use the following industry standard risk measurements:
- Inherent Risk: the likelihood and impact of a specific risk event occurring in the absence of any security posture
Inherent Risk = Likelihood x Impact
- Residual Risk: the remaining risk after taking action to alter the risk’s likelihood or impact
Residual Risk = Inherent Risk - Security Posture
Before starting a risk assessment, it is vital to ensure the risk itself is sufficiently documented in description and in detail — both technical and non-technical.
To develop a system that can consistently evaluate information and rapidly determine the likelihood and impact of any risk, we formulated a listing of boolean (Yes/No) questions during the risk intake process.
Question Examples:
- Likelihood: Is the risk publicly exposed?
- Impact: If the risk is exploited, will there be internal [or external] consequences?
All risk ratings start at “Low,” or a score of 0, and increase as triage questions are answered with a “Yes” response. The same set of questions is used to assess each ingested risk, allowing for rapid apples-to-apples comparison regardless of risk domain, category, or type. This uniform intake measurement process allows us to quickly identify the most significant inherent risks to our organization.
Determining Security Posture & Residual Risk
Once we’ve determined inherent risk, we evaluate our security posture in relation to the risk. Security posture refers to an organization’s overall cybersecurity strength and how well it can predict, prevent, and respond to security threats and risks.
At Adobe, we use the Adobe Common Controls Framework (CCF) as the foundation of our security posture. The CCF is applied across the enterprise to ensure a standard baseline of risk-mitigating security controls is in place. In addition to our CCF controls, we also consider the following in relation to overall security posture:
- Security policies, standards, or standard operating procedures
- Consistency, level of adoption, and effectiveness of security processes, tooling, and controls
- Level of automation regarding security processes, tooling, and controls
- Current state of vulnerabilities and patches (e.g., up to date vs. pending release)
To help determine the overall security posture for a given risk, we’ve established a Security Risk Operating Committee composed of subject matter experts. These experts meet frequently with the security risk management team to provide insight, knowledge, and guidance that is considered during the risk evaluation process. Once we determine security posture, we can calculate the remaining residual risk.
It’s important to define your organization’s residual risk thresholds. These thresholds may be either quantitative (e.g., a score above 75, or an impact of $X of annualized revenue) or qualitative (e.g., High or above) in nature. Any risk whose residual risk is at or above the threshold is reported to the Risk Steering Committee or the appropriate leadership team in the organization for risk-response prioritization and decision-making.
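The scoring procedure described above (boolean intake questions that raise a score from 0, Inherent Risk = Likelihood x Impact, Residual Risk = Inherent Risk - Security Posture, and a threshold that decides what reaches the steering committee) can be expressed end to end in a few dozen lines. The following is an added illustration, not Adobe’s own tooling: the post gives only two example questions and the two formulas, so the rest of the question bank, the point values, the posture scale, the rating bands, the three sample risks and the threshold are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed question bank (assumption). The post gives only two example
# questions; the others and all point values are made up for illustration.
# Each "Yes" adds the question's points, so every rating starts at 0 ("Low").
LIKELIHOOD_QUESTIONS = {
    "publicly_exposed": 2,            # from the post's example question
    "known_exploit_available": 2,     # assumed
    "no_authentication_required": 1,  # assumed
}
IMPACT_QUESTIONS = {
    "internal_consequences": 1,       # from the post's example question
    "external_consequences": 2,       # from the post's example question
    "regulated_data_involved": 2,     # assumed
}

# Assumed mapping from a numeric score back to the qualitative label leadership
# sees: the numbers drive prioritization, the label drives the conversation.
RATING_BANDS = [(10, "Critical"), (6, "High"), (3, "Medium"), (0, "Low")]


@dataclass
class Risk:
    name: str
    answers: dict   # question id -> True for "Yes"; a missing key means "No"
    posture: int    # security-posture points agreed by the operating committee (assumed scale)


def score(answers, questions):
    """Sum the points of every question answered Yes; unanswered counts as No."""
    return sum(points for q, points in questions.items() if answers.get(q, False))


def qualitative(value):
    """Translate a numeric score into the qualitative band it falls in."""
    for floor, label in RATING_BANDS:
        if value >= floor:
            return label
    return RATING_BANDS[-1][1]


def inherent_risk(risk):
    """Inherent Risk = Likelihood x Impact, both scored from the intake questions."""
    return score(risk.answers, LIKELIHOOD_QUESTIONS) * score(risk.answers, IMPACT_QUESTIONS)


def residual_risk(risk):
    """Residual Risk = Inherent Risk - Security Posture (floored at 0; assumption)."""
    return max(0, inherent_risk(risk) - risk.posture)


def triage(risks, threshold):
    """Assess every registered risk and order the result for the steering committee."""
    results = []
    for risk in risks:
        residual = residual_risk(risk)
        results.append({
            "name": risk.name,
            "inherent": inherent_risk(risk),
            "residual": residual,
            "rating": qualitative(residual),
            "escalate": residual >= threshold,  # at or above the threshold goes to leadership
        })
    return sorted(results, key=lambda r: r["residual"], reverse=True)


# Constructed sample register (assumption): three risks with intake answers and posture points.
SAMPLE_RISKS = [
    Risk("internet-facing service outside VM program scope",
         {"publicly_exposed": True, "known_exploit_available": True,
          "internal_consequences": True, "external_consequences": True}, posture=4),
    Risk("team missing vulnerability SLAs on internal tooling",
         {"no_authentication_required": True, "internal_consequences": True}, posture=0),
    Risk("customer data store reachable without authentication",
         {"publicly_exposed": True, "no_authentication_required": True,
          "internal_consequences": True, "external_consequences": True,
          "regulated_data_involved": True}, posture=10),
]
RESIDUAL_THRESHOLD = 6  # assumed organizational threshold ("High or above")

if __name__ == "__main__":
    for entry in triage(SAMPLE_RISKS, RESIDUAL_THRESHOLD):
        print(f"{entry['name']}: inherent={entry['inherent']} residual={entry['residual']} "
              f"({entry['rating']}) escalate={entry['escalate']}")
```

Two design points worth noting. Because every risk answers the same question bank, the inherent scores are comparable across domains, which is what makes the sorted output meaningful. And the third sample risk shows why posture is scored separately: its inherent score is the highest in the register, but the controls already in place pull its residual score below the threshold, so it is tracked rather than escalated.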
By establishing clear, documented processes for assessing security risks, we can create an agile methodology that quickly arms leadership with the appropriate information to make decisions on the highest and most critical risk issues facing the organization.
Conclusion
Security risk management can quickly become a convoluted process, often requiring input from multiple teams and resulting in delayed decision-making. To ensure their resources are continually focused on addressing the most critical issues, it is crucial for organizations to establish agile and continuous risk evaluation programs. Threats are evolving and attacks are constantly changing. Are you evolving your risk program to keep up?
If you’re interested in having a deeper conversation or joining a risk knowledge-sharing session, please contact us at securityrisk@adobe.com.