
Are Leaders Taking Too Narrow a View of the Risks they Face?

14 Aug 2023 1 PM
Published by Joseph Feiman

Of course, they are! You might find your own explanations for that narrowness of view, but I will offer you mine.

It is not surprising that the view is narrow.

1. First of all, it is not one risk area, but many risk areas that should be viewed / observed / analyzed / strengthened.
2. Moreover, the view should encompass not only risk areas, but security areas as well, thus widening the view and requiring additional effort, skills, tools, resources and analytics.
3. These numerous responsibilities to view-analyze-detect-act are spread across a broad variety of executives and their respective organizations.
  • Security issues (such as Network Security, Application Security, Data Security, Cloud Security, Identity and Access Management) are the responsibility of a Chief Information Security Officer (CISO).
  • Compliance risks are under the auspices of a Chief Risk Officer (e.g., issues of the company's compliance with regulations such as HIPAA, PCI and GDPR).
  • Risk (Legal, Auditing, Ethics, Contract, Privacy, etc.) issues are under the Chief Risk Officer.
  • Operational risks are under the Chief Operating Officer.
  • Financial risks are under the Chief Financial Officer.
4. Those areas of risk, security and productivity do not have a single, generally adopted, well-defined scoring/measurement mechanism.
  • Having a view on a subject (e.g., a view on Application Security or Compliance Risk) means having a measuring/scoring mechanism that informs and indicates whether the security/risk values are within acceptable limits. Unfortunately, such measuring/scoring mechanisms are either vague, proprietary, or absent altogether.
  • Let us take Application Security as an example. There is a well-developed mechanism for rating the severity of vulnerabilities per OWASP guidelines (the so-called OWASP Top 10). Yet severity alone is not sufficient to provide a CISO and his/her employees with an actionable view. They must also know the probability/ease of detection of those vulnerabilities by hackers, the mission-criticality of the vulnerable application, the ease of fixing, etc. In other words, a complete assessment mechanism is proprietary and underdeveloped (or not developed at all).
  • Those mechanisms are not universally applicable either. For example, PCI Compliance Risk guidelines are quite well defined, yet they are not applicable to Legal and Ethics Risks.
5. Those security and risk areas are not correlated with each other. Neither are they correlated with the variety of parameters that define an enterprise's IT ecosystem.
  • Using our Application Security example, vulnerability severity should be correlated with the ease of vulnerability detection by hackers, as well as with the mission-criticality of the vulnerable application. Such correlation makes analytics actionable, setting priorities for remediation (the highest remediation priority should go to a mission-critical application whose vulnerability is easiest for hackers to detect).
  • Correlation between risk, security, and IT ecosystem characteristics enables contextual assessments, which in turn enable actionable advice and remediation efforts.
6. Shall we be surprised that so many executives do not have a comprehensive view of the many areas of risk, security and productivity, but rather a siloed view into each area of ownership?
  • Shall we be surprised that the lack of a generally accepted scoring/assessment mechanism for risk, security and productivity makes it challenging for those executives and experts to talk to each other and have a meaningful exchange on the enterprise's state of risk, security and productivity?
  • As a result of those deficiencies, executives see their own particular trees, but cannot see the forest for the trees. Should it be surprising, then, that hackers find pathways between those trees to breach the enterprise's forest?

We conclude that the absence of a comprehensive measuring/scoring mechanism weakens an enterprise's defenses and its ability to withstand attacks and cataclysms.

There is a clear practical need for the introduction of a new, comprehensive category that:

• Will serve as a composite characteristic for a variety of risk, security and productivity categories
• Will give CxOs an instant, easy-to-comprehend indicator of the state of risk, security and productivity
• Will enable drilling down into each subcategory
• Will enable practical remediation/improvement actions

That category should ensure trust in the enterprise's operational environment that supports all business operations and transactions.
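As an added example of the correlated scoring argued for in point 5 and of the composite, drill-down-capable indicator described in the closing list (illustration code written for this edit, not trustme.ai's product or a model the post defines): each finding carries OWASP-style severity plus the ease of detection by an attacker, the mission-criticality of the asset and the ease of fixing; the first three are correlated into an exposure value that orders remediation, per-area health scores roll up into one weighted indicator, and an area that has no scoring mechanism at all is reported as unscored rather than silently counted as healthy. The 1..5 scales, the exposure and roll-up formulas, the area weights and the sample findings are all constructed assumptions.

```python
"""Composite risk/security indicator with per-finding remediation priority.

Added illustration of the post's argument, not trustme.ai's own scoring model:
the 1..5 scales, the weights and the sample findings are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    area: str          # security/risk area owned by some CxO
    asset: str
    title: str
    severity: int      # impact if exploited, OWASP-style rating mapped to 1..5
    detect_ease: int   # how easily an attacker discovers it: 1 (hard) .. 5 (trivial)
    criticality: int   # mission-criticality of the affected asset: 1 .. 5
    fix_ease: int      # cost to remediate: 1 (hard) .. 5 (trivial)


def exposure(f: Finding) -> float:
    """Correlate severity with detection ease and asset criticality: 0..1."""
    for v in (f.severity, f.detect_ease, f.criticality, f.fix_ease):
        if not 1 <= v <= 5:
            raise ValueError(f"factor out of 1..5 range in {f.title!r}")
    return f.severity * f.detect_ease * f.criticality / 125.0


def drill_down(findings: List[Finding], area: str) -> List[Finding]:
    """Remediation order for one area: highest exposure first, cheapest fix breaks ties."""
    return sorted((f for f in findings if f.area == area),
                  key=lambda f: (-exposure(f), -f.fix_ease))


def area_score(findings: List[Finding], area: str) -> Optional[float]:
    """0..100 health score, driven mostly by the worst finding; None when the
    area has no assessed findings (no mechanism must not read as 'healthy')."""
    exp = [exposure(f) for f in findings if f.area == area]
    if not exp:
        return None
    worst, mean = max(exp), sum(exp) / len(exp)
    return 100.0 * (1.0 - (0.6 * worst + 0.4 * mean))


def composite(findings: List[Finding], weights: Dict[str, float]) -> Dict[str, object]:
    """Single CxO-level indicator: weighted mean of the scored areas, plus the
    share of total weight actually backed by data and the list of unscored areas."""
    scored = {a: area_score(findings, a) for a in weights}
    covered = {a: w for a, w in weights.items() if scored[a] is not None}
    total = sum(covered.values())
    value = sum(scored[a] * w for a, w in covered.items()) / total if total else None
    return {
        "indicator": None if value is None else round(value, 1),
        "coverage": round(total / sum(weights.values()), 2),
        "areas": {a: (None if s is None else round(s, 1)) for a, s in scored.items()},
        "unscored": sorted(a for a in weights if scored[a] is None),
    }


# Constructed sample findings (not real assessment data).
SAMPLE = [
    Finding("Application Security", "payments-api", "SQL injection in order lookup", 5, 4, 5, 3),
    Finding("Application Security", "marketing-site", "Reflected XSS in site search", 3, 5, 1, 4),
    Finding("Application Security", "hr-portal", "Stack traces exposed on error pages", 2, 5, 3, 5),
    Finding("Compliance Risk", "cardholder-db", "Audit log retention shorter than PCI requires", 4, 2, 5, 2),
    Finding("Cloud Security", "backup-bucket", "Publicly readable backup storage", 4, 5, 4, 5),
]

# Assumed area weights; Legal and Ethics Risk has no scoring mechanism and no findings.
WEIGHTS = {"Application Security": 0.4, "Cloud Security": 0.3,
           "Compliance Risk": 0.2, "Legal and Ethics Risk": 0.1}

if __name__ == "__main__":
    report = composite(SAMPLE, WEIGHTS)
    print(f"indicator {report['indicator']} (coverage {report['coverage']:.0%}, "
          f"unscored: {', '.join(report['unscored']) or 'none'})")
    for a, s in report["areas"].items():
        print(f"  {a:24s} {'n/a' if s is None else s}")
    for f in drill_down(SAMPLE, "Application Security"):
        print(f"    {exposure(f):.2f}  {f.asset:15s} {f.title}")
```

Running it ranks the mission-critical payments API with the easily found injection first, exactly the ordering point 5 calls for, while the low-criticality marketing site drops to the bottom despite a higher detection ease than the HR portal. The composite deliberately reports coverage and the unscored area alongside the number, so a CxO sees that 10% of the intended view is missing instead of an indicator that looks complete.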