Measure Efficiency, Measure Risk, Measure Better
One of my goals as an advisor to InfoSec World is to know what's most important to attendees. At this year's conference, risk emerged as a common theme - in particular how to improve methods of measuring, reducing, and managing risk. There were more talks, roundtables, and workshops on risk than any other subject matter. We have not been using a single consolidated model of measuring risk - and many of the models we currently use are outdated, lack meaning or otherwise fail to optimize efficiency in the wider business context.
In my panel entitled ‘Gathering of the Vulnerability Wranglers’, the need for information security professionals to change their approach became evident. Fellow vulnerability wranglers (and friends) on the panel - Adrian Sanabria (Nopsec), Jake Kouns (Risk Based Security), Jonathan Cran (Kenna Security), and Alex Moss (Conventus) - joined me to consider the issues, using the historical definition of wrangling as a backdrop to shed light on current challenges and complexities that security vulnerabilities pose. In the context of the American cowboy, wranglers were responsible for the herd of horses (known as a ‘remuda’) used by cowboys to round up cattle; they were constrained by time and a fixed number of mounts (each time a fresh horse was deployed) in the course of an arduous trail, often leading to fatigue.
In the context of information security, vulnerability managers are arguably the 21st century wranglers, herding information through security hurdles; they are also constrained by time and limited resources, particularly given the huge volumes of vulnerabilities. Whether the risk relates to data protection or maintaining the integrity of a network, panelists opined that most of us are fatigued, given our focus on severity of risk. In order to wrangle threats more effectively, we should improve our methods of measuring security risk. We often fail to fully comprehend what we are measuring (e.g. common vulnerability exposures (CVE)) and the method of measurement (e.g. common vulnerability scoring system (CVSS)) - and efficiency is measured in remediation numbers as opposed to risk.
Our panel concluded that current methods of risk assessment need enhancement - such as GRC, ITSM, Software Bill of Sales (SBoM) and containerization - to measure better. Pete Lindstrom echoed similar sentiments in his closing keynote, "Innovate or die! If you think you know how to do security and haven't measured the outcomes, you are probably fooling yourself."
P.S. - I hosted a webinar on this topic recently. You can view it on-demand here.