I attended the 2022 RSA Conference (RSAC) last month and am pleased to see that our industry remains robust and innovative and continues to percolate new ideas to solve persistent challenges. RSA picked “Transform” as a theme this year, reflecting the quickening pace of the digitization of business processes and the zero-day and supply-chain threats posed against them.


These evolving trends in modern business are important, but so is risk. 


At RSAC, I started to see strong evidence that the industry is finally shifting away from a compliance mindset and talking more about external risk management, risk detection and risk reduction. Make no mistake, compliance is an industry imperative, but it is far from a silver bullet.


The Risk Catalyst for Change

I’m not advocating against compliance, but rather for the adoption of risk management as a major new component of an organization’s cybersecurity arsenal.


Today’s IT stack is better described as an ecosystem than as a single entity. Subsidiaries, supply chains and third parties have expanded an organization’s external attack surface enormously. The consequence is that security teams are asked to do the seemingly impossible: manage an amorphous attack surface that changes with every merger, acquisition and new cloud-based asset.


Chief information security officers (CISOs), chief executive officers (CEOs) and board members I talked to at RSAC said that risk management is now a priority for them. When I asked how they plan to tackle the top challenges in this area (asset visibility, scanning coverage and remediation prioritization), most said they’re still seeking the best solution. They added that current vendors had tried, without success, to solve these challenges for the past decade. From their point of view, the solutions that come closest are built for compliance, not risk management. This is the problem.


When asked about their external attack surface and its security risks, CISOs shared five areas they need to improve:

  1. Attack surface visibility is limited and lacks business context.
  2. Discovery evidence is nearly non-existent.
  3. Security testing coverage is partial and full of false positives.
  4. Attributing subsidiary or third-party ownership of a vulnerable digital asset is inadequate.  
  5. Prioritizing what needs to be fixed first is too hard. Why? IT operations can resolve only a small fraction of the thousands of issues their scanners flag as “severe.”

Each of these five gaps maps directly onto the mean time to remediation (MTTR) of open, high-risk vulnerabilities. Two months is the average MTTR for organizations that handle thousands of supposedly critical issues. CyCognito studies have found that many organizations are unable to handle more than 10-50 critical issues per month. This creates enormous mitigation debt and highlights the need to identify an organization’s highest-risk issues and concentrate remediation effort on them.


When risk is the determining factor in mitigating vulnerabilities, it helps organizations focus a security team’s limited resources on critical assets first. Prioritization lets an organization see digital assets in the context of its business rather than as ancillary issues. When risk is the priority, security teams shift their attack-surface perspective and weigh mitigation effort on whether an asset is exposed to attackers, how much the business depends on it, and whether the vulnerability is being exploited in the wild by a threat group relevant to them.
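To make the difference between severity-driven and risk-driven prioritization concrete, here is an added example in Python. It is not CyCognito’s product logic or any published scoring standard: the weights in `risk_score`, the finding records and the asset names are all constructed for illustration, and the threshold of 3 fixes per month stands in for the 10-50 per month capacity mentioned above. It ranks the same constructed findings two ways, by raw CVSS and by a risk score that folds in external exposure, business impact and known exploitation, and shows that a capacity-limited remediation plan picks a very different top three under each ordering.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    finding_id: str
    asset: str
    cvss: float                # scanner's technical severity (0-10)
    internet_exposed: bool     # reachable from outside, i.e. on the external attack surface
    business_impact: int       # 1 (throwaway) .. 5 (crown jewel), from business context
    exploited_in_wild: bool    # known to be used by a threat group relevant to us
    owner: Optional[str]       # team attributed as owner; None if attribution failed


def risk_score(f: Finding) -> float:
    """Severity weighted by what an attacker can reach and what they gain.

    The weights are illustrative assumptions for this example, not a standard.
    """
    score = f.cvss * f.business_impact
    if f.exploited_in_wild:
        score *= 2.0           # evidence of attacker interest beats theoretical severity
    if not f.internet_exposed:
        score *= 0.25          # not reachable from outside: far less urgent
    return score


def rank_by_cvss(findings: List[Finding]) -> List[Finding]:
    """Compliance-style ordering: highest scanner severity first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def rank_by_risk(findings: List[Finding]) -> List[Finding]:
    """Risk-style ordering: exposed, valuable and actively exploited first."""
    return sorted(findings, key=risk_score, reverse=True)


def remediation_plan(findings: List[Finding],
                     monthly_capacity: int) -> Tuple[List[Finding], List[Finding]]:
    """Split risk-ranked findings into this month's fixes and carried-over debt."""
    ranked = rank_by_risk(findings)
    return ranked[:monthly_capacity], ranked[monthly_capacity:]


def unattributed(findings: List[Finding]) -> List[Finding]:
    """Findings nobody can be asked to fix until ownership is established."""
    return [f for f in findings if f.owner is None]


# Constructed sample data for the example (not real findings or assets).
SAMPLE: List[Finding] = [
    Finding("f-1", "vpn.example.com",        7.5, True,  5, True,  "netops"),
    Finding("f-2", "build-agent (internal)", 9.8, False, 3, False, "devops"),
    Finding("f-3", "subsidiary marketing site", 9.1, True, 2, False, None),
    Finding("f-4", "customer-portal",        8.1, True,  5, False, "appsec"),
    Finding("f-5", "test-lab-host",          9.8, True,  1, False, "qa"),
    Finding("f-6", "partner-api",            6.5, True,  4, True,  "platform"),
]


if __name__ == "__main__":
    print("By CVSS:", [f.asset for f in rank_by_cvss(SAMPLE)[:3]])
    print("By risk:", [f.asset for f in rank_by_risk(SAMPLE)[:3]])
    fixes, debt = remediation_plan(SAMPLE, monthly_capacity=3)
    print("Fix now:", [f.finding_id for f in fixes], "debt:", len(debt))
    print("Needs owner:", [f.asset for f in unattributed(SAMPLE)])
```

With the constructed data, a pure CVSS ordering spends the month’s capacity on an internal-only build agent, a throwaway test host and an unowned subsidiary site, while the exploited-in-the-wild flaw on the internet-facing VPN ranks fifth. The risk ordering puts the VPN, the partner API and the customer portal first, and the `unattributed` list surfaces the ownership gap that has to be closed before the subsidiary finding can be assigned at all.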


Compliance Is Important, But Risk Management Is Paramount 

Adversaries know how daily compliance-driven cybersecurity works. They exploit the alert fatigue and burnout that security teams face. It only takes one weak spot in the attack surface, exposing a critical high-risk asset, to raise the organization’s risk dramatically.


If Log4j taught us anything, it was that we don’t have the visibility into our external attack surface that we need. Taking an outside-looking-in approach lets you see your attack surface the way an adversary does. From a risk management perspective, this allows quick, surgically precise fixes to just the digital assets that expose the most valuable crown jewels of your business. That can cut MTTR dramatically.


The roadmap for compliance is arduous, but familiar. The road to risk management has not yet been clearly mapped for many companies. CISOs at RSAC shared that vulnerability scanners and dynamic application security testing (DAST) tools can’t get the job done. They are too expensive or too noisy, have limited external attack surface visibility, don’t know where sensitive data is exposed, and can’t untangle who owns each asset.


Emphasizing risk needs to be a differentiator within the external attack surface management space. The best approach homes in on the attacker’s path of least resistance into the network. When risk is put first and foremost in that approach, it helps an organization keep pace with attackers who are tirelessly looking for weak spots in its external attack surface.


Intelligence agencies, where many of us come from, do not prioritize IT compliance over an attacker’s “path of least resistance.” We didn’t receive gold medals for earning a certificate. To succeed, the goal is to move fastest (and safest). A risk management approach is the most useful to enterprise cybersecurity teams, and the most interesting, relevant and differentiated.


Compliance is vital. But when it justifies the status quo in a rapidly evolving threat landscape, a compliance-only approach to cybersecurity can be counterproductive.