Professional MSC Cyber Security Principle

Cybersecurity risk management is a strategic approach that prioritizes threats to ensure timely handling of critical vulnerabilities within organizations. It involves identifying, assessing, controlling, and reviewing risks, while also incorporating cybersecurity risk assessments to inform security measures. Additionally, frameworks like NIST CSF and ISO 27001 guide organizations in managing cybersecurity risks effectively, while DevSecOps emphasizes integrating security into the software development lifecycle to enhance both security and efficiency.

Uploaded by abdallahcyber222

Cybersecurity Risk Management

What Is Cybersecurity Risk Management?


Cybersecurity risk management is a strategic approach to prioritizing threats. Organizations
implement cybersecurity risk management in order to ensure the most critical threats are handled
in a timely manner. This approach helps identify, analyze, evaluate, and address threats based on
how likely each threat is to materialize and the potential impact it poses.

A risk management strategy acknowledges that organizations cannot entirely eliminate all
system vulnerabilities or block all cyber attacks. Establishing a cybersecurity risk management
initiative helps organizations attend first to the most critical flaws, threat trends, and attacks.

Broadly speaking, the cybersecurity risk management process involves four stages:

• Identify risk – evaluate the organization’s environment to identify current or potential risks
that could affect business operations.
• Assess risk – analyze the identified risks to determine how likely each is to impact the
organization, and what the impact would be.
• Control risk – define methods, procedures, technologies, or other measures that help the
organization mitigate the risks.
• Review controls – evaluate, on an ongoing basis, how effective the controls are at mitigating
the risks, and add or adjust controls as needed.

What is a Cybersecurity Risk Assessment?


A cybersecurity risk assessment is a process that starts from the organization’s key business
objectives and identifies the IT assets required to realize them.

It involves the identification of cyber attacks that may negatively impact these IT assets. The
organization is required to determine the likelihood of the occurrence of these attacks, and define
the impact each attack may incur.

A cybersecurity risk assessment should map out the entire threat environment and how it can
impact the organization’s business objectives.

The result of the assessment should assist security teams and relevant stakeholders in making
informed decisions about the implementation of security measures that mitigate these risks.

What Are Cyber Threats?


The term cyber threat generally applies to any actor, event, or condition with the potential to
breach security, damage the organization, or exfiltrate data; the path it takes to do so is the
attack vector.

Common threat categories facing modern organizations include:

• Adversarial threats – external attackers (individuals, established hacker collectives and ad
hoc groups, organized crime, corporate espionage, and nation-states) and insiders (employees,
privileged users, suppliers, and third-party vendors) acting with malicious intent. This category
also includes malicious software (malware) created by any of these actors. Large organizations
mitigate these threats by establishing a security operations center (SOC) with trained security
staff and specialized tooling.
• Natural disasters – hurricanes, floods, earthquakes, fire, and lightning can cause as much
damage as a malicious attacker: loss of data, disruption of services, and destruction of the
organization’s physical or digital resources. The exposure can be reduced by distributing
operations over multiple physical sites or geographically distributed cloud resources.
• System failure – a failed system may cause data loss and disrupt business continuity. Run your
most critical systems on reliable equipment, build in redundancy for high availability, back them
up (and test that the backups restore), and make sure your providers offer timely support.
• Human error – any user may accidentally download malware or be tricked by social engineering
schemes such as phishing campaigns. A storage misconfiguration may expose sensitive data. To
prevent and mitigate these threats, establish an employee training program and enforce strong
security controls; for example, use password managers and continuously monitor critical systems
for misconfigurations.

Here are key threat vectors that affect the majority of organizations:

• Unauthorized access – may result from malicious attackers, malware, or employee error.
• Misuse of information by authorized users – an insider may alter, delete, or use data without
authorization.
• Data leaks – threat actors or cloud misconfiguration may expose personally identifiable
information (PII) and other types of sensitive data.
• Loss of data – poorly configured replication and backup processes may lead to data loss or
accidental deletion.
• Service disruption – downtime causes reputational damage and revenue loss. It may be
accidental, or the result of a denial of service (DoS) attack.

Cyber Risk Management Frameworks


There are several cyber risk management frameworks, each of which provides standards
organizations can use to identify and mitigate risks. Senior management and security leaders use
these frameworks to assess and improve the security posture of the organization.
A cyber risk management framework can help organizations effectively assess, mitigate, and
monitor risks; and define security processes and procedures to address them. Here are several
commonly used cyber risk management frameworks.

NIST CSF

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) is a
widely used, voluntary framework. It provides a set of best practices that give organizations a
common language for managing cyber risk, organized as a map of activities and outcomes under the
core functions of cybersecurity risk management: Identify, Protect, Detect, Respond, and Recover.
CSF 2.0, published in 2024, adds a sixth function, Govern.

ISO 27001

The International Organization for Standardization (ISO) created ISO/IEC 27001 together with the
International Electrotechnical Commission (IEC). ISO/IEC 27001 specifies the requirements for an
information security management system (ISMS), including a risk assessment and risk treatment
process, and is the standard organizations can be certified against. Organizations can also use
ISO 31000, which provides (non-certifiable) guidelines for enterprise risk management.

DoD RMF

The Risk Management Framework (RMF) is defined by NIST in Special Publication 800-37 and is the
process the Department of Defense (DoD) and other federal agencies use when assessing and
managing cybersecurity risk for their systems. RMF splits the risk management lifecycle into six
key steps – categorize, select, implement, assess, authorize, and monitor – to which Revision 2
of SP 800-37 added a preliminary prepare step.

FAIR Framework

The Factor Analysis of Information Risk (FAIR) framework, maintained as an Open Group standard,
helps enterprises measure, analyze, and understand information risk quantitatively. It decomposes
risk into the frequency of loss events and the magnitude of each loss and expresses the result in
financial terms, so that security decisions can be compared with other business investments and
made on a well-informed basis.

Best Practices for Cybersecurity Risk Assessment


Build Cybersecurity into the Enterprise Risk Management Framework

Fully incorporate your risk-based cybersecurity program into the enterprise risk management
framework, which functions as the organizing principle for analyzing and classifying enterprise
risks. The framework should not be used as a general guideline, but rather as the organizing
principle. By framing cyber risk as a business risk, this approach makes cyber risk management
more intelligible to businesses.

Identify Value-Creating Workflows


Identify the workflows that generate the greatest business value and define their associated risks.
It is important to consider the potential impact of crucial workflows because these can also pose
a significant risk. For example, payment processes create value but present a business risk, as
they are vulnerable to fraud and data leakage.

Make sure the cybersecurity team knows which processes are regarded as valuable for your
organization, and define the components (data assets, tools, teams) involved in each process.
This allows you to apply the recommended controls. A collaborative approach involving both
cybersecurity and business personnel is more effective than the one-sided maturity-based
approach.

Prioritize Cyber Risks

Determine each risk’s level from its likelihood and impact, then weigh it against the cost of
prevention and the value of the information at stake to inform your risk management and
mitigation procedures. High-level risks should be addressed as soon as possible, while low-level
risks can be addressed later or formally accepted as tolerated risks. If the cost of protecting an
asset exceeds the loss it would prevent, the expense is not worthwhile unless the risk could also
damage your reputation.

Implement Ongoing Risk Assessments

Perform continuous, adaptive, and actionable risk identification and assessment to keep up with
evolving cybersecurity threats and solutions. Regularly review risk management processes to
identify and remediate gaps. Cybersecurity teams rely on actionable insights from risk
assessments to secure digital environments and assets.

Cybersecurity Risk Management with Imperva


Imperva can help organizations identify and manage cybersecurity risks across two broad
categories – application security and data security.

Imperva Application Security

Imperva provides comprehensive protection for applications, APIs, and microservices:

Web Application Firewall – Prevent attacks with world-class analysis of web traffic to your
applications.

Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from
your application runtime environment goes wherever your applications go. Stop external attacks
and injections and reduce your vulnerability backlog.

API Security – Automated API protection ensures your API endpoints are protected as they are
published, shielding your applications from exploitation.
Advanced Bot Protection – Prevent business logic attacks from all access points – websites,
mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud
through account takeover or competitive price scraping.

DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed
uptime and no performance impact. Secure your on-premises or cloud-based assets – whether
you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.

Attack Analytics – Ensures complete visibility with machine learning and domain expertise
across the application security stack to reveal patterns in the noise and detect application attacks,
enabling you to isolate and prevent attack campaigns.

Client-Side Protection – Gain visibility and control over third-party JavaScript code to reduce the
risk of supply chain fraud and prevent data breaches and client-side attacks.

Imperva Data Security

Imperva protects all cloud-based data stores to ensure compliance and preserve the agility and
cost benefits you get from your cloud investments.

Cloud Data Security – Simplify securing your cloud databases to catch up and keep up with
DevOps. Imperva’s solution enables cloud-managed services users to rapidly gain visibility and
control of cloud data.

Database Security – Imperva delivers analytics, protection and response across your data assets,
on-premises and in the cloud – giving you the risk visibility to prevent data breaches and avoid
compliance incidents. Integrate with any database to gain instant visibility, implement universal
policies, and speed time to value.

Data Risk Analysis – Automate the detection of non-compliant, risky, or malicious data access
behavior across all of your databases enterprise-wide to accelerate remediation.

DevSecOps
What is DevSecOps?
DevSecOps is a joint effort by development, security, and operations personnel to ensure that
products are released efficiently and securely from the start. The model was developed to address
the problems that arise when security is introduced too late in the development process: insecure
code has to be rewritten, release to production is delayed, and software risks being deployed
with severe security issues.
DevSecOps mandates shifting security left in the development lifecycle. Instead of happening at
the end of the cycle, security starts from day one. Tools and processes are provided to operations
and development teams to help them make security decisions, from the planning stage, through
development, testing and deployment. At the same time, the security team adjusts these tools and
processes according to development and operational requirements to maintain an agile work
environment.

The process of transitioning to a DevSecOps team is not easy, but using the right tools can
simplify adoption of the process and collaboration among dev, ops, and security teams.

How Can DevSecOps Improve Both Security and Velocity in Software Development Pipelines?
The goal of DevSecOps is to bridge the gap between IT and security by adding security practices
to the already fast and agile software delivery process. Organizations using the DevSecOps
model understand that security cannot be considered at the end of the delivery pipeline, so they
make it an integral part of the entire software development lifecycle (SDLC).

DevSecOps collaboration is harder than DevOps because it requires the organization to pursue two
competing goals:

• Speeding up the delivery process
• Ensuring code is free of known vulnerabilities and security gaps

Traditionally there were two schools of thought: some thought security was not so crucial and
could be pushed aside in favor of releasing software faster. Others believed that it is better to
bring products to market slowly, but ensure maximal security. DevSecOps tries to combine these
two approaches and deliver high velocity with a high level of security.

To implement DevSecOps without compromising product quality, organizations are building a
culture of “security as code”, encouraging developers to consider security issues and
encouraging security teams to automate tasks. In addition, the organization commits to flexible
and continuous collaboration between IT engineers, software developers, and security teams by
facilitating communication.

DevOps vs DevSecOps: What Is the Difference?


The primary difference between DevOps and DevSecOps is that the former is a convergence of
development, operations, and application delivery, while the latter converges all of these with
security.

DevOps vs. DevSecOps


DevOps focuses on technologies and techniques that can help developers and operations teams
work together to achieve common goals, while DevSecOps is focused on practices that can add
security considerations to an existing DevOps pipeline.

DevOps Elements
Microservices

In a DevOps team, developers often use a microservices architecture, building software as a set
of independent services, each providing a separate function. Each microservice can run
autonomously in a container or virtual machine (VM), and it is easier to identify and resolve
production issues in a single microservice or container, rather than in a large, complex system.

Infrastructure as Code (IaC)

Infrastructure as Code is a method of using code to manage and automate computing resources
such as hosts, virtual machines and containers. Developers use IaC to perform IT operations
automatically, eliminating the need for IT assistance and supervision with infrastructure-related
tasks. Operations staff can also use IaC to spin up environments on demand and provide self-
service functionality for developers.

Policy as Code (PaC)

Policy as Code is a way to use code to manage policies, such as an organizational decision to use
specific types of technologies, security standards or IT practices. Policies are provided in code
format, making it possible to automatically enforce policies across the organization in all stages
of development.

DevSecOps Elements
Shifting security left

“Shifting left” is moving a task to an earlier stage in the development cycle. Moving security “to
the left” ensures that security standards are met from the time the codebase is first developed.
Development tasks are considered “done” not only when functional requirements are met, but
also when the codebase has passed the agreed security tests and no known flaws remain open.

Continuous feedback loop

The continuous feedback loop regularly encourages all team members to improve their
development and maintenance practices. Continuous feedback is backed by an automated
process that can continuously monitor for security vulnerabilities and provide real-time alerts to
developers and security experts, as soon as a security issue is introduced into the development
pipeline, allowing all teams to collaborate and fix it immediately.
Security automation

Automation is a key factor in ensuring that DevSecOps standards and practices are met at all
stages of the development lifecycle. Automation allows DevSecOps teams to quickly take on
more security responsibilities, including automated code analysis, compliance monitoring, and
threat investigation.
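The Infrastructure as Code and Policy as Code elements above, together with shifting left and security automation, come together in a pipeline gate: declarative rules evaluated against the proposed infrastructure before it is applied. The Python script below is an added example, not code from the original document or from any vendor. It assumes a plan represented as a list of resource dictionaries (loosely modelled on a Terraform plan's resource list; the field names are invented), defines three policy rules as plain functions, and returns a non-zero exit code when any rule is violated so the CI job fails at the point the change is proposed.

```python
"""Policy-as-code gate for an infrastructure-as-code plan (added example).

Not the document's or any vendor's code. The plan format, resource types and
field names are constructed for illustration. A rule is a function that takes
one resource and returns a violation message or None; the gate runs every rule
over every resource and blocks the change if anything is returned.
"""
from typing import Callable, Optional

Resource = dict
Rule = Callable[[Resource], Optional[str]]


def no_public_object_storage(res: Resource) -> Optional[str]:
    # A bucket whose ACL grants anonymous access is the page's "storage misconfiguration" data-leak vector.
    if res["type"] == "object_storage_bucket" and res["acl"] in {"public-read", "public-read-write"}:
        return f"{res['name']}: bucket ACL '{res['acl']}' grants anonymous access"
    return None


def no_admin_ports_from_anywhere(res: Resource) -> Optional[str]:
    # Management ports reachable from 0.0.0.0/0 are an unauthorized-access vector.
    admin_ports = {22, 3389}
    if res["type"] != "firewall_rule":
        return None
    if res["direction"] == "ingress" and res["cidr"] == "0.0.0.0/0" and res["port"] in admin_ports:
        return f"{res['name']}: port {res['port']} open to the whole internet"
    return None


def storage_must_be_encrypted(res: Resource) -> Optional[str]:
    if res["type"] == "object_storage_bucket" and not res.get("encrypted", False):
        return f"{res['name']}: server-side encryption disabled"
    return None


POLICY: list[Rule] = [no_public_object_storage, no_admin_ports_from_anywhere, storage_must_be_encrypted]


def evaluate(plan: list[Resource], policy: list[Rule] = POLICY) -> list[str]:
    """Run every rule over every resource; return all violation messages."""
    return [msg for res in plan for rule in policy if (msg := rule(res))]


def gate(plan: list[Resource]) -> int:
    """CI entry point: 0 = pass, 1 = block the change."""
    violations = evaluate(plan)
    for v in violations:
        print("POLICY VIOLATION:", v)
    return 1 if violations else 0


# Constructed plan: two compliant resources and two that violate policy.
SAMPLE_PLAN = [
    {"type": "object_storage_bucket", "name": "customer-exports", "acl": "public-read", "encrypted": True},
    {"type": "object_storage_bucket", "name": "build-artifacts", "acl": "private", "encrypted": True},
    {"type": "firewall_rule", "name": "bastion-ssh", "direction": "ingress", "cidr": "0.0.0.0/0", "port": 22},
    {"type": "firewall_rule", "name": "web-https", "direction": "ingress", "cidr": "0.0.0.0/0", "port": 443},
]

# The same plan after the developer fixes the two findings.
FIXED_PLAN = [
    {**SAMPLE_PLAN[0], "acl": "private"},
    SAMPLE_PLAN[1],
    {**SAMPLE_PLAN[2], "cidr": "10.20.0.0/16"},  # SSH only from the (assumed) corporate range
    SAMPLE_PLAN[3],
]

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_PLAN))
```

Because the rules are code, they are versioned and reviewed like any other change, and the same evaluate() call can run in a pre-commit hook, in CI, and on a schedule against deployed state, which is what turns the "continuous feedback loop" above into something concrete.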

DevSecOps Implementation: Challenges and Solutions


Like any organizational or cultural change, implementing DevSecOps introduces significant
challenges. Here are some of the common challenges and how your organization can deal with
them.

Resistance to Change
It is natural for people to resist a change from a familiar state or process. For people who did not
“grow up” in DevOps teams, collaboration between departments can be more difficult to adjust
to. Teams who have been working independently in “silos” now need to work together with
others and adjust their work process. This requires planning and patience. In other cases, teams
may embrace the change, but administration functions or executives can oppose it.

To make the transition as smooth as possible, get support from stakeholders. Clearly outline the
“business case” of the transition in terms of improved productivity, financial benefits and
improvement of consumer confidence.

When planning your migration to DevSecOps, you should include management and members of
development, security, and operations teams. This allows you to keep everyone’s needs and
priorities in mind when planning your strategy. It also provides an opportunity to let everyone
practice communication and negotiation, which is essential for the future.

Mismatched Tools and Processes


There are more and more tools developed to meet the needs of DevSecOps, but these tools may
not be suitable for all teams. Some of the tools and processes already in use may remain useful
after the transition. Others need to be retrofitted or replaced.

Integration of automated security testing tools is often the first step—for example, static
application security testing (SAST) and dynamic application security testing (DAST) tools can
be used throughout the development process.
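To make the SAST step concrete, here is an added Python example (not code from the original document and not any real SAST product) showing the shape of rules such a tool runs before merge or inside the IDE. It parses Python source into an AST and applies three rules: dynamic evaluation of runtime data, shell command construction, and hard-coded credentials. The sample source it scans is constructed inline; rule names and the secret-name heuristic are assumptions.

```python
"""Minimal SAST-style check over Python source (added example, not the document's code).

Three rules are implemented on the AST: dynamic eval/exec, shell-based command
execution, and string literals assigned to credential-like names. The rule
names and the SECRET_NAMES heuristic are illustrative assumptions.
"""
import ast
from dataclasses import dataclass

SECRET_NAMES = ("password", "passwd", "secret", "api_key", "token")


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    message: str


def _call_name(node: ast.Call) -> str:
    """Dotted name of the called function, e.g. 'subprocess.run' or 'eval'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if isinstance(func, ast.Name):
            parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


class Scanner(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in {"eval", "exec"}:
            self.findings.append(Finding(node.lineno, "dynamic-eval",
                                         f"{name}() on runtime data enables code injection"))
        if name.startswith("subprocess.") or name == "os.system":
            shell = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                        for kw in node.keywords)
            if shell or name == "os.system":
                self.findings.append(Finding(node.lineno, "shell-injection",
                                             f"{name} runs through a shell; pass an argument list instead"))
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # Flag non-empty string literals assigned to names that look like credentials.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str) and node.value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and any(s in target.id.lower() for s in SECRET_NAMES):
                    self.findings.append(Finding(node.lineno, "hardcoded-secret",
                                                 f"'{target.id}' assigned a literal; load it from a secret store"))
        self.generic_visit(node)


def scan(source: str) -> list[Finding]:
    """Parse `source` and return findings ordered by line number."""
    scanner = Scanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings, key=lambda f: f.line)


# Constructed sample: what a developer might push before the gate catches it.
SAMPLE_SOURCE = '''\
import os, subprocess
DB_PASSWORD = "hunter2"                      # line 2: hard-coded secret
def run(cmd):
    return subprocess.run(cmd, shell=True)   # line 4: shell injection
def calc(expr):
    return eval(expr)                        # line 6: dynamic eval
def safe(args):
    return subprocess.run(args)              # line 8: clean, argument list
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Real SAST tools add data-flow tracking so that `eval` on a constant is not reported while `eval` on a request parameter is; the rules above are deliberately syntactic, which is why a pipeline should treat them as a signal to review rather than as proof of a vulnerability.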

When deciding which tools and processes to use, teams must make joint decisions. If a tool is
difficult to use or directly hinders productivity, it will get in the way of the organizational
change. Ideally, the tools and processes you choose should be transparently integrated and
streamlined for all parties involved. These tools and processes should focus and automate your
workflow as much as possible, to make collaboration easier and improve productivity.
Developers are Not Security Specialists
DevSecOps requires operations and development teams to share security responsibilities. In
addition, the team must incorporate security processes into their workflow. A related issue is the
complexity of the security process and security requirements.

At the outset, only security personnel will have security knowledge and skills. This is
especially a problem for developers, who need to learn secure coding methods and incorporate
security testing into their daily workflow. This integration can reduce productivity, especially
in the early stages.

To minimize these drawbacks, it is essential to provide security training for everyone involved
in a DevSecOps project. Training should educate non-security members about security best
practices and why they matter, and educate security teams about the tools and practices in use
by the DevOps organization.

Careful use of tooling will also help in this regard—for example, integrating security information
and alerts into the Integrated Development Environment (IDE) can help developers learn safe
coding skills and make safe choices while coding.

Communication Requirements
In any work environment communication is key, and this is doubly important for DevSecOps
teams. When individuals from different backgrounds collaborate on shared projects and
schedules, there will be communication failures and disagreements.

Various experts have their own terminology, way of thinking, and expectations. These should be
aligned and clarified. Team members should be willing to admit they do not understand a
requirement or a system and there should be an openness to share information.

Training can also be important to improve communications. Training courses provided to teams
should include an explanation of the current working process, responsibilities and key concepts.
By building a unified knowledge base, conflicts can be avoided. Additionally, team members can
educate each other to lay the groundwork for the DevSecOps collaboration.

How Imperva Helps DevSecOps Teams


Imperva offers a broad portfolio of security tools and capabilities, several of which are of interest
to DevSecOps teams. Imperva can increase application security and reduce risk across new and
legacy applications without getting in the way of developer productivity.

Imperva RASP (Runtime Application Self-Protection)


Protects applications from being exploited at runtime, while integrating with tools in the CI/CD
pipeline. Imperva RASP delivers increased security without adding overhead to the development
process. It reports vulnerabilities in the codebase, and performs ongoing runtime application
traffic monitoring to show how attacks are resolved.

Imperva Web Application Firewall (WAF)


Offers defense-in-depth capabilities to the network edge. At the perimeter, the Web Application
Firewall solution profiles incoming application layer traffic and blocks any known exploits from
malicious clients or botnets. The WAF service is usually installed by operations teams on a ‘set it
and forget it’, security-by-default basis.
