Cybersecurity — It’s all about risks

Adan
3 min read · Oct 13, 2022


Cybersecurity is a broad specialization intended to protect computer systems, networks, and sensitive information from digital attacks. Over time, however, the field accepted that unbreakable security is not achievable, and the main objective became reducing risk: lowering both the likelihood that an attack succeeds and the impact when one does. Consequently, understanding risk has become a pivotal skill for every cybersecurity professional, not just for those with "risk" in their job title.

When a penetration tester or red teamer is working on an engagement, their time and resources are almost always limited, and they have to spend them wisely to find the risks that matter most to the business. A good example of this is spending extra time on the critical assets identified together with the customer rather than trying to exploit a potential vulnerability on an isolated web server that holds no sensitive data and reaches nothing that does. However, allocating effort well enough to find the most serious threats is often not enough. Each discovered risk must be understood thoroughly by the security professional so that it can then be explained accurately to someone with no cybersecurity background. That understanding has to include context: a generic severity score for a vulnerability says nothing about whether the affected host is internet-facing, what data it holds, or where an attacker can pivot from it, and a report that ignores this will rank findings wrongly. An incorrect understanding or presentation of a risk may result in a problem that needs attention being overlooked and left unresolved, or, conversely, in resources being spent on an issue that never posed a serious threat to the company.

Let’s move on from offensive roles to defensive ones. Security engineers who defend computer systems, networks, and sensitive data against digital attacks also have limited time and resources. They should spend them where they buy the largest reduction in risk for the least effort. This is especially true for cybersecurity specialists who work for small and medium-sized enterprises with limited security budgets. For example, spending time explaining and enabling two-factor authentication for users removes a whole class of credential-based attacks, and is likely to reduce risk more effectively and at a lower cost than devoting hours to attempting to bypass the newly implemented EDR (however cool that may seem) or buying an expensive Data Loss Prevention (DLP) solution before the basics are in place.

Also, when working on security projects that affect other departments, as most of them do, it is crucial to explain clearly to every department concerned which risk is being reduced. You want to make sure they understand that risk, and you should also show how reducing it benefits everyone. If most security changes are imposed purely for compliance reasons and the affected teams never learn the reasoning behind them, it becomes very hard to push through changes that no compliance framework requires. And such changes are necessary, because compliance frameworks cannot keep up with the pace of attacks or of IT in general. Furthermore, explaining a risk to the people who run the affected systems is itself a check on the assessment: we may discover that, because of something we overlooked, the risk we thought was significant is not as serious as we believed, or that a risk we assumed was minor is actually critical.

Understanding risk is also essential for running a security department properly: for not panicking, and for knowing when escalation is genuinely warranted. We must recognize that businesses face a variety of risks, including legal, financial, operational, and human ones, and security risk is only one of them. If security professionals overestimate their risks, the company will most likely take on more risk in other areas. This happens, for example, when every single vulnerability is treated as critical, more money than necessary is spent on security tools, security projects are given priority over all other projects, or releases and essential services are stopped without proper cause. Conversely, if security risks are underestimated, so that vulnerabilities go unpatched, nothing is invested in security tools, security projects are always neglected, no action is taken on systems that may have been compromised, or releases with critical vulnerabilities are allowed to ship, the security risk may grow so high that the entire business is jeopardized.

For all of the reasons stated above, I believe that understanding risk is one of the most important skills of any cybersecurity professional. Although risk management may appear to some to be solely part of a GRC (Governance, Risk, and Compliance) role, risk runs through every specialization in the field, and understanding and managing it is critical to success in all of them.

Adan

Cyber Security Engineer interested in Pentesting | Cloud Security | Adversary Emulation | Threat Hunting | Purple Teaming | SecDevOps - https://adan.cloud/