By Matt Carroll<\/a>, Senior Manager, Technology Governance, Risk, & Compliance<\/h2>\n\n\n\n\n\n<\/p>\n\n\n\n![\"Renae](\"https:\/\/miro.medium.com\/v2\/resize:fill:88:88\/1*_2c2rNBYDHH7262294wRcA.jpeg\")
<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/a><\/p>\n\n\n\n\n![\"Adobe](\"https:\/\/miro.medium.com\/v2\/resize:fill:48:48\/1*riyFijvwTfGcWNf1guRNtg.png\")
<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/a><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n![\"\"]()
<\/picture><\/div>\n<\/div>\n<\/figure>\nGetting dressed is a routine example of everyday life that is packed full of choices. Should I wear pants or shorts? Do I need a sweater? Shoes or sandals? <\/em>While we may make these choices subconsciously, I would argue that even actions that don\u2019t appear as choices include several microscopic risk-based calculations.<\/p>\nWe exercise similar judgments on behalf of the organizations that employ us. Each judgment we make corresponds to a level of risk and, in the cybersecurity industry, what is believed to be safe today may no longer be safe tomorrow (or possibly even within the hour). Given this unique challenge, how do you establish a process that allows you to identify, analyze, prioritize, and treat security risks that are constantly evolving and where the threat is persistently adapting?<\/p>\n
The ability to clearly express and coordinate accumulated security risk within the organization allows us to focus on addressing the most critical organizational risks. In this blog, I will demonstrate the risk methodologies and best practices we\u2019ve developed at Adobe that have helped us rapidly measure security risk in a constantly changing security landscape.<\/p>\n
Defining the Scope of a Risk Program<\/strong><\/h2>\nFor the purposes of baselining the term \u201crisk,\u201d let\u2019s use the National Institute of Standards and Technology (NIST)<\/a> definition, which defines a risk as \u201ca measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.\u201d<\/em><\/p>\nThe goal of an effective risk management program is to build an active function in which risks are identified, triaged in a consistent manner, and presented to leadership for action via risk-based decisions. However, a common pitfall to reaching this goal is maintaining a risk management program that ends up with hundreds \u2014 or even thousands \u2014 of tracked risks without any real action.<\/p>\n
To understand this better, let\u2019s walk through an example:<\/p>\n
Let\u2019s say you perform a vulnerability scan against your environment and receive back a report of 500 identified vulnerabilities. Technically, each individual vulnerability represents a unique risk to the organization.<\/p>\n
Rather than adding a list of vulnerabilities to the risk register, it\u2019s important to note that existing capabilities and processes in your security organization can be leveraged to mitigate those risks. For example, a well-established vulnerability management program may proactively address the risks associated with identified vulnerabilities by directly issuing tickets to offending teams for mitigation, thereby removing the need to add each individual vulnerability risk to your register.<\/p>\n
Given this understanding, Adobe primarily registers risks in our program under the following two (2) conditions:<\/p>\n
\n- An identified issue where no process currently exists to address the issue (e.g., an issue is identified that is beyond the scope of the vulnerability management program) or,<\/li>\n
- An identified issue where the risk in a given process is high enough that it is no longer reasonably functioning (e.g., a team is not meeting their vulnerability SLAs)<\/li>\n<\/ol>\n
Performing a Risk Assessment<\/h2>\n
Once you start identifying and collecting risks in your register, the next step is to triage (or assess) the level of risk to the organization. The assessment\u2019s results will provide guidance on which risks to prioritize and treat first, versus risks that may pose a less severe threat and grant you some flexibility.<\/p>\n
Two (2) industry standards prevail when it comes to performing risk assessments:<\/p>\n
\n- Qualitative<\/strong>: Non-numerical estimates of a given risk (i.e., Critical, High, Likely, Unlikely)<\/li>\n
- Quantitative<\/strong>: Numerical estimates of a given risk (e.g., 40% likelihood of occurrence resulting in the potential loss of $1M)<\/li>\n<\/ul>\n
Our team uses both methods, with qualitative methods indicating speed, agility, and ease of understanding backed by quantitative data and numerical calculations determining the risk prioritization. This assessment process allows Adobe to remain agile and provide leadership the right information to make critical decisions. Organizations must evolve from point-in-time, compliance-driven, annual risk assessments to a continuous, real-time risk and threat evaluation.<\/p>\n
Rating Inherent Risks<\/em><\/strong><\/p>\nTo demonstrate our agile approach to strategic risk management, let\u2019s use the following industry standard risk measurements:<\/p>\n
\n- Inherent Risk<\/strong>: the likelihood and impact of a specific risk event occurring absent of security posture<\/li>\n<\/ul>\n
Inherent Risk = Likelihood x Impact<\/span><\/pre>\n\n- Residual Risk<\/strong>: the remaining risk after taking action to alter the risk\u2019s likelihood or impact<\/li>\n<\/ul>\n
Residual Risk = Inherent Risk - Security Posture<\/span><\/pre>\nBefore starting a risk assessment, it is vital to ensure the risk itself is sufficiently documented in description and in detail \u2014 both technical and non-technical.<\/p>\n
To develop a system that can consistently evaluate information and rapidly determine the likelihood and impact of any risk, we formulated a listing of boolean (Yes\/No<\/em>) questions during the risk intake process.<\/p>\nQuestion Examples:<\/p>\n
\n- Likelihood:<\/strong> Is the risk publicly exposed?<\/li>\n
- Impact:<\/strong> If the risk is exploited, will there be internal [or external] consequences?<\/li>\n<\/ul>\n
All risk ratings start at \u201cLow,\u201d or a score of 0, and increase as triage questions are answered with a \u201cYes<\/em>\u201d response. The same set of questions are used to assess each ingested risk, allowing for rapid apples-to-apples comparison regardless of risk domain, category, or type. This uniform intake measurement process allows us to quickly identify the most significant inherent risks to our organization.<\/p>\nDetermining Security Posture & Residual Risk<\/em><\/strong><\/p>\nOnce we\u2019ve determined inherent risk, we evaluate our security posture in relation to the risk. Security posture refers to an organization\u2019s overall cybersecurity strength and how well it can predict, prevent, and respond to security threats and risks.<\/p>\n
At Adobe, we utilize the Adobe Common Controls Framework (CCF)<\/a> as the foundation of our security posture. The CCF is applied across the enterprise to ensure a standard baseline of risk mitigation security controls are applied. In addition to our CCF controls, we also consider the following in relation to overall security posture:<\/p>\n\n- Security policies, standards, or standard operating procedures<\/li>\n
- Consistency, level of adoption, and effectiveness of security processes, tooling, and controls<\/li>\n
- Level of automation regarding security processes, tooling, and controls<\/li>\n
- Current state of vulnerabilities and patches (i.e., up to date vs. pending release)<\/li>\n<\/ul>\n
To help determine the overall security posture for a given risk, we\u2019ve established a Security Risk Operating Committee comprised of subject matter experts. These experts meet frequently with the security risk management team to provide expert insight, knowledge, and guidance to be considered during the risk evaluation process. Once we determine security posture, we can calculate the remaining residual risk.<\/p>\n
It\u2019s important to define your organization\u2019s residual risk thresholds. These thresholds may be either quantitative (e.g., a score above 75, impacting X $\u2019s of annualized revenue) or qualitative (e.g., High or above) in nature. Any risk resulting in a residual risk at or above the threshold is reported to the Risk Steering Committee or appropriate leadership team in the organization for risk-response prioritization and decision-making.<\/p>\n
By establishing clear, documented processes for assessing security risks, we can create an agile methodology that quickly arms leadership with the appropriate information to make decisions on the highest, and most critical, risk issues facing the organization.<\/p>\n\n\n![\"\"]()
<\/picture><\/div>\n<\/div>\n<\/figure>\nConclusion<\/h2>\n
Security risk management can quickly become a convoluted process, often requiring input from multiple teams and resulting in delayed decision-making. To ensure their resources are continually focused on addressing the most critical issues, it is crucial for organizations to establish agile and continuous risk evaluation programs. Threats are evolving and attacks are constantly changing. Are you evolving your risk program to keep up?<\/p>\n
If you\u2019re interested in having a deeper conversation or joining a risk knowledge-sharing session, please contact us at securityrisk@adobe.com<\/a>.<\/p>\n<\/div>\n
<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/a><\/p>\n <\/a><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n Getting dressed is a routine example of everyday life that is packed full of choices. Should I wear pants or shorts? Do I need a sweater? Shoes or sandals? <\/em>While we may make these choices subconsciously, I would argue that even actions that don\u2019t appear as choices include several microscopic risk-based calculations.<\/p>\n We exercise similar judgments on behalf of the organizations that employ us. Each judgment we make corresponds to a level of risk and, in the cybersecurity industry, what is believed to be safe today may no longer be safe tomorrow (or possibly even within the hour). Given this unique challenge, how do you establish a process that allows you to identify, analyze, prioritize, and treat security risks that are constantly evolving and where the threat is persistently adapting?<\/p>\n The ability to clearly express and coordinate accumulated security risk within the organization allows us to focus on addressing the most critical organizational risks. In this blog, I will demonstrate the risk methodologies and best practices we\u2019ve developed at Adobe that have helped us rapidly measure security risk in a constantly changing security landscape.<\/p>\n For the purposes of baselining the term \u201crisk,\u201d let\u2019s use the National Institute of Standards and Technology (NIST)<\/a> definition, which defines a risk as \u201ca measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.\u201d<\/em><\/p>\n The goal of an effective risk management program is to build an active function in which risks are identified, triaged in a consistent manner, and presented to leadership for action via risk-based decisions. However, a common pitfall to reaching this goal is maintaining a risk management program that ends up with hundreds \u2014 or even thousands \u2014 of tracked risks without any real action.<\/p>\n To understand this better, let\u2019s walk through an example:<\/p>\n Let\u2019s say you perform a vulnerability scan against your environment and receive back a report of 500 identified vulnerabilities. Technically, each individual vulnerability represents a unique risk to the organization.<\/p>\n Rather than adding a list of vulnerabilities to the risk register, it\u2019s important to note that existing capabilities and processes in your security organization can be leveraged to mitigate those risks. For example, a well-established vulnerability management program may proactively address the risks associated with identified vulnerabilities by directly issuing tickets to offending teams for mitigation, thereby removing the need to add each individual vulnerability risk to your register.<\/p>\n Given this understanding, Adobe primarily registers risks in our program under the following two (2) conditions:<\/p>\n Once you start identifying and collecting risks in your register, the next step is to triage (or assess) the level of risk to the organization. The assessment\u2019s results will provide guidance on which risks to prioritize and treat first, versus risks that may pose a less severe threat and grant you some flexibility.<\/p>\n Two (2) industry standards prevail when it comes to performing risk assessments:<\/p>\n Our team uses both methods, with qualitative methods indicating speed, agility, and ease of understanding backed by quantitative data and numerical calculations determining the risk prioritization. This assessment process allows Adobe to remain agile and provide leadership the right information to make critical decisions. Organizations must evolve from point-in-time, compliance-driven, annual risk assessments to a continuous, real-time risk and threat evaluation.<\/p>\n Rating Inherent Risks<\/em><\/strong><\/p>\n To demonstrate our agile approach to strategic risk management, let\u2019s use the following industry standard risk measurements:<\/p>\n Before starting a risk assessment, it is vital to ensure the risk itself is sufficiently documented in description and in detail \u2014 both technical and non-technical.<\/p>\n To develop a system that can consistently evaluate information and rapidly determine the likelihood and impact of any risk, we formulated a listing of boolean (Yes\/No<\/em>) questions during the risk intake process.<\/p>\n Question Examples:<\/p>\n All risk ratings start at \u201cLow,\u201d or a score of 0, and increase as triage questions are answered with a \u201cYes<\/em>\u201d response. The same set of questions are used to assess each ingested risk, allowing for rapid apples-to-apples comparison regardless of risk domain, category, or type. This uniform intake measurement process allows us to quickly identify the most significant inherent risks to our organization.<\/p>\n Determining Security Posture & Residual Risk<\/em><\/strong><\/p>\n Once we\u2019ve determined inherent risk, we evaluate our security posture in relation to the risk. Security posture refers to an organization\u2019s overall cybersecurity strength and how well it can predict, prevent, and respond to security threats and risks.<\/p>\n At Adobe, we utilize the Adobe Common Controls Framework (CCF)<\/a> as the foundation of our security posture. The CCF is applied across the enterprise to ensure a standard baseline of risk mitigation security controls are applied. In addition to our CCF controls, we also consider the following in relation to overall security posture:<\/p>\n To help determine the overall security posture for a given risk, we\u2019ve established a Security Risk Operating Committee comprised of subject matter experts. These experts meet frequently with the security risk management team to provide expert insight, knowledge, and guidance to be considered during the risk evaluation process. Once we determine security posture, we can calculate the remaining residual risk.<\/p>\n It\u2019s important to define your organization\u2019s residual risk thresholds. These thresholds may be either quantitative (e.g., a score above 75, impacting X $\u2019s of annualized revenue) or qualitative (e.g., High or above) in nature. Any risk resulting in a residual risk at or above the threshold is reported to the Risk Steering Committee or appropriate leadership team in the organization for risk-response prioritization and decision-making.<\/p>\n By establishing clear, documented processes for assessing security risks, we can create an agile methodology that quickly arms leadership with the appropriate information to make decisions on the highest, and most critical, risk issues facing the organization.<\/p>\n Security risk management can quickly become a convoluted process, often requiring input from multiple teams and resulting in delayed decision-making. To ensure their resources are continually focused on addressing the most critical issues, it is crucial for organizations to establish agile and continuous risk evaluation programs. Threats are evolving and attacks are constantly changing. Are you evolving your risk program to keep up?<\/p>\n If you\u2019re interested in having a deeper conversation or joining a risk knowledge-sharing session, please contact us at securityrisk@adobe.com<\/a>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n![\"\"](\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/format:webp\/1*Dhjv5bw2d9F7iEa6YR-3gQ.jpeg)
Defining the Scope of a Risk Program<\/strong><\/h2>\n
\n
Performing a Risk Assessment<\/h2>\n
\n
\n
Inherent Risk = Likelihood x Impact<\/span><\/pre>\n\n
Residual Risk = Inherent Risk - Security Posture<\/span><\/pre>\n\n
\n
![\"\"](\"https:\/\/miro.medium.com\/v2\/resize:fit:640\/format:webp\/1*8U1M5ltyVWesjI8hcebusA.png)
Conclusion<\/h2>\n