June 26, 2024

Strategic Risk Management for CISOs: A Holistic and Consolidated Approach

By Sohail Iqbal

As Chief Information Security Officers (CISOs), it's crucial to manage risks in a holistic and consolidated manner as the landscape of threats, particularly those targeting applications, continues to evolve and expand. With the increasing reliance on digital technologies, artificial intelligence (AI), and cloud-based services, the attack surface for potential cyber threats is growing and changing. Here’s what you need to know about a holistic and consolidated approach to risk management for 2024 and beyond. 

Where to Focus Strategic Risk Management in 2024 and Beyond 

Strategic risk management in cybersecurity is about anticipating and preparing for potential risks and threats, rather than simply reacting to them. Looking ahead, instead of building core competency in individual segments, strategic risk management will be driven from the organization level. It will be about what affects the organization through the lens of overall risk, rather than about finding gaps in individual segments. Let's go deeper into the ways that lens of overall risk is being shaped.

Critical Ways the Risk Landscape is Evolving 

With the rise of digital transformation and the increasing reliance on cloud-based services, the number of applications used by organizations will only continue to grow. This means that the attack surface available to cybercriminals will also continue to grow, making it critical for CISOs to find a way to consolidate information and look at things holistically.

Also, applications are increasingly being targeted. The Verizon 2024 Data Breach Investigations Report states: "Our ways-in analysis witnessed a substantial growth of attacks involving the exploitation of vulnerabilities as the critical path to initiate a breach when compared to previous years. It almost tripled (180% increase) from last year, which will come as no surprise to anyone who has been following the effect of MOVEit and similar zero-day vulnerabilities."  

The Historical Context and Its Limitations 

But let's face it: application security is hard. Traditionally, application security programs have been reactive. Many organizations have conducted dynamic analysis and penetration tests at the time of application release, followed by periodic vulnerability management.

This approach, while compliant, often resulted in security measures that were merely point-in-time assessments. They lacked continuity and adaptability, which are critical in today's fast-evolving threat landscape. According to research, a staggering 79% of third-party libraries are never updated after being included in the codebase, underscoring a prevalent neglect in continuous security practices. 

The Shift Towards Continuous and Integrated Risk Management 

Recent industry shifts, driven by high-profile security breaches and regulatory pressures, have underscored the need for a more continuous approach. The introduction of frameworks and executive orders focusing heavily on application security has been a forcing function of ongoing accountability. For instance, the emphasis has moved towards understanding the 'DNA' of applications—not just at a single point but continuously.  

Tools and practices integrated into the development environment that provide continuous feedback and allow for real-time risk assessment become invaluable in this context. Just because a software system is secure today, doesn’t guarantee that it’s secure tomorrow. If your program isn’t continuous, you won’t have visibility into the current state of the application. We'll discuss more about visibility after bringing up another critical factor: AI. 

How AI is Adding to this Shift 

We’re seeing more code generated using Generative AI, and this poses a velocity and scale problem. If you’re writing or assembling applications at AI’s speed, then you need to remediate at that speed. When this is done continuously with a tool integrated in the developer environment, it gets you ahead of risk. 

AI can be an incredible ally in the remediation of risk; AI that’s trained on patches for vulnerabilities based on credible security research takes a massive security burden off a developer’s shoulders. On average, Veracode Fix can address 74% of Java vulnerabilities discovered by Veracode SAST, without your developers writing a single line of new code. 

What’s Needed for a Holistic and Consolidated Approach 

Visibility is one of the key benefits of the integrated and continuous security implementation, but how can we consolidate the magnitude of information coming from all the tools and prioritize what teams focus on? 

Longbow, powered by Veracode, builds you a risk management dashboard that aggregates siloed data and provides unified, usable context about whether a given risk matters to the business. This means moving beyond "vulnerabilities" and siloed data to a single, panoramic view of the risk picture from code to cloud.

You’re able to answer vital questions like: 

  • What’s exposed?  

  • What has risk, and what's contributing the greatest amount of risk? 

  • What actions are MOST impactful? 

Actions based on the answers to these questions not only enhance your security posture but also align action more closely with business objectives – allowing you to reduce the maximum amount of risk with the least effort.  
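The consolidation and prioritization the three questions above describe can be illustrated with a small script. The following is an added example and not Longbow's or Veracode's code: it takes findings from three hypothetical scanners (SAST, SCA, cloud configuration), removes duplicates reported by more than one scan, attaches constructed business context (internet exposure and criticality) to each asset, and then answers "what's exposed", "what contributes the most risk" and "which fix reduces the most risk per unit of effort". The scoring weights, tool names, library names and asset names are all assumptions made for the example.

```python
"""
Added example (not Veracode's or Longbow's code): consolidate findings from
several siloed scanners into one per-asset risk view and rank remediation
actions by risk reduced per unit of effort. All inputs are constructed.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed findings from three hypothetical tools. "asset" names the
# application or workload the finding belongs to; "severity" is a 1..5
# scale and "fix_effort" a rough effort estimate in engineer-days.
FINDINGS: List[dict] = [
    {"tool": "sast",  "asset": "payments-api",     "id": "CWE-89",               "severity": 5, "fix_effort": 2},
    {"tool": "sca",   "asset": "payments-api",     "id": "lib:example-json@1.0", "severity": 4, "fix_effort": 1},
    {"tool": "sca",   "asset": "payments-api",     "id": "lib:example-json@1.0", "severity": 4, "fix_effort": 1},  # duplicate from a second scan
    {"tool": "cloud", "asset": "payments-api",     "id": "public-ingress",       "severity": 3, "fix_effort": 1},
    {"tool": "sast",  "asset": "internal-reports", "id": "CWE-79",               "severity": 4, "fix_effort": 2},
    {"tool": "sca",   "asset": "internal-reports", "id": "lib:example-xml@2.3",  "severity": 5, "fix_effort": 3},
]

# Constructed business context for each asset (the part the individual
# scanners do not know): internet exposure and business criticality (1..3).
ASSETS: Dict[str, dict] = {
    "payments-api":     {"internet_facing": True,  "criticality": 3},
    "internal-reports": {"internet_facing": False, "criticality": 1},
}

# Assumed weighting: an internet-facing asset doubles a finding's risk.
EXPOSURE_MULTIPLIER = {True: 2.0, False: 1.0}


def dedupe(findings: List[dict]) -> List[dict]:
    """Collapse the same issue on the same asset reported by several scans."""
    seen = set()
    unique = []
    for f in findings:
        key = (f["asset"], f["id"])
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def finding_risk(f: dict, assets: Dict[str, dict]) -> float:
    """Risk contribution of one finding given its asset's business context."""
    asset = assets[f["asset"]]
    return f["severity"] * asset["criticality"] * EXPOSURE_MULTIPLIER[asset["internet_facing"]]


def exposed_assets(findings: List[dict], assets: Dict[str, dict]) -> List[str]:
    """'What's exposed?': internet-facing assets that carry at least one finding."""
    with_findings = {f["asset"] for f in dedupe(findings)}
    return sorted(a for a in with_findings if assets[a]["internet_facing"])


def risk_by_asset(findings: List[dict], assets: Dict[str, dict]) -> Dict[str, float]:
    """'What's contributing the most risk?': total risk rolled up per asset."""
    totals: Dict[str, float] = defaultdict(float)
    for f in dedupe(findings):
        totals[f["asset"]] += finding_risk(f, assets)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def prioritize(findings: List[dict], assets: Dict[str, dict]) -> List[dict]:
    """'What actions are most impactful?': fixes ranked by risk removed per unit effort."""
    ranked = []
    for f in dedupe(findings):
        risk = finding_risk(f, assets)
        ranked.append({**f, "risk": risk, "risk_per_effort": risk / f["fix_effort"]})
    ranked.sort(key=lambda r: r["risk_per_effort"], reverse=True)
    return ranked


if __name__ == "__main__":
    print("Exposed assets:", exposed_assets(FINDINGS, ASSETS))
    print("Risk by asset:", risk_by_asset(FINDINGS, ASSETS))
    for r in prioritize(FINDINGS, ASSETS):
        print(f"{r['asset']:<18} {r['id']:<24} risk={r['risk']:>5.1f} per-effort={r['risk_per_effort']:>5.1f}")
```

The point of the example is that the same SCA finding (`lib:example-xml@2.3`, severity 5) on an internal, low-criticality asset ends up at the bottom of the list, while a lower-severity dependency issue on the internet-facing payments service ends up at the top: severity alone, as reported by any single tool, is not the ordering the business needs.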


Conclusion: The Road Ahead for CISOs 

By embracing a holistic and consolidated view of risk management, CISOs can ensure that their organizations are better equipped to face the challenges of an increasingly complex cyber environment, thereby safeguarding their critical assets and supporting their business objectives.

For the critical capabilities needed to begin a proactive application risk management program, read my recent blog.


Sohail Iqbal is Veracode's Chief Information Security Officer. He has been instrumental in developing and maturing security practices as Head of Cybersecurity Operations at Dow Jones / WSJ, CISO at J2 Global, and recently Head of Information Security at CarGurus. Sohail is an active member of many security conferences and seminars, and contributes frequently to the cybersecurity community. Sohail is also an avid cricketer and has been playing for the Cricket League of NJ for the past 20 years.