Strategic risk analysis is key to ensure customer trust in product, customer-facing app security

CISOs are no longer only responsible for the cybersecurity of systems used internally. In many organizations they also focus on securing products and public-facing applications, and one way to do this well is through risk assessment.

Assessing risk requires identifying baseline security criteria around key elements such as customer contracts and regulatory requirements, Neil Lappage, partner at LeadingEdgeCyber and ISACA member, tells CSO. “From the start, you’ve got things you’re committed to such as requirements in customer contracts and regulatory requirements and you have to work within those parameters. And you need to understand who your interested parties are, the stakes they’ve got in the game, and the security objectives.”

The process of defining the risk profile of an organization also requires strong collaboration among IT, cybersecurity, and risk professionals. “How the organization knows the risk profile of the organization involves the cybersecurity team working with the IT and reporting to the business so these three things — cyber, IT and risk — work in unison,” he says. “If cyber sits isolated from the rest of the business, if it doesn’t understand the business, the risk is not optimized.”

Map security objective to customer trust model

For customer-oriented security, Lappage suggests mapping internal security objectives to the trust model the organization is looking to develop with its customers. “It’s understanding the risk profile of all those solutions that we’re providing to our customers.”

If an asset is internet facing, that’s a key component of the risk profile and stronger controls need to be applied where there’s a higher risk profile. “When those internet-facing systems are also ones that have got higher business impacts, then you’ve got to prioritize those systems,” Lappage says. “It’s following the protocol of prioritizing investment based on the inherent risk.”

Lappage also suggests that in large organizations, CISOs could be assisted by a business information security officer (BISO) who reports to the CISO. Having somebody in the organization who’s responsible for an area of security, that the CISO doesn’t need to directly manage, could provide more of a dedicated focus. However, he cautions that it shouldn’t lead to a situation where the CISO loses that complete view across the organization. “You’ve got people below them who can focus on those specific areas, but they must have the holistic view,” he says. 

Define external risk profiles

When considering how to invest resources and budget in areas with the most risk everything must be looked at from a risk perspective to see where the most heightened risks are, says Lexmark CISO Bryan Willett.

At the printers and imaging products business, teams need to maintain a secure business system just as they need to develop secure products. “We have back office systems and we have customer-facing portals that house customer data and company data, and it’s a process of risk assessment,” Willett tells CSO.

Lexmark’s security governance team handles cyber risk, while separate teams focus on supply chain risk, financial risk, and an enterprise risk management team looks at overall risk. Willett’s focus is enterprise, because that’s where they see critical risks emerging, while having oversight across the board.

In securing products that go into the hands of consumers, there’s a different set of considerations. “Delivering a secure product in a repeatable fashion is not just by chance. You have to have a good process and a well-informed population who knows what it means to deliver a secure product,” he says.

Business systems needs to be set up for internal monitoring and alerts, whereas a product needs to be designed so that a customer can monitor it. “That responsibility turns over to the customer for them to do the monitoring of that system software environment, which includes everything from the patching, monitoring logs, firmware updates and so on.”

At Lexmark, dedicated teams do outreach to work with customers subscribed to its services to help address security challenges and minimize security risks. “In the current environment, it’s a shared responsibility with that customer for them to apply those patches to their environment,” he says.

“Many times an organization will put a device in their environment, and as long as it works, they forget about it, which is not the posture we want our customers to have. We work hard on our side to make sure the software and firmware updates are available for those customers to update. And in the current environment, it’s a shared responsibility with that customer for them to then apply those patches to their environment,” Willett says.

Selling hardware can involve providing related services, whether it’s SaaS, PaaS or some kind of fulfillment service like toner in the case of printers. Whether it’s B2B or B2C, a customer interface brings its own set of complex security considerations because customer devices that communicate with company networks need to do this in a secure way.

Communicating with internet-connected customer devices means OS-level concerns that may include networking protocols and OS vulnerabilities as well as application-level concerns about making sure the API gateway is secure. “There’s an emerging industry right now around API security that’s looking for malicious signals within the API, some of them are prevention and some are detection solutions,” he says.

Risk analysis needs to consider the interface that devices use when communicating back to the company for firmware updates and the like. There can’t be a completely open tunnel between the external product or system and the organization’s environment and systems. It must have a way to validate everything that comes back while protecting from any malicious input, according to Willett.

The role of academic partnerships in risk-based security solutions

In some cases, strategic risk analysis can highlight particular security needs or gaps, and to help develop solutions, CISOs may turn to academic partnerships to apply dedicated research to the problem.

Lappage sees many positives in organizations embracing academic collaboration such as being able to harness some of the brightest minds to provide input and to generate ideas. It allows organizations to take a contemporary approach by bringing in young talent.

It’s also about developing the best solutions through strategic collaboration. Cybersecurity is a shared responsibility there’s not any one person or any one company who’s got the answers. It’s a collective effort and collective defense, according to Lappage.

Jill Slay, SmartSat CRC chair of cybersecurity at the University of South Australia, has worked across academia and industry engaging with vendors on solutions and in situations where there may be a sponsored company chair within the university setting.

SmartSat is a cooperative research center that has academic-industry partnerships and Slay says the cooperative research center (CRC) model has the benefit of being able to foster relationships, getting the sort of niche training, or being able to develop niche products and concepts with one or two people who know an area well.

But academics and researchers coming from academic settings need to know that businesses and vendors are less interested in an academic’s papers and citations, Slay says. “Businesses are more focused on an area of expertise and being able to apply research, knowledge and problem solving to address a need and develop some kind of new tool or solution.”

In her experience, academic partnerships work best when both sides have a strong idea of their agendas and what they want to get out of the relationship. However, she’s found it’s often done in an ad hoc way, where a company may know that a university has done a certain piece of work and ask them to do something similar.

She says there’s a need to develop a shared research question and agreed approach to collaborative research. “For it to work well, the CISO needs to be very clear about the company itself, its agenda and what it wants to explore or develop and its requirements,” she says.

One example of an academic-vendor arrangement is Intel’s researcher in residence program, where an academic on sabbatical joins the security team, using its lab facilities and bringing their learnings back to students. Yossi Oren, senior lecturer at Ben Gurion University, is Intel’s first researcher in residence.

Oren says academics enjoy priority access to new or yet-to-be released products, cutting-edge test equipment and experienced lab technicians who know how to use this equipment. “And most importantly, a deeper insight into the vendor’s own security assurance processes, which helps academic research be more effective and impactful.”

Academic security research teams have a unique character, which doesn’t exist anywhere else, according to Oren. He cites the mix of curiosity, competitive nature and dedication, combined with the moral and ethical code of academia, that makes it a productive arrangement.

“Seasoned with the creative and fearless attitude of graduate students, it makes academic researchers ideal for performing security research with the sole purpose is making the world a better place,” Oren tells CSO.