In post ‘Experts: Cyber risk management requires teamwork, preparation’ Sharon Shea reports about the 2014 Advanced Cyber Security Center conference.

“‘You are not going to eliminate the risk of attacks, you are going to manage the risk’ said Michael Chertoff, former secretary of the U.S. Department of Homeland Security and executive chairman and co-founder of the Chertoff Group, during his keynote presentation at the 2014 Advanced Cyber Security Center conference.”

Well said, I fully agree. The four ways to treat risks are to transfer, eliminate, accept, or mitigate them.

To eliminate a risk is more of academic value. Eliminating the risk means eliminating the function, thus, in the worst case, eliminating the business.

The fifth option, ignore, is not acceptable for an enterprise because the hours until you are out of business could be counted on the fingers of one hand.

Risk management always starts with identifying and evaluating the risk. This is the responsibility of the business groups, with support of IT. Once you have evaluated the risk you could start managing it. Managing the risk means to bring the risk to an acceptable level, e. g. by applying mitigation measures or accepting it.

For risk evaluation it’s very important to treat attacks by malicious insiders with the same probability as attacks at servers on the perimeter of your network. If this assumption is taken into account during risk evaluation you will come to a balanced approach.

The concept of the attack surface is perfectly suited to make this clear. Even a single, not hardened, server operated inside your network increases the attack surface of your IT system dramatically because it could be used by an attacker as a gateway into your system.

Risk management should always keep the overall attack surface of a company on an acceptable level.

Minimize your attack surface, and have a good day.