Risk remediation: beware the silver bullet solution, says National Trust security chief
There is no quick fix when it comes to tackling vulnerabilities, says Jon Townsend
You can't do much about threats but you can do something about vulnerabilities. That is the philosophy advanced by Jon Townsend, director of technology and information security at conservation charity the National Trust, during Computing's Enterprise Security Summit on Thursday.
"I can't control what's going on out there but I do have control over my systems. I try to focus on the simple things. Identifying vulnerabilities and fixing them," he said.
Townsend referred to the security analysis equation: risk = threat x vulnerability.
Since threats are beyond an organisation's control, the way to reduce the risk is to fix vulnerabilities. But how do you find vulnerabilities, and which should be prioritised?
Generally, a mixture of quantitative methods, such as annualised loss expectancy (ALE) or value at risk (VaR), and qualitative methods works best, so that a number can be applied to a particular risk while outcomes such as reputational damage, which are harder to quantify, are also included in the assessment.
"Generally people will try to put a score on it then add a bit of subjectivity as well," said Townsend. "It doesn't matter what method you use so long as it works for you, but the important thing is to be able to put a score on risks to allow them to be ranked."
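The scoring approach described above, as an added worked example that is not from the talk or the National Trust: a small risk register is scored quantitatively with annualised loss expectancy (the standard definitions SLE = asset value x exposure factor and ALE = SLE x annual rate of occurrence) and qualitatively with an analyst score of 1 to 5 for harder-to-quantify outcomes, then ranked on a blended score. The sample register, the asset values, the 30% qualitative weight and the normalisation choice are all constructed assumptions for illustration.

```python
"""Risk register scoring and ranking (added example; the register and
weights are constructed, not real National Trust figures)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # monetary value of the affected asset (assumed)
    exposure_factor: float  # fraction of asset value lost per incident, 0..1
    aro: float              # annual rate of occurrence: expected incidents/year
    qualitative: int        # analyst score 1 (negligible) .. 5 (severe) for intangibles


def single_loss_expectancy(r: Risk) -> float:
    """SLE = asset value x exposure factor (standard definition)."""
    return r.asset_value * r.exposure_factor


def annualised_loss_expectancy(r: Risk) -> float:
    """ALE = SLE x ARO (standard definition)."""
    return single_loss_expectancy(r) * r.aro


def composite_score(r: Risk, register: list[Risk], qual_weight: float = 0.3) -> float:
    """Blend the quantitative and qualitative views onto one 0..1 scale.

    ALE is normalised against the largest ALE in the register; the 1..5
    qualitative score is normalised to 0..1. The weight is an assumed
    policy choice, which is exactly the 'bit of subjectivity' the talk
    describes: whatever method is used, it must yield a rankable number.
    """
    max_ale = max(annualised_loss_expectancy(x) for x in register)
    ale_part = annualised_loss_expectancy(r) / max_ale if max_ale > 0 else 0.0
    qual_part = (r.qualitative - 1) / 4
    return (1 - qual_weight) * ale_part + qual_weight * qual_part


def rank_risks(register: list[Risk], qual_weight: float = 0.3) -> list[tuple[str, float, float]]:
    """Return (name, ALE, composite score) sorted highest score first."""
    rows = [
        (r.name, annualised_loss_expectancy(r), composite_score(r, register, qual_weight))
        for r in register
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register. Two risks share the same ALE so the
# qualitative score decides their order; the database exposure has a low
# ALE but a high reputational score, so it outranks the laptop loss.
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing web server", 500_000, 0.4, 0.5, 4),
    Risk("Phishing leading to credential theft", 250_000, 0.2, 2.0, 5),
    Risk("Loss of unencrypted laptop", 100_000, 0.5, 0.3, 3),
    Risk("Supporter database exposure", 800_000, 0.1, 0.05, 5),
]


if __name__ == "__main__":
    for name, ale, score in rank_risks(SAMPLE_REGISTER):
        print(f"{score:.3f}  ALE={ale:>10,.0f}  {name}")
```

The ranking is the deliverable: it tells you which vulnerability to fix first, and re-running it after each remediation cycle gives the "revisit" step the talk asks for.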
The easiest way to reduce vulnerabilities is to keep systems up to date. However, this is not enough on its own. The vast majority of attacks exploit well known vulnerabilities, Townsend said, some of which have been known about for years.
"We'll run a pen test and find a vulnerability, then we'll replace systems, test again and we find it's still there," he said, adding that workarounds need to go well beyond the obvious technical fix, because almost all data breaches involve human agency.
"You need to think about the people and processes around those system vulnerabilities, because any work you do in the technical sphere can easily be undone by a simple action."
To communicate risk to employees, IT people really need to focus on the message, he said.
"We like a good abbreviation in security and technology so GDPR, PCI DSS, but that's completely opaque to the ordinary business."
However, Townsend added, simple user education is never enough. He gave the example of a person clicking on a malicious link in an email.
"Why are we one click away from disaster? Generally it's because as technologists we've identified the risk but we haven't dealt with it. Education is important, but why should we put the burden on the end user? Sometimes I feel it is used by us in the technology sphere to avoid having to tackle the underlying ills."
Risk remediation can't be static, he went on. It needs to evolve through constant testing and iteration.
"Pick a system like CIS critical security controls or ISO and methodically work through the vulnerabilities, then revisit them."
He urged firms to be wary of 'silver bullet' solutions proffered by vendors, as all companies are different and there is never a one-size-fits-all solution that covers every situation and business process.
"Yes, there are things like machine learning that enable us to detect issues as they arise, great, but if we don't solve the underlying problems they're papering over the cracks."