Bridging the Gaps in Your Cyber Risk Management Strategy

Cyber risk management is a complex process that involves identifying, assessing, and mitigating risks that could potentially disrupt an organization’s operations. The stakes are high, and the consequences of failing to manage these risks can be catastrophic. Yet, despite the availability of numerous tools designed to help organizations in this endeavor, many cyber risk management programs still have critical gaps.

The Tools of Technical Control Cyber Risk Management

At the core of any robust cyber risk management program are tools designed to gather insights and build intelligence that informs decision-making. Tools like Security Information and Event Management (SIEM) systems, vulnerability scanners, and automated risk management platforms are commonplace. They are invaluable for identifying technical control vulnerabilities and indicators of compromise (IoCs) in systems.

SIEMs, for example, collect and analyze security-related data from various sources, allowing organizations to detect and respond to potential threats in real time. Vulnerability scanners systematically check systems for known weaknesses that could be exploited by attackers. Automated risk management tools aggregate these insights, providing risk managers with a comprehensive view of the technical landscape, allowing them to prioritize and address the most pressing technical vulnerabilities.

Additional Technical Control Vulnerability Solutions

In addition to SIEMs, vulnerability scanners, and automated risk management platforms, organizations often use several other tools to address technical control vulnerabilities:

• Endpoint Detection and Response (EDR): Tools like CrowdStrike Falcon and Microsoft Defender for Endpoint monitor and respond to threats on endpoints in real-time, helping to mitigate vulnerabilities at the device level.
• Intrusion Detection and Prevention Systems (IDPS): Tools such as Snort and Suricata monitor network traffic for suspicious activities, detecting and blocking potential threats in real-time.
• Cloud Security Posture Management (CSPM): For cloud environments, CSPM tools like Prisma Cloud and AWS Security Hub continuously monitor for misconfigurations, ensuring adherence to security best practices.
• Application Security Testing (AST): Tools like Veracode and Burp Suite identify vulnerabilities in application code during development, catching issues before they can be exploited in production.

While these tools are critical in addressing vulnerabilities across various aspects of an organization’s infrastructure, they predominantly focus on technical controls, ignoring administrative control vulnerabilities.

Why Aren't Technical Controls Enough?

There is a stark disparity in the number of solutions available for addressing technical control vulnerabilities compared to those for administrative controls. While the market is saturated with tools to manage and monitor technical controls, the solutions for identifying and mitigating administrative control vulnerabilities are far more limited. This imbalance has contributed to persistently high rates of human-enabled breaches—incidents where human errors or failures in administrative processes lead to significant security risks.

Audits and Penetration Testing

Two of the most common alternatives for assessing administrative control effectiveness are broadly scoped audits and penetration testing. These methods can provide deep insights into both technical and non-technical vulnerabilities within an organization.

Audits involve a systematic review of an organization’s policies, procedures, and practices to ensure compliance with established standards and identify any gaps. Penetration testing (pen testing) simulates attacks on an organization’s systems to uncover vulnerabilities that could be exploited by real-world attackers. When applied comprehensively, these approaches can help uncover issues with administrative controls.

However, both audits and pen testing have a significant limitation: they are point-in-time solutions. They provide a snapshot of the organization’s risk landscape at a particular moment but do not offer continuous oversight or engagement. Once the audit or pen test is complete, the organization is responsible for maintaining and updating the controls, often without ongoing support or insights until the next scheduled review.

Shared Responsibility: An Ongoing Solution

This is where Federated Cyber-Risk Management (FCR) and tools like the Sibylity Platform by SibylSoft (https://www.sibylsoft.com/) stand out. Unlike audits and pen testing, FCR is an ongoing methodology that enables shared responsibility for cybersecurity across an organization. FCR distributes the ownership of cyber risks to resource owners and their designated teams, ensuring that risk management is a continuous, collaborative process rather than a one-time event.

The Sibylity Platform is designed to enable FCR and acts as a persistent vulnerability scanner for administrative controls. Through broad participation, Sibylity continuously helps organizations identify gaps in their processes and procedures, offering real-time insights that go beyond the point-in-time results of audits and pen tests. By providing a structured, ongoing approach to assessing administrative controls, Sibylity supports organizations in maintaining a comprehensive and up-to-date understanding of their risk landscape, beyond technical controls alone.

Closing the Gaps in Cyber Risk Management

For cyber risk management to be truly effective, it must encompass the full spectrum of vulnerabilities—both technical and non-technical. The disparity between the abundance of tools for technical controls and the limited options for administrative controls underscores the challenges organizations face in achieving comprehensive risk management.

To truly safeguard your organization from evolving threats, it's crucial to close the most glaring gaps in your cyber risk management program by integrating comprehensive solutions like the Sibylity Platform and adopting methodologies such as FCR. It’s important to understand that no single tool can provide a complete solution. The most critical and often overlooked gap is in measuring the effectiveness of administrative controls. Without addressing this, organizations may find themselves vulnerable to the very human-enabled breaches they seek to prevent.

About the Author

Sonya Lowry is the creator of Federated Cyber-Risk Management (FCR), a revolutionary approach that transforms how organizations handle cybersecurity by fostering a culture of shared responsibility. Sonya’s work centers on empowering organizations to move beyond traditional, centralized security models by engaging every stakeholder in managing cyber risks and making cybersecurity a collective effort.

With a deep conviction that cybersecurity is as much about people as it is about technology, Sonya helps organizations implement FCR to build security-engaged cultures. In these environments, every employee understands the risks and is equipped with the knowledge and authority to take action, ensuring a more resilient and proactive defense against threats.

Sonya’s innovative approach to cybersecurity is built on over two decades of experience in information technology, data analytics, and risk management, including significant leadership roles in both the private and public sectors. However, her recent focus on integrating human-centered strategies with technical solutions through FCR is what truly sets her apart as a leader in the field. Sonya is dedicated to reshaping the cybersecurity landscape by ensuring that organizations are not only protected but also empowered to adapt and thrive in the face of ever-evolving threats.