Tracking risk to manage it: the 7th Annual Virtual Cybersecurity Conference for Executives.

Darren Lacey, CISO for Johns Hopkins University and Johns Hopkins Medicine, closed this year's conference, addressing ways for organizations to track and manage their risk.

Look at likely cyber threats, not just valuable assets.

Lacey said organizations should structure their penetration testing programs not only based on their assets, but also by looking at the most likely types of attacks outlined by the MITRE ATT&CK framework.

“You can decompose your adversarial testing program not just according to, ‘what are all my assets?’ You can also decompose it by ‘what are all the kinds of attacks?’” he said. “And you can build testing mechanisms – both preventive and detecting mechanisms – that go against both....The purpose of this is so that everyone on the security team understands a metric from which they’re trying to work from. That we are protecting data, we’re protecting assets, those types of things, but we’re protecting assets against something.”

Risks associated with security controls.

Lacey noted that security controls themselves have a certain level of risk associated with them, particularly due to disruption, and this should be taken into account as well.

“Every risk intervention that you have, or security control, contains, in itself, risk,” he said. “And so, what people outside the security business don’t really understand what the risks are of the specific interventions. And you’ll often hear people say, well, that will make us more secure, why don’t we do that?...And you may have good reasons not to do that, or at least not to do that right away. When people ask me what I do for a living, I say I manage these kinds of risks – I try to keep my security technologies from killing each other, or my security controls from rendering the environment uninhabitable.”

And privacy and autonomy are at risk, too.

Lacey added that privacy and autonomy are also an important part of the equation. 

“We have to balance our security controls against what the legitimate expectations of privacy are and autonomy, that is, that they can do what they want to do with the technology tools that they have in order to accomplish their specific objectives in the enterprise,” he said. “Especially in an academic environment, that individual autonomy is one of the reasons you become an academic. It’s also one of the glories of the academic enterprise, is lots of people can try different things and some of them fail and some of them work, but you don’t have Big Brother – you don’t have me – chasing everybody down saying, why didn’t you do X as securely as you could? And they’re like, well, I was too busy advancing the state of science.”