Navigating risk in a complex world

Security is a subset of reliability, and risk is a consequence of dependence. These simple truths are often overlooked during times of disruption and crisis. But really understanding them, and how they relate to achieving resilience, is crucial when businesses have to operate in today's uncertain, dynamic and contested environments.

Organisations naturally want systems that support their mission-critical workflows and revenue-generating activities. Framing security in that context – the operating environment they’ve designed and the systems that need to work for them to function well – is particularly important when they are grappling with a virtually countless and growing set of external risks.

With remote working suddenly so commonplace, modern enterprises have become even more dependent on their internal networks and a wide range of internet-enabled services. Many are realising they need to update investments in IT and operational technology to ensure they can safely and confidently run their business in a decentralised and unprecedented way. This is proving to be more difficult and important than ever before.

The threat environment hasn’t recently changed in terms of who the bad actors are or the tactics and techniques they’re using, but as more employees are at home and worried about current events, they are more susceptible to phishing attacks.

Meanwhile, a huge amount of traffic is flowing through home devices and networks that lack the corporate visibility and security controls applied in core office networks. This is all happening at a time when companies are more dependent on IT, creating a perfect storm for hackers, especially ransomware groups.

In light of this, Jason Crabtree, co-founder and chief executive of technology company QOMPLX, says it’s vital organisations catalogue the range of vulnerabilities they have and the degree to which they think they are a target for different threat actors. In doing so, they can better understand the potential frequency and severity for the design scenarios they wish to consider. Those design scenarios provide a mechanism to enumerate an appropriate set of risks and create a risk register that identifies what risks exist, both before and after mitigation.

“You can’t mitigate everything and you’re never going to just ‘fix’ cybersecurity. It’s not as simple as buying security tools as if they are a virtual lock on the door,” he says. “You’ve got to have a holistic response, not to just remediate the actual deficiency if one were to occur, but also to understand the secondary and tertiary effects on the business, such as brand reputation, customer confidence, mandatory notifications or regulatory requirements, and how to estimate event severity and frequency to assign a risk level.

“A key aspect is looking at the landscape of different failures and incidents along with an objective assessment of the likelihood to remediate an incident quickly. The risk register process facilitates this, categorising the high risk and high effort, high risk but low effort, low risk but high effort and low risk but low effort.

“But it’s also really important for executives to spot check this work because we commonly see risk inventories that have a lot of hand-waving and a lot of lipstick on the pig. That can be an extraordinarily dangerous way for organisations to live, especially if they are already in a stressed state, such as during the ongoing pandemic. Risk registries are too important to be treated like a checkbox. They must be pursued earnestly to have any value.”

Companies often turn to traditional consultancy firms to build their risk register, but that can result in it not being truly reflective of the business as surveys by consultants are very different to real inspections.

QOMPLX dives into an organisation and leverages sensors on the network to enumerate the Active Directory environment, pulling back every user account in every group, examining attack paths on real data and then evaluating how privilege and access are being managed. Often this approach shows that reality does not match the company's own perception of its security posture or resilience.

QOMPLX’s software-as-a-service products focus predominantly on gaining accurate and direct visibility of security resiliency and network configuration. They begin by extracting all Active Directory information and integrating data sources to develop a ground-truth map of privileges.

Next, the company helps clients gain control over authentication by validating all Kerberos messages, before introducing additional detections and use cases that leverage Windows event logs and other existing sensors. The company also provides special-situations services to aid in developing security metrics programmes, supporting mergers and acquisitions, advanced open-source intelligence and integration of security programmes into an enterprise risk management or organisational resilience initiative.

“You’ve got to have that real-world mapping of your network,” says Crabtree. “What is the topology? What logs are available? How do privileges, vulnerabilities, exploits and threat actor profiles come together and relate to business processes? If this key service goes down, does it impact everything? Is there an elegant failure mode where you move from your primary to your alternate to your contingent to emergency kinds of functions?

“The only way to answer all of that and have an effective risk register is to do business-process mapping, understand critical dependency and implement monitoring software that keeps you as close to ground truth as you can at any given time.”

In an enterprise landscape with unprecedented uncertainty and unknowns, it’s crucial organisations are able to understand how prepared they are to weather successive shocks of disruption to their business. QOMPLX provides tools that allow them to evaluate critical assumptions, which are fundamental to managing risk.

“Great risk managers and executives experienced in leading through crisis focus on what must be true for everything else to continue to be valid,” says Crabtree. “They understand which critical IT and operational technology systems must be uninterrupted for the business to continue to function.

“If you work backwards from this lens, you can make sure things like maturity models and compliance are supporting that, but too many organisations lack the discipline required to navigate crises successfully and just assume they are fine because they are compliant and score well on a maturity model.

“Compliance should be about more than being afraid of your auditor. Maturity models must be about more than being laughed at by your peers. They are best when they mutually support security, which is about ensuring your unique business processes and obligations to your customers and other vested parties are fulfilled.

“Security is enabled by the technology, people, processes and data flows you can maintain, not just when the sun is shining and everyone’s at their desks, but when the worst case happens. That’s the world we live in. It’s a complex environment, but QOMPLX helps organisations navigate this with a bit more poise and elegance so they can be more successful.”

For more information please visit