
What Adjustable Dumbbells Can Teach Us About Risk Management

A new workout leads to five smart lessons about the importance of converging security and fraud into a unified risk function.

Joshua Goldfarb, Field CISO

August 8, 2022

[Image: a set of adjustable dumbbells. Source: Jordan McLeland via Alamy Stock Photo]

Recently, I found inspiration in a set of adjustable dumbbells. I purchased these dumbbells in an effort to get into better shape. When they arrived, I found the four weight-adjusting mechanisms to be very intuitive and easy to use. I was soon on my way to a bit of strength training.

There was only one complication. A few days into using the dumbbells, I found that one of the four mechanisms wasn't quite working properly. In an effort to troubleshoot the issue, I tried a few different things — a trial and error of sorts. It took a few iterations of placing the adjustable dumbbells in their holders in different orientations and swapping the dumbbells between holders.

At last, having visibility into both the dumbbells and their holders, I isolated the issue. A small metal tab on the holder that presses on a piece on the dumbbell that releases the lock was slightly bent. Thus, it was not releasing the lock properly, which prevented me from adjusting the weight on the dumbbell. Once isolated, it was a quick and easy fix — I bent the small tab ever so slightly so that it released the lock properly.

You might be asking yourself what this story has to do with security and fraud. Allow me to share with you the lesson I learned from this: the importance of the convergence of security and fraud.

Just as I could not have troubleshot the dumbbell issue without having visibility into both the dumbbells and their holders, enterprises cannot properly manage risk without having a converged view into both security and fraud. In other words, enterprises must have a unified view of risk, across security and fraud.

5 Ways Combining Security and Fraud Reduces Risk

To help illustrate the importance of a converged risk program, let's take a look at five ways in which security and fraud work together to reduce risk across the enterprise:

1. Shattering silos: Effectively managing risk across an enterprise requires teamwork across a variety of groups and functions. Combining security and fraud under a converged risk umbrella sends a signal that everyone is on the same team and working toward the same goals. It also sends the message that silos and the turf wars, politics, and inefficiencies they bring have no place in the enterprise.

2. Less biased risk metrics: Most enterprises maintain a risk register and regularly review, evaluate, and audit both inherent and residual risk. Risks are assigned to different groups within the enterprise, and the management, monitoring, and mitigation of those risks are delegated to those groups. Sounds logical, right? The problem is that there isn't a perfect 1:1 mapping here. As a result, there is overlap — some risks wind up assigned and delegated to multiple groups. Thus begins the double (or multiple) counting of exposure, which translates to inaccurate and biased risk metrics. While combining security and fraud will not eliminate this problem entirely, it will help reduce the bias of risk metrics.
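To make the double-counting problem concrete, here is an added example (not from the article or its author) that uses a small constructed risk register. Each risk carries an annualized loss expectancy (ALE) and one or more owning groups; the register entries, group names, and dollar figures are all assumptions for illustration. Summing what each silo reports counts every shared risk once per owner, while a converged view counts each risk id exactly once.

```python
"""Added example: how shared ownership inflates reported exposure.

The register below is constructed for illustration; it is not real data.
Tuple layout: (risk id, description, owning groups, ALE in USD).
"""
from collections import defaultdict

RISK_REGISTER = [
    ("R-001", "account takeover via credential stuffing", {"security", "fraud"}, 400_000),
    ("R-002", "payment card testing on checkout API", {"security", "fraud"}, 250_000),
    ("R-003", "ransomware on file servers", {"security"}, 900_000),
    ("R-004", "first-party chargeback abuse", {"fraud"}, 150_000),
]


def exposure_by_group(register):
    """Per-group ALE as each silo would report it.

    A risk owned by two groups appears in both groups' totals.
    """
    totals = defaultdict(int)
    for _, _, owners, ale in register:
        for group in owners:
            totals[group] += ale
    return dict(totals)


def siloed_total(register):
    """What leadership sees if the silo reports are simply added together."""
    return sum(exposure_by_group(register).values())


def converged_total(register):
    """Unified view: each risk id contributes once, however many groups own it."""
    per_risk = {}
    for rid, _, _, ale in register:
        per_risk[rid] = ale
    return sum(per_risk.values())


def double_counted(register):
    """Risk ids with more than one owner, i.e. the source of the inflation."""
    return sorted(rid for rid, _, owners, _ in register if len(owners) > 1)


def overstatement(register):
    """How much the siloed figure overstates true exposure."""
    return siloed_total(register) - converged_total(register)


if __name__ == "__main__":
    print("per group:", exposure_by_group(RISK_REGISTER))
    print("siloed total:", siloed_total(RISK_REGISTER))
    print("converged total:", converged_total(RISK_REGISTER))
    print("shared risks:", double_counted(RISK_REGISTER))
    print("overstated by:", overstatement(RISK_REGISTER))
```

With the constructed register, the two silo reports add up to $2.35M while the deduplicated exposure is $1.7M; the $650K gap comes entirely from the two risks both teams own. The point of the exercise is that the inflation is invisible inside either silo, since each group's own numbers are internally correct.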

3. Better monitoring: As you can imagine, visibility into what is happening across the enterprise on the network, within applications, and in cloud environments is critical to proper security and fraud monitoring. Visibility is not the only important factor, of course, but it is one of the most important. When kept separate, security and fraud will naturally develop their own technology stacks. They will have different visibility across the enterprise, different risks they are concerned about, different skill sets developing alerting and eventing content, and different processes and procedures. But what happens when a threat actor jumps from one monitoring silo to another? Chances are that neither group will be able to piece together the bigger picture, and that introduces risk. Combining security and fraud reduces the risk of this happening and facilitates improved monitoring across the enterprise.

4. More complete investigation: When security and fraud are converged, not only is monitoring improved, but so is investigation. In the event that there is a security or fraud incident, analysts (whether their expertise is security, fraud, or both) will need to query and analyze data from a wide variety of sources. When security and fraud are siloed, this is more complex than it needs to be. A converged risk function, on the other hand, should ideally have access to all of the requisite visibility in order to properly and fully investigate the incident.
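The monitoring and investigation points above share one mechanism: an activity chain that starts in the security stack and ends in the fraud stack is only visible when both sources are queried together. The following added example (not the article's or the author's code) correlates constructed events from the two silos by account within a time window. Every event name, account id, and timestamp is made up for illustration, and the six-hour window is an assumed analyst choice.

```python
"""Added example: stitching a cross-silo activity chain by shared account.

Each silo sees only its half of the story; joined on account and time,
the halves form one sequence. All events below are constructed sample data.
Tuple layout: (source, ISO timestamp, account id, event name).
"""
from collections import defaultdict
from datetime import datetime, timedelta

SECURITY_EVENTS = [
    ("security", "2022-08-01T02:10:00", "acct-1001", "login_from_new_country"),
    ("security", "2022-08-01T02:12:00", "acct-1001", "mfa_reset"),
    ("security", "2022-08-01T09:00:00", "acct-2002", "password_change"),
]

FRAUD_EVENTS = [
    ("fraud", "2022-08-01T02:40:00", "acct-1001", "payee_added"),
    ("fraud", "2022-08-01T02:45:00", "acct-1001", "transfer_above_limit"),
    ("fraud", "2022-08-03T11:00:00", "acct-2002", "transfer_above_limit"),
]


def parse(events):
    """Convert the string timestamps into datetime objects for arithmetic."""
    return [(src, datetime.fromisoformat(ts), acct, name) for src, ts, acct, name in events]


def cross_silo_chains(security, fraud, window=timedelta(hours=6)):
    """Return {account: [(source, timestamp, event), ...]} for accounts where a
    fraud event follows a security event on the same account within `window`.

    Either feed on its own would show only half of each chain.
    """
    by_account = defaultdict(list)
    for event in parse(security) + parse(fraud):
        by_account[event[2]].append(event)

    chains = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e[1])
        security_times = [e[1] for e in events if e[0] == "security"]
        linked = any(
            e[0] == "fraud"
            and any(timedelta(0) <= (e[1] - t) <= window for t in security_times)
            for e in events
        )
        if linked:
            chains[account] = [(e[0], e[1].isoformat(), e[3]) for e in events]
    return chains


if __name__ == "__main__":
    for account, chain in cross_silo_chains(SECURITY_EVENTS, FRAUD_EVENTS).items():
        print(account)
        for source, ts, name in chain:
            print(f"  {ts}  {source:<8} {name}")
```

With the constructed data, acct-1001 is flagged: a new-country login and MFA reset (security telemetry) are followed within the hour by a new payee and an over-limit transfer (fraud telemetry). acct-2002 is not, because its password change and transfer are two days apart. Neither the security nor the fraud feed alone contains enough to call acct-1001 a chain; the join on account is what the converged view supplies.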

5. More efficient response: Given that a large amount of fraud happens in digital channels, the line between areas of responsibility for security and fraud is blurred to begin with. And that's all the more so when it comes time to respond to a potential incident. Coordination and collaboration are required across security, fraud, IT, and other areas of the business. Having security and fraud converged at the outset makes the response more efficient and smooth. If multiple responses are going on at the same time, those efficiency gains can really begin to add up.

Strategic thinking, determination, and resources are required to converge security and fraud. It is a worthwhile investment, however, that pays immediate dividends. Converging security and fraud into a unified risk function enables and empowers enterprises to more efficiently and effectively mitigate risk.

About the Author

Joshua Goldfarb

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.
