Demo of the CyCognito Platform

See the CyCognito platform in action to understand how it can help you identify, prioritize and eliminate your most critical risks. 

State of External Exposure Management, Summer 2024 Edition

Download the report now to stay ahead of emerging threats and strengthen your organization’s security posture for 2024. 

The Total Economic Impact™ of The CyCognito Platform

Read The Total Economic Impact™ of The CyCognito Platform — a Forrester study. Cost Savings And Business Benefits Enabled By The CyCognito Platform. 

 
Perspectives

You Can’t Just Walk Away from Subsidiary IT Risk

CyCognito
By CyCognito Staff
Rule Your Risk
May 22, 2020

If a product can help you evaluate third-party IT risk, it’s not a huge stretch to imagine that same product could help you assess the security risk of your subsidiaries. But many of the chief information security officers (CISOs) we talk to who have tried to apply a security ratings service  to the challenge of monitoring their subsidiaries’ security tell us this approach really hasn’t worked for them. Here’s why:

There’s a big difference in your level of responsibility for a subsidiary owned by your parent company and a third-party you are considering doing business with.

Network connections with either can introduce your organization to risk, of course, but you can’t just walk away from the security issues of your subsidiaries the way you can from an independent vendor. Ultimately your organization has the responsibility for addressing the IT risks in your subsidiaries. Thus, you’re not just looking to score the level of risk at your subsidiaries, you are looking to remediate and manage issues.

Deep security expertise must be built into your subsidiary risk management approach.

Expertise that helps you prioritize the many exposures identified and guides subsidiary teams to quickly remediate those exposures. The lack of useful remediation guidance in security ratings products is perhaps the biggest complaint we hear from CISOs who have tried unsuccessfully to use a security ratings service to manage their subsidiary or corporate risk and are now looking for a better way to do it. A product that is built for managing subsidiary risk should be able to identify:

  • which attack surface assets in the subsidiary are most critical to protect
  • which assets will be most desirable to attackers
  • which paths into the attack surface attackers are most likely to exploit
  • precisely how and where subsidiary security teams can remediate any identified attack vectors

Many corporate IT security teams oversee subsidiary risk but do not have hands-on engagement. CISOs tell us that they prefer being able to identify the highest priority risks at their subsidiaries and then offer the subsidiary security teams detailed remediation guidance about how and where to eliminate those risks. That increases the effectiveness and efficiency of all their security teams and improves their overall security. 

Managing subsidiary risk is a matter of both scale and frequency. 

Many organizations grow by acquisition, so their attack surfaces are ever expanding, which presents additional overload for already over-burdened and finite corporate security teams. A product that is purpose-built for managing subsidiaries should include efficiencies that scale, with a process that works for one subsidiary — or a thousand. 

CISOs want an overall view of their security posture as an organization/conglomerate, as well as the detailed risk view of each subsidiary and the ability to track and report on the same. And monitoring subsidiary risk has to be an ongoing process that can easily absorb oversight of new subsidiaries and the ever-changing attack surfaces of each of them without substantial additional overhead.  


Topics



Search the Blog



Recent Posts






Tim Matthews
How to Budget for EASM
By Tim Matthews
November 18, 2024


Top Tags



CyCognito Research Report

State of External Exposure Management, Summer 2024 Edition

State of External Exposure Management, Summer 2024 Edition

Download the report now to stay ahead of emerging threats and strengthen your organization’s security posture for 2024.

O'Reilly Report

Moving from Vulnerability Management to Exposure Management

Moving from Vulnerability Management to Exposure Management

Download the report to learn about the historical trends behind the emergence of exposure management, how to develop a strategic plan and assemble a team to smoothly transition frameworks, and example tech stacks to consider for your organization.

Request a Free Scan

See Exactly What Attackers See

Get a Free Scan of Your Attack Surface

Get a free scan of your attack surface and gain valuable insight into your organization's risk posture by allowing CyCognito to discover, contextualize, and test externally exposed assets on a portion of your parent company or a single subsidiary.