The first step to managing risk is to know exactly what it is that you want to secure. Your organization may need to protect customer data, payment information, or intellectual property. Once you know what's important and why, then you can start to tailor your risk management approach.
Do you know all the ways in which the bad guys can potentially access or compromise your firm’s most valuable assets? You can find out using tools, consultants, or a crowdsourced security platform. Make sure your testing covers the entire application portfolio, so your largest risk is not the risk you don't know about.
Penetration testing and bug bounty programs simulate the attacker perspective. You want the good guys to hack you so you can be aware of the risks and address them as needed - before the bad guys exploit vulnerabilities and potentially compromise the crown jewels.
Risk management tends to be activity-driven rather than outcome-driven. Use metrics to evaluate the effectiveness of risk management controls. For example, finding new security issues through code review or penetration testing does not by itself improve an organization's risk posture - fixing them does. Count fixes, not just tests and findings.
Prioritization is a key component of managing risk because budgets are limited and vulnerabilities can seem endless. The reality is you can’t do everything. It’s just as important to explicitly decide what you will not do as what you will do. Defining prioritization criteria up front helps you stay consistent when tough decisions need to be made.
Public bug bounties get news headlines, but how effective are they at actually reducing risk for your organization? Consider what your desired objective is for any risk management control, and make sure you're accomplishing it with your risk management strategy. For example, a better fit for finding and fixing web application vulnerabilities might be a crowdsourced penetration test or a private bug bounty.
As businesses change the way they build products, attackers evolve the way they attempt to breach applications. As IT departments move their operations into the cloud, risk management needs to focus more on applications than networks. Keep up by testing frequently and embracing new risk management approaches, like crowdsourced security.