Expert advocates for robust policy in cyber security

Folashayo Abiodun, a seasoned Nigerian-trained attorney and Cybersecurity Analyst, has stressed the need for robust policy in cybersecurity, advocating effective governance frameworks.

In a recent media statement, she underscored the importance of implementing robust governance frameworks to mitigate the risks associated with security exceptions.

She stated that 63% of organizations have at least five unexpired high-risk exceptions in their environment at any given time, highlighting the pervasiveness of this issue.

She further noted that nearly 60% of organizations that suffered a breach had at least one unaddressed security exception at the time of the incident, citing a 2023 Verizon Data Breach Investigations Report (DBIR).

“Despite this alarming statistic, exceptions frequently remain unmonitored, creating a silent accumulation of risk,” she added.

Organizational dynamics and cognitive biases also play a significant role in exception approval.

The 72-Hour Rule, for instance, shows that 68% of exceptions are approved under an “urgent business need” with less than 72 hours of review.

She asserts that security teams approve 42% more exceptions at fiscal quarter-ends, which she calls the Approval Paradox.

The Normalization of Deviance in Cybersecurity is another critical concern.

Initial exception criteria become progressively looser, and “If Team X has this exception, we should too” becomes a justification for further exceptions.

Outcome Bias also plays a role, where “No breaches yet” justifies continued exception use.

Abiodun emphasized the need for organizations to adopt a proactive approach to managing security exceptions, highlighting the DIMER Framework.

The framework includes defining a clear exception taxonomy and thresholds, inventorying all exceptions, measuring risk through continuous ERI calculation, enforcing hard expiration dates and automatic controls, and reviewing exceptions through monthly cross-functional exception boards.

Implementing the DIMER Framework can yield significant benefits.

A European bank, for example, reduced active exceptions by 58%, exception-related incidents by 73%, and mean time to exception closure by 82% after adopting this framework, according to a Gartner 2023 report.

Abiodun also highlighted the importance of quantifying exception risk exposure using the Exception Risk Index (ERI).

Organizations with ERI > 7.5 experienced 5.2× more security incidents, 3.1× longer mean time to detect (MTTD), and 2.4× higher recovery costs, she noted, citing a Ponemon 2023 report.

Exception-induced attack surface expansion is another vital concern.

One firewall exception can expose 3.2 internal services on average, while vulnerability density increases by 40% in affected systems.

According to NIST IR 8408, 61% of exceptions have higher-than-permitted permeability.

Technological solutions can also play a key role in exception monitoring.

Exception Graph Modeling, ML-based Anomaly Detection, and Policy-as-Code can help organizations detect and respond to exceptions more effectively.
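As an added example, not taken from the article or from Abiodun's statement, the DIMER "enforce" step expressed as Policy-as-Code: a check over a constructed exception register that voids anything past its hard expiration date, counts unexpired high-risk exceptions against the five-exception mark the article cites, and flags approvals that received under 72 hours of review. The register field names and the reference date are this example's assumptions, and no ERI is computed because the article does not give its formula.

```python
from datetime import date, datetime, timedelta

# Constructed sample register (not from the article). Field names are this
# example's own assumption; a real inventory would come from a GRC or ticket system.
REGISTER = [
    {"id": "EX-001", "team": "payments", "risk": "high",
     "requested": "2024-01-09T15:00", "approved": "2024-01-10T09:00", "expires": "2024-03-01"},
    {"id": "EX-002", "team": "hr", "risk": "low",
     "requested": "2024-02-01T10:00", "approved": "2024-02-06T10:00", "expires": "2024-12-31"},
    {"id": "EX-003", "team": "infra", "risk": "high",
     "requested": "2024-05-20T08:00", "approved": "2024-05-21T08:00", "expires": "2025-01-31"},
    {"id": "EX-004", "team": "infra", "risk": "high",
     "requested": "2024-04-01T09:00", "approved": "2024-04-05T09:00", "expires": "2024-09-30"},
    {"id": "EX-005", "team": "sales", "risk": "medium",
     "requested": "2024-03-28T17:00", "approved": "2024-03-29T09:00", "expires": "2024-05-15"},
]
TODAY = date(2024, 6, 1)          # constructed evaluation date for the sample run
HIGH_RISK_LIMIT = 5               # the article's "at least five unexpired high-risk exceptions"
MIN_REVIEW = timedelta(hours=72)  # the article's 72-Hour Rule

def expired(register, today):
    """Hard expiration: past its expiry date an exception is void, whoever approved it."""
    return [e["id"] for e in register if date.fromisoformat(e["expires"]) < today]

def live_high_risk(register, today):
    """Unexpired high-risk exceptions, the population the 63% statistic counts."""
    return [e["id"] for e in register
            if e["risk"] == "high" and date.fromisoformat(e["expires"]) >= today]

def rushed_approvals(register):
    """Approvals with under 72 hours between request and decision, flagged for re-review."""
    return [e["id"] for e in register
            if datetime.fromisoformat(e["approved"]) - datetime.fromisoformat(e["requested"]) < MIN_REVIEW]

def evaluate(register, today):
    """Policy-as-code gate: collects findings and decides pass/fail for the whole register."""
    findings = {
        "expired": expired(register, today),
        "live_high_risk": live_high_risk(register, today),
        "rushed_approvals": rushed_approvals(register),
    }
    findings["over_limit"] = len(findings["live_high_risk"]) >= HIGH_RISK_LIMIT
    # Expired-but-listed exceptions or a breached high-risk ceiling fail the gate;
    # rushed approvals are reported to the monthly board rather than blocking.
    findings["passed"] = not findings["expired"] and not findings["over_limit"]
    return findings

if __name__ == "__main__":
    for key, value in evaluate(REGISTER, TODAY).items():
        print(f"{key}: {value}")
```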

Abiodun is a seasoned cybersecurity expert, providing professional insights to organizations on managing security exceptions and building resilient cybersecurity postures.
