Risk management is the backbone of any security program, yet many organizations struggle to assess, prioritize, and act on the risks they face. Parul Khanna, a Senior Consultant in information risk management with a background in incident response, cybersecurity investigations, and software engineering, breaks down the fundamentals. A former core team member of the Cybersecurity Operations Center at one of Canada’s Big Five banks, Parul holds CISSP, CCSP, and CRISC certifications and serves as Vice President of the ISC2 Toronto chapter.
You can read the complete transcript of the episode here >
How should organizations approach risk assessment and prioritization?
Parul emphasizes two core principles for approaching risk effectively:
- Shift left security: Move testing, quality checks, and security validation early in the software development lifecycle. Catching vulnerabilities during requirements or design is far cheaper than fixing them post-deployment.
- Use the risk matrix: A risk matrix maps likelihood against impact and assigns severity ratings. Address high-likelihood, high-impact risks first. Medium and low risks can sit in the backlog, but they need periodic attention.
A practical example of shift left in action is the CI/CD pipeline. Continuous integration validates code through automated security gates, and continuous deployment only pushes code that has passed those checks. The key is engaging risk partners and security teams during the requirements and design phases, not waiting until development or testing.
What is security debt and how should teams manage it?
Security debt is the accumulation of unaddressed vulnerabilities within software, similar to technical debt. It builds up when teams lack the resources or time to fix issues, and it compounds over time.
- Root cause: Organizations deprioritize medium and low-severity findings, pushing them into backlogs that grow unchecked for months.
- Prevention: Bake security into early SDLC stages. If vulnerabilities are caught and fixed during development, the debt never accumulates.
- Prioritization: When debt exists, balance three factors: cost of remediation, available resources, and potential damage. Some debts carry significantly more risk than others.
The takeaway is straightforward: prioritizing vulnerabilities based on business risk early prevents the painful and expensive process of triaging a massive backlog later.
What are the essential components of an incident response plan?
Parul grounds her approach in the CIA triad (confidentiality, integrity, availability) and the NIST incident response framework:
- Preparation: Maintain an inventory of all IT assets, networks, servers, and endpoints. Identify which are critical.
- Detection and analysis: Set up rules and policies that trigger alerts on anomalous behavior. Establish baselines for normal activity and correlate events to identify deviations.
- Containment, eradication, and recovery: Contain the damage first (like applying a bandage), then remove all elements of the incident from the environment. This includes identifying affected hosts, removing malware, and resetting compromised credentials.
- Post-incident activity: Conduct lessons-learned sessions. Ask what could have been done differently, whether the team is equipped to prevent similar incidents, and document new indicators to watch for.
The same structured approach applies to vulnerability management. Identify vulnerabilities through scanning, evaluate whether they are true or false positives, assess exploitability, and remediate based on CVSS scores.
How can organizations defend against phishing, social engineering, and doxing?
Parul draws on her published research on doxing, a form of social engineering where attackers harvest personal information from social media to launch targeted attacks. Doxing can expose phone numbers, Social Security numbers, home addresses, and financial details.
Defensive measures include:
- Use VPNs to protect IP addresses from exposure
- Enforce strong, unique passwords across different platforms
- Enable multi-factor authentication on all accounts, especially banking and social media
- Maximize privacy settings on social media to limit what strangers can see
- Train employees to recognize oversharing and suspicious information requests
The broader lesson applies to all social engineering threats: technical controls matter, but human awareness is the first line of defense. Organizations need regular training and awareness programs that make these practices second nature.
What metrics should organizations track for data loss prevention?
An effective DLP program requires measurable indicators to gauge its health:
- Number of policy exceptions: Temporary permissions granted on a case-by-case basis. If untracked, they become potential vulnerabilities. Keep them minimal and time-bound.
- False positive rate: Too many false positives erode trust in the DLP system and impede business operations. This metric indicates the effectiveness of data classification and DLP rule sets.
- Mean time to respond: How quickly the team acts on DLP alerts. A gap of days or weeks between an alert and investigation creates exposure windows for insider threats.
- Unmanaged devices handling sensitive data: Every unmanaged endpoint, file share, or server processing sensitive data is a potential access point. A mature DLP program covers all of them.
For data classification, Parul recommends a tiered approach: external, internal, confidential, and highly confidential. Correct classification ensures DLP alerts trigger appropriately and teams can focus on what matters most.
How should startups protect sensitive financial and health data?
For startups in fintech or healthcare handling PII, encryption alone is not sufficient. Parul advocates for defense in depth, layering multiple controls to protect sensitive data:
- Authentication: Strong passwords, two-factor authentication, biometrics
- Data management: Regular encrypted backups with tested restoration procedures
- Secure disposal: Safely destroy old media containing personal data
- Network security: Use secure wireless networks, avoid public WiFi for sensitive operations
- Physical security: Prevent shoulder surfing, tailgating, and dumpster diving
- Patch management: Keep all systems up to date with the latest security patches
The principle is simple: no single control is sufficient. Each layer compensates for potential failures in others. This approach aligns with how mature organizations think about database activity monitoring and broader data protection strategies.
