The discussion has moved from ‘How do I make sure a cyber attack never happens?’ to ‘How do I assess and manage my cyber risk?’
As the question has evolved, we need to rethink our approach towards Cyber Risk Management.
Traditionally, security leaders and their teams followed a well-worn path: discover a new “point in time” threat, buy a product to mitigate it, then repeat when the next threat came along. That is an expensive, reactive and unsustainable strategy in today’s world of complex internal environments and dynamic cyber threats.
Now the right questions are: What is my attack surface? How do I collect signals from it? How do I correlate those signals with the external threat environment to predict and quantify my exposure? And how do I express that exposure in business terms and manage it proactively with the management team and the board?
Attack surface
There is no shortage of data available to organisations, whether generated internally or brought in from external threat intelligence services. The problem is focus. Organisations should concentrate on five risk vectors: employees, processes and policies, technology, cybersecurity products and third parties. Signals from these vectors feed a real-time cyber risk score that represents the likelihood of a breach occurring, paired with the potential financial impact of such a breach. Employees are the first vector, because human error and misused credentials are implicated in the majority of breaches. Processes and policies are the second: an organisation should be able to score its security governance policies on how well they align with industry best practice and the external compliance frameworks it is subject to.
Technology is an obvious third vector, so security teams need both granular and birds-eye views of on-prem and cloud assets: endpoints, databases, servers, network security nodes, SaaS applications and workloads running in clouds such as AWS, Azure and GCP, all monitored in real time. The cybersecurity products themselves are the fourth vector and must be closely monitored, with the data they generate contributing to the score. Finally, third parties must be assessed to provide an outside-in view of risk.
Analysis of all five risk vectors can reveal weak links in defences in a holistic yet granular manner: vulnerabilities affecting the entire enterprise, and issues within each vector right down to the level of a department or an individual. This information shows the weaknesses affecting an organisation today, while also indicating the likelihood of a future breach.
Predict, Protect and Prosper
From the signals collected across this attack surface, sound data science principles and mathematical models can produce a risk score: a simple, powerful illustration of the level of cyber threat facing an organisation. Scores can also be assigned to departments and individual members of staff. The metric is also a powerful way of communicating with the board, offering a vivid and easily digestible way to influence decision makers and encourage targeted investment.
Once data on threat levels has been gathered, the next step is to turn it into a score. This gives security teams an enterprise-wide, objective, unified and real-time cyber risk score, grounded in both the business and the technical aspects of the organisation, with which to communicate with stakeholders.
A Monte Carlo simulation takes this a step further: instead of producing a single estimate, it samples breach frequency and per-incident loss from probability distributions many thousands of times and produces a distribution of annual loss. From that distribution a CISO can tell executives not only how likely an attack is, but what it is expected to cost and how bad a bad year could be (the 90th or 99th percentile loss). The caveat is that the output is only as credible as the inputs, so frequency and loss ranges should be calibrated against internal incident history and industry data rather than guessed.
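The simulation described above, as an added example in Python (it is not code from the original article or from any product it describes). Everything in it is a constructed assumption: breach frequency is modelled as Poisson with an annual rate mapped linearly from a 0 to 100 composite risk score, per-breach loss is lognormal fitted to an analyst's 5th and 95th percentile estimates, and the two scenarios (a baseline and the same organisation after a training programme that is assumed to lower its score) are invented to show how the dollar value of a control falls out of the model.

```python
"""Monte Carlo cyber risk quantification.

Added example, not code from the original article. Every number and model
choice here is an assumption constructed for illustration: the linear mapping
from a 0-100 risk score to an annual breach rate, the loss percentiles, and the
use of a Poisson frequency model with lognormal per-breach loss.
"""
import math
import random
from dataclasses import dataclass

Z_95 = 1.6448536269514722  # standard normal quantile for the 95th percentile


@dataclass(frozen=True)
class Scenario:
    name: str
    risk_score: float        # composite 0..100 score from the five vectors (assumed input)
    max_annual_rate: float   # breaches per year at score 100 (assumed calibration)
    loss_p05: float          # analyst's 5th-percentile loss per breach, USD (assumed)
    loss_p95: float          # analyst's 95th-percentile loss per breach, USD (assumed)


def lognormal_params(p05: float, p95: float):
    """Convert 5th/95th percentile loss estimates into lognormal (mu, sigma)."""
    if not 0 < p05 < p95:
        raise ValueError("need 0 < p05 < p95")
    mu = (math.log(p05) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p05)) / (2 * Z_95)
    return mu, sigma


def sample_poisson(rate: float, rng: random.Random) -> int:
    """Number of breaches in one simulated year (Knuth's method, fine for small rates)."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, trials: int = 10_000, seed: int = 1):
    """Return the sorted list of simulated total annual losses (USD)."""
    rng = random.Random(seed)
    rate = s.max_annual_rate * s.risk_score / 100.0   # assumed linear score -> rate mapping
    mu, sigma = lognormal_params(s.loss_p05, s.loss_p95)
    losses = []
    for _ in range(trials):
        n = sample_poisson(rate, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    losses.sort()
    return losses


def summarise(losses):
    """Expected annual loss, probability of any breach, and loss-exceedance points."""
    n = len(losses)

    def pct(p):
        return losses[min(n - 1, int(p * n))]

    return {
        "expected_annual_loss": sum(losses) / n,
        "p_any_breach": sum(1 for x in losses if x > 0) / n,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
    }


def control_value(before: Scenario, after: Scenario, trials: int = 10_000):
    """Reduction in expected annual loss (USD/year) attributable to a control."""
    b = summarise(simulate_annual_loss(before, trials))
    a = summarise(simulate_annual_loss(after, trials))
    return b["expected_annual_loss"] - a["expected_annual_loss"]


# Constructed scenarios: the same organisation before and after a phishing
# training programme that (by assumption) lowers the composite score 70 -> 55.
BEFORE = Scenario("baseline", 70, 2.0, 50_000, 2_000_000)
AFTER = Scenario("after training", 55, 2.0, 50_000, 2_000_000)

if __name__ == "__main__":
    for s in (BEFORE, AFTER):
        r = summarise(simulate_annual_loss(s))
        print(f"{s.name:15s} EAL=${r['expected_annual_loss']:,.0f} "
              f"P(breach)={r['p_any_breach']:.2f} "
              f"p90=${r['p90']:,.0f} p99=${r['p99']:,.0f}")
    print(f"estimated value of control: ${control_value(BEFORE, AFTER):,.0f}/year")
```

The two numbers a board actually acts on are the expected annual loss (what the risk costs on average) and the tail percentiles (what a bad year looks like); the difference in expected loss between the two scenarios is the figure to set against the cost of the control. The percentile-to-lognormal fit means the elicited inputs are the whole model, which is why they need calibration rather than gut feel.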
Speaking the business language
The communicative power of a score-based risk assessment is profound. Once the board fully understands the exposure, it can make informed cybersecurity investment decisions: offering training to departments with high human risk, patching the systems that contribute most to the score, adjusting cyber insurance coverage, and many others. The rewards of adopting a new approach to risk cannot be overstated. It is time every organisation considered Cyber Risk Quantification.