This year the conversation about cyber risk and cyber risk quantification must change.
Even the best vulnerability management program isn’t really addressing cyber risk. Did you know that more than 13% of all Common Vulnerabilities and Exposures (CVEs) have a severity score between 9.0 and 10.0 (the highest possible value). Of those 13%, 7,628 (or about 47%) are scored at 10.0. The question becomes how can a security team tell one 10.0 from another? And how do businesses know they are focusing on the right ones?
The answer is simple – without understanding that risk isn’t a technical issue, it is a business one, you can’t. Most businesses don’t know what their exposure is to any given cyber event, including what the impact is in terms of lost revenue, response costs, and secondary loss. Until now, the result has been a lack of focus on the risks that matter most to the business and an inability to communicate an accurate risk posture to the C-Suite and board of directors.
The growing pace and sophistication of nation state attacks, coupled with an ever-expanding attack surface stemming from continued digital modernization, makes our ability to accurately quantify and prioritize cyber risks within the context of our individual businesses an urgent priority for 2021. Fail to do it this year, and you will likely leave your business open to disaster.
Move Beyond Theoretical Computations of Risk
Security professionals aren’t always comfortable talking about the business. Historically, they have had very little visibility into business structure, motivations, and initiatives. Yet, cyber leaders are still being asked to advise the business on how best to protect critical data and business applications – on how to protect the organization from harm. This has required a speedy evolution on the part of many Chief Information Security Officers (CISOs) and security leaders to build cyber risk quantification programs that focus security efforts on the most critical risks and show business intelligence backing those actions.
But these brave pioneers are finding themselves lost in the woods. The bottom line is that the most well known approach requires lengthy, human-driven assessments and theoretical computations, which are not sufficient for measuring cyber risks and making intelligent business decisions. Moving forward, businesses must commit to producing timely, verifiable risk intelligence that can automate and orchestrate security decisions and investments.
The three “Musts” for quantifying cyber risk are:
- Must be financially quantified. Without accurate financial calculations, organizations cannot integrate cyber risks into the overall enterprise risk management strategy. Quantifying cyber risks in financial terms is a necessary step in transforming cybersecurity from a cost center into a business enabler.
- Must account for the attacker. There are two attacker attributes that define and shape each risk: their motivation and their toolkit. Without the attacker, it’s not cyber. And without the attacker, the view of the risk is by definition incomplete and inevitably results in an incomplete analysis and blind spots. This understanding must be driven by threat intelligence, not some arbitrary scoring system that still refers to APT-1 to demonstrate its understanding of threat actors.
- Must drive to actionability. IT has always had an endless number of issues to resolve. The question is not solely ‘what is the problem?’, but rather, ‘given the problem, what is the best solution?’ Forward-thinking organizations are starting to demand that their cyber risk quantification solution provide deeper and deeper visibility into the problem, leading to increasingly valuable action plans for risk mitigation and risk minimization.
Automating Risk Quantification
Attackers don’t sleep. Nor does your business and its IT infrastructure. With all three functions operating in a hyperdynamic manner, it is not sufficient to take snapshots, or to rely on human calculations. Cybersecurity needs to become a decision support system that operates in real time rather than waiting for lengthy interviews, training and manual reviews. This requires automation.
Automated cyber risk quantification is now a reality, and businesses should move quickly to gain a better understanding of their actual business risks and prioritize mitigation efforts so that critical business processes, applications, and data are protected.
Automation boosts three specific areas for your cyber team:
Proactively Model and Predict Risk
- Leverage existing data to map a forensic view of the unified risk environment. You can use that data to model probable attack vectors against the entire security lifecycle in key areas of your business to predict loss exposure and business impact, so you stay ahead of unacceptable losses.
- Business Benefit? C-Suite leaders and board members can clearly see potential hazards and better understand the need to fund and support specific mitigation measures.
Establish a Baseline, Mitigate and Monitor for Changes
- Monitor changes to the threat landscape built into your modelling and then assess the potential of those changes to cause your business harm.
- Business Benefit? Armed with metrics like business interruption, reputational damage, and legal fines, leaders can proactively escalate security initiatives.
Recommend and Drive Smart Action
- Activate risk mitigation plans with recommended security controls to reduce loss exposure. Engage the entire security team in response to the risks that matter most, automate workflows to increase efficiency and use orchestration to integrate your technology stack.
- Business Benefit? Calculate the return-on-investment of your security tools and technologies by demonstrating risk reduction to underpin budget proposals and defend security decisions.
It’s Time to Have The Risk Appetite Conversation
CISOs have a choice to make in 2021: Continue to sink under the weight of daily alerts and fail to adequately protect an expanding attack surface, or take the steps now to pinpoint your most important risks from a business and financial perspective, and for the first time be able to effectively communicate cybersecurity policy and funding requirements to the business leadership.
It’s time to have that risk appetite conversation with your business counterparts and start to quantify.
The only way to drive risk down to zero is to cease operations. You can’t do that, so there’s going to be some residual risk. The question then becomes, what is the risk appetite of the business? That’s a very powerful conversation for a CISO to have with business line managers and board members. It is a conversation that, until now, could not take place due to the inability of cybersecurity professionals to assess, align, and prioritize the most important risks in the business.
More importantly, this is a conversation that can be prepared in just days or weeks, not months. Automated CRQ leverages user inputs and multiple data sources such as regulatory data, insurance claims, financial data, breach reports and a wealth of security and threat intelligence. When the data is applied to the risk model, CISOs will be armed with:
- Top cyber risk scenarios as defined by financial impact
- Communication of cyber risks and financial impact that resonates with the rest of the business
- Recommended actions for improvement prioritized by ROI
In the end, most of the early cyber risk quantification efforts turned out to be too subjective, out of date, and are not easily understood by a Board of Directors audience. An automated CRQ platform offers a better way to achieve a faster time to value (TTV). It’s time to have that risk appetite conversation armed with data relevant to your business.