Need to quantify cyber risk

by Mark Rowe

In an increasingly hostile threat landscape, security cannot be left to chance, says Saket Modi, CEO at Safe Security.

Keeping up with the cyber threat landscape has become an increasingly daunting prospect. The US-Cert Vulnerability database added a record breaking 18,376 new vulnerabilities in 2021.

Many organisations have become more exposed to vulnerabilities as they continue to expand their IT infrastructure through digital transformation and cloud migration. At the same time, threat actors have become increasingly well organised. Even low-level, unskilled criminals can access new vulnerabilities through the dark web.

As a result, the volume of data breaches has continued to climb, with an estimated 5.1 billion records being breached across thousands of incidents over the last year. It’s easy to feel overwhelmed in the face of this threat. Businesses must deal with thousands of potential threats that can strike without warning at any part of their operations. Anything from an outdated web app to an employee clicking a malicious link can trigger a devastating security incident.

With so many threats to deal with, many organisations effectively fall back on guesswork – investing in a selection of solutions and hoping it will be enough when an attack occurs. But this approach will do little to reduce the organisation’s risk exposure. Security investments must be driven by a knowledge-based approach that focuses on the specific vulnerabilities and threats that pose the greatest danger to the enterprise.

Knowledge is power

Before an organisation can begin to truly improve its defences, it must gain a full understanding of its current risk profile and security capabilities. First, the business must be aware of its most valuable assets, such as sensitive customer data or intellectual property, how vulnerable these assets are to risk, and what the impact on the business would be. Alongside this, it is important to conduct an enterprise-wise audit that assess current security tools, policies, processes and human-cyber capabilities.

Both of these actions together will produce much-needed context on the company’s current security state of play. Rather than expending their budget blindly on the latest selection of security solutions and crossing their fingers, the business will begin to have a clearer picture of where they should be investing. This enables them to make more informed decisions about where resources should be allocated to most effectively improve security and resilience.

However, getting to this state can be easier said than done. Most organisations now operate within extremely complex environments that mix old legacy infrastructure with new cloud-led approaches. There can be significant overlap and redundancy between old and new, making it hard to pin down exactly where valuable assets reside on the network, or understand all the ways they can be accessed.

Gaining clarity on threat intelligence can be similarly confusing. Security stacks often comprise of many different solutions and services that operate alongside each other but are not connected. Each application and platform send its own slew of intelligence and threat alerts, which means security teams and decision makers must contend with large volumes of data but little context. As a result, security teams are increasingly overwhelmed, increasing the chances they will miss a serious security alert amidst all the noise.

Unpicking these data threads manually is an impossible task – especially as the threat landscape outside of the business continues to shift and evolve. To keep up, organisations need access to quantified, consistent, and real-time cyber risk metrics. An emerging approach known as cyber risk quantification is one of the most effective ways of achieving this.

With a cyber risk quantification approach, threat data is translated into form that can be clearly understood by non-technical decision makers, either in the form of a risk score or as a monetary value.

Under this model, signals across an organisation’s workforce, human-cyber capabilities, policies and processes, technology and cybersecurity products and aggregated into a single point. Quantification platforms can also go beyond the scope of the organisation itself to account for third parties such as partners and supplies that have any degree of network access.

Next, all of the collected data is analysed to create a quantitative risk score. This enables security decision makers to more easily identify where the biggest risks are within their network, and ensure they are prioritised in the security strategy.

From this overall view, it is possible to zoom in for a highly granular look at risk. For example, it could be apparent that a particular department is especially susceptible to phishing threats, or that a certain application is running on outdated software with multiple vulnerabilities.

The cyber risk score can also be translated into a financial value , serving as a useful tool for explaining risk to the board. Executives can see an estimate of how much a particular risk or vulnerability could potentially cost their organisation if it is exploited in a cyber attack. This shifts the conversation away from technical issues and towards clear business and financial matters, and enables non-technical executives and decision makers to more clearly understand the severity of cyber risk, making it easier for the CISO and other security heads to secure the budget they need.

The cyber threat landscape is only going to grow more hostile in the years ahead. Increasingly complex IT infrastructures are creating more vulnerabilities, and threat actors are becoming more adept at discovering and exploiting them.

Against this threat, organisations cannot afford to leave any part of their security up to chance. Adopting a knowledge-led approach to security supported by cyber risk quantification will establish the visibility and context needed to make the right decisions.

Concentrating on their most valuable assets and greatest points of risk will ensure that businesses have the best chance of mitigating incoming cyber threats.

Related News


Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing