Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Risk Management

Cyber Risk, Cyber Threats, and Cyber Security: Synonyms or Oxymorons?

Cyber security and cyber threats are most often confused with cyber risk, and often used interchangeably, but they are worlds apart. What is the difference between these concepts and what really defines an organization’s cyber risk posture, internal security posture, and the exploitability of threats in the context of organizational risk?

Cyber security and cyber threats are most often confused with cyber risk, and often used interchangeably, but they are worlds apart. What is the difference between these concepts and what really defines an organization’s cyber risk posture, internal security posture, and the exploitability of threats in the context of organizational risk?

Last month’s RSA Conference 2017 in San Francisco provided a great snap shot of the industry. One of the biggest takeaways was the fact that after decades of pursuing a check-box, compliance-driven approach to security, risk has finally become security’s new compliance. Both end users and vendors talked about risk in all forms and flavors. While this is a positive development, the show also illustrated the confusion that still exists when it comes to the “innerworkings” of cyber risk, cyber security, and cyber threats. One vendor even claimed that “threat is the new risk”, which for risk professionals was an obvious indicator of their lack of knowledge. What really defines cyber risk? Cyber risk is made up of many factors including compliance posture, threats, vulnerabilities, reachability, and business criticality.

It is important to understand that focusing solely on findings from internal security intelligence such as vulnerability scanners, configuration management databases, and SIEM systems can lead to inaccurate prioritization of remediation actions and inefficient allocation of resources. The POODLE Vulnerability in 2014 is a good example. The National Vulnerability Database (NVD) assigned this vulnerability at 5.5 CVSS score out of 10, which resulted in most organizations choosing not to remediate it. On average, organizations only act upon security flaws rated 7 or higher – in order to be able to deal with the continuous onslaught of vulnerabilities in their environment. However, had organizations known that hundreds of thousands of POODLE exploits were being carried out, they likely would have changed their risk assessment of the vulnerability.

Two conditions are required for a security incident to occur: a vulnerability must be present in some form (e.g., a software flaw or insecure programming; insecure configuration of IT infrastructure; insecure business operations; risky behavior by internal staff or other people, conducted maliciously or by mistake) and secondly, a threat must exploit that vulnerability.

Typically, security professionals have no direct control over threats. As a result, organizations have tended to focus on known, more visible facts – vulnerabilities and control failures – while neglecting threats as a factor in cyber risk assessments. However, as the volume of vulnerabilities has exploded over the past few years, it has become almost impossible to remediate all of them without vetting the impact and likelihood that they will be exploited. The point is, why dedicate resources to fixing vulnerabilities that have no threat associated with them and are not even reachable?

Since a threat is the agent that takes advantage of a vulnerability, this relationship must be a key factor in the risk assessment process. It can no longer be treated as risk’s neglected step child. In fact, advanced security operations teams use threat intelligence to gain insight into the capabilities, current activities, and plans of potential threat actors (e.g., hackers, organized criminal groups, or state-sponsored attackers) to anticipate threats.

Once internal security intelligence is contextualized with external threat data (e.g., exploits, malware, threat actors, reputational intelligence), these findings must be correlated with business criticality to determine the real risk of the security gaps and their ultimate impact on the business.

In summary, cyber risk is the holistic view of an organization’s potential exposure to internal security flaws in the context of external threats. In addition to the operational advantages that cyber risk management brings to the table, it also propagates better collaboration among otherwise siloed stakeholders that include the board, C-suite, business units, as well as security and IT operations teams, and even internal / external auditors.

Advertisement. Scroll to continue reading.
Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...