Security Experts:

Coming into Focus: Cyber Security Operational Risk

As news of more data breaches and third-party originated cyber-attacks continue to make the news, businesses and regulators alike are sharpening their focus on how to report on and mitigate these risks. Board members are demanding quantitative risk data that spans all business operations, while business units need to neutralize the impact of cyber-attacks. So how can companies deal with this challenge and transition to a model that uses more data to assess risks? One way is to implement cyber security operational risk management best practices.

In its most recent annual filing, Target (NYSE: TGT) disclosed that it had incurred over $250 million in cumulative damages relating to its 2013 data breach. This is only one of many examples of the rising cost of data breaches. In addition to their initial impact, data breaches clearly can have long-lasting and far-reaching implications. This is leading more and more organizations to offset their liabilities by taking out insurance. According to a Ponemon Institute study, the adoption rate for cyber-insurance has more than doubled to 26% in the past year. Despite increased investments in perimeter defenses, internal threats still account for nearly 60% of security incidents. These are caused by human error or employees with malicious intent. For example, in late 2014 a Morgan Stanley employee stole personal data belonging to 350,000 of the company’s clients.

To gain a holistic view of cyber risks, organizations have to supplement their current view of network / end point related security threats. Since many attackers are targeting the application layer, tools that focus on the network layer are only covering a small portion of the overall risks associated with cyber-attacks. In fact, organizations have to look even beyond the layers of the Open Systems Interconnection (OSI) model to include processes and people.

The good news is that according to a CyberEdge Group study, 54% of responding organizations indicated that they are looking to replace or augment their current endpoint protection infrastructure. In a review of the 2014 threat landscape, HP Security Research confirmed that enterprises are most successful in securing their environment when employing complementary protection technologies. The research concluded that these technologies work best when paired with a mentality that assumes a breach will occur instead of only working to prevent intrusions and compromise. By using all tools available and not relying just on a single product or service, defenders place themselves in a better position to prevent, detect, and recover from attacks.

However, deploying a variety of security tools to cover all aspects of potential cyber threats creates such volume, velocity, variety, and complexity of data that many organizations feel simply overwhelmed and are not able to harness the power of security intelligence to detect threats early in the kill chain. In its raw form big security data remains only a means to an end. Ultimately, information security decision making should be based on prioritized, actionable insight derived from information. To achieve this, security data needs to be contextualized with its business criticality or risk to the organization. Without a risk-based approach to security, organizations can waste valuable IT resources mitigating vulnerabilities that in reality pose little or no threat to the business.

Instead organizations should implement Cyber Security Operational Risk Management best practices, which include continuous monitoring, cyber risk visualization, risk-based prioritization, and closed-loop remediation. This approach is designed to operationalize cyber security risk management so that actionable intelligence can be used to orchestrate remediation activities based on the threat they represent to the enterprise.

view counter
Torsten George is currently a security evangelist at Centrify. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He has more than 20 years of global information security experience and is a frequent speaker on cyber security and risk management strategies. Torsten regularly provides commentary and publishes articles on data breaches, incident response best practices, and cyber security strategies in media outlets. He has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).