Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyber Insurance

Coming into Focus: Cyber Security Operational Risk

As news of more data breaches and third-party originated cyber-attacks continue to make the news, businesses and regulators alike are sharpening their focus on how to report on and mitigate these risks. Board members are demanding quantitative risk data that spans all business operations, while business units need to neutralize the impact of cyber-attacks. So how can companies deal with this challenge and transition to a model that uses more data to assess risks?

As news of more data breaches and third-party originated cyber-attacks continue to make the news, businesses and regulators alike are sharpening their focus on how to report on and mitigate these risks. Board members are demanding quantitative risk data that spans all business operations, while business units need to neutralize the impact of cyber-attacks. So how can companies deal with this challenge and transition to a model that uses more data to assess risks? One way is to implement cyber security operational risk management best practices.

In its most recent annual filing, Target (NYSE: TGT) disclosed that it had incurred over $250 million in cumulative damages relating to its 2013 data breach. This is only one of many examples of the rising cost of data breaches. In addition to their initial impact, data breaches clearly can have long-lasting and far-reaching implications. This is leading more and more organizations to offset their liabilities by taking out insurance. According to a Ponemon Institute study, the adoption rate for cyber-insurance has more than doubled to 26% in the past year. Despite increased investments in perimeter defenses, internal threats still account for nearly 60% of security incidents. These are caused by human error or employees with malicious intent. For example, in late 2014 a Morgan Stanley employee stole personal data belonging to 350,000 of the company’s clients.

To gain a holistic view of cyber risks, organizations have to supplement their current view of network / end point related security threats. Since many attackers are targeting the application layer, tools that focus on the network layer are only covering a small portion of the overall risks associated with cyber-attacks. In fact, organizations have to look even beyond the layers of the Open Systems Interconnection (OSI) model to include processes and people.

The good news is that according to a CyberEdge Group study, 54% of responding organizations indicated that they are looking to replace or augment their current endpoint protection infrastructure. In a review of the 2014 threat landscape, HP Security Research confirmed that enterprises are most successful in securing their environment when employing complementary protection technologies. The research concluded that these technologies work best when paired with a mentality that assumes a breach will occur instead of only working to prevent intrusions and compromise. By using all tools available and not relying just on a single product or service, defenders place themselves in a better position to prevent, detect, and recover from attacks.

However, deploying a variety of security tools to cover all aspects of potential cyber threats creates such volume, velocity, variety, and complexity of data that many organizations feel simply overwhelmed and are not able to harness the power of security intelligence to detect threats early in the kill chain. In its raw form big security data remains only a means to an end. Ultimately, information security decision making should be based on prioritized, actionable insight derived from information. To achieve this, security data needs to be contextualized with its business criticality or risk to the organization. Without a risk-based approach to security, organizations can waste valuable IT resources mitigating vulnerabilities that in reality pose little or no threat to the business.

Instead organizations should implement Cyber Security Operational Risk Management best practices, which include continuous monitoring, cyber risk visualization, risk-based prioritization, and closed-loop remediation. This approach is designed to operationalize cyber security risk management so that actionable intelligence can be used to orchestrate remediation activities based on the threat they represent to the enterprise.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.

CISO Strategy

The question for 2023 and beyond is whether the cyberinsurance industry can make a profit without destroying its market.