Cyber security and cyber threats are most often confused with cyber risk, and often used interchangeably, but they are worlds apart. What is the difference between these concepts and what really defines an organization’s cyber risk posture, internal security posture, and the exploitability of threats in the context of organizational risk?
Last month’s RSA Conference 2017 in San Francisco provided a great snap shot of the industry. One of the biggest takeaways was the fact that after decades of pursuing a check-box, compliance-driven approach to security, risk has finally become security’s new compliance. Both end users and vendors talked about risk in all forms and flavors. While this is a positive development, the show also illustrated the confusion that still exists when it comes to the “innerworkings” of cyber risk, cyber security, and cyber threats. One vendor even claimed that “threat is the new risk”, which for risk professionals was an obvious indicator of their lack of knowledge. What really defines cyber risk? Cyber risk is made up of many factors including compliance posture, threats, vulnerabilities, reachability, and business criticality.
It is important to understand that focusing solely on findings from internal security intelligence such as vulnerability scanners, configuration management databases, and SIEM systems can lead to inaccurate prioritization of remediation actions and inefficient allocation of resources. The POODLE Vulnerability in 2014 is a good example. The National Vulnerability Database (NVD) assigned this vulnerability at 5.5 CVSS score out of 10, which resulted in most organizations choosing not to remediate it. On average, organizations only act upon security flaws rated 7 or higher – in order to be able to deal with the continuous onslaught of vulnerabilities in their environment. However, had organizations known that hundreds of thousands of POODLE exploits were being carried out, they likely would have changed their risk assessment of the vulnerability.
Two conditions are required for a security incident to occur: a vulnerability must be present in some form (e.g., a software flaw or insecure programming; insecure configuration of IT infrastructure; insecure business operations; risky behavior by internal staff or other people, conducted maliciously or by mistake) and secondly, a threat must exploit that vulnerability.
Typically, security professionals have no direct control over threats. As a result, organizations have tended to focus on known, more visible facts – vulnerabilities and control failures – while neglecting threats as a factor in cyber risk assessments. However, as the volume of vulnerabilities has exploded over the past few years, it has become almost impossible to remediate all of them without vetting the impact and likelihood that they will be exploited. The point is, why dedicate resources to fixing vulnerabilities that have no threat associated with them and are not even reachable?
Since a threat is the agent that takes advantage of a vulnerability, this relationship must be a key factor in the risk assessment process. It can no longer be treated as risk’s neglected step child. In fact, advanced security operations teams use threat intelligence to gain insight into the capabilities, current activities, and plans of potential threat actors (e.g., hackers, organized criminal groups, or state-sponsored attackers) to anticipate threats.
Once internal security intelligence is contextualized with external threat data (e.g., exploits, malware, threat actors, reputational intelligence), these findings must be correlated with business criticality to determine the real risk of the security gaps and their ultimate impact on the business.
In summary, cyber risk is the holistic view of an organization’s potential exposure to internal security flaws in the context of external threats. In addition to the operational advantages that cyber risk management brings to the table, it also propagates better collaboration among otherwise siloed stakeholders that include the board, C-suite, business units, as well as security and IT operations teams, and even internal / external auditors.