SecurityWeek
Management & Strategy

Cyber Risk Reduction is All About the Business

During the past year, you may have noticed a shift in the way IT and security professionals talk about cyber security.

Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk.

The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and the focus has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem, aligned with or, in many cases, surpassing other operational risks on enterprises’ priority lists. According to a recent board report, 89 percent of board members say they are very involved in making cyber risk decisions, the majority ranking cyber risk as the highest priority.

A shift in mindset is just the start. Actually executing your strategies and tactics based on risk is a whole different story. To really understand risk, enterprises need to start by identifying their most valued applications and the potential business impact if their confidentiality, integrity or availability (CIA) were compromised. From there, there are a couple of different approaches.

Early efforts at calculating a risk-adjusted dollar amount to which the business is exposed, also known as “Value At Risk,” were based on traditional financial and operational risk models. They required experts to work with the cyber and business teams to try to guesstimate the probabilities of particular events and their ability to compromise each application’s CIA. One obstacle to that approach is that there is far too little historical data on which to base such guesstimates with any accuracy. The other challenges are that even if you were able to guesstimate probabilities with any accuracy, the result is only a single point in time, and it is difficult to drill down to a level of detail that can help drive daily decisions and actions beyond generally focusing protection on those applications with the greatest theoretical risk.

A more feasible and actionable approach that is evolving is to use the aforementioned asset data and loss impact information in concert with your existing threat and vulnerability data to understand the potential for compromise and prioritize your activities accordingly. This approach uses actual events occurring within the organization, together with external threat intelligence data, to measure the potential for compromise and estimate the loss impacts that can result from those exposures. The benefit of this approach is that it is based on actual conditions “on the ground” and can be aggregated or decomposed to drive prioritization decisions from the front-line responders all the way up to the board of directors.

How can an Application Value At Risk be used?

Most enterprise security teams do a good job identifying threats and vulnerabilities, too good a job. Security teams are flooded with countless threat alerts and vulnerabilities identified daily. With all that data, prioritizing remediation efforts is the real challenge. The answer is to understand which remediation actions will result in the greatest reduction in value at risk. By understanding the relationship between remediation actions and results, enterprises can drive a more focused and transparent cyber risk management program, where stakeholders can be held accountable in a measurable way for their actions or lack thereof.
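The prioritization logic described in the two paragraphs above, written out as an added example that is not part of the SecurityWeek article: each open exposure on an application is scored against the loss impact of the CIA property it threatens, the scores are decomposed per application and aggregated per business unit, and remediation actions are ranked by how much value at risk they remove. The article gives no formula; the scoring used here (expected loss = likelihood x loss impact) is an assumption chosen for simplicity, and every application, exposure, likelihood, dollar figure and remediation name is constructed sample data.

```python
"""Toy application value-at-risk (VaR) prioritisation.

Added example, not from the article. Scoring model (likelihood x loss
impact per CIA property) is an assumption; all data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Application:
    name: str
    business_unit: str
    # Constructed loss impact (USD) if C, I or A of this app is compromised.
    loss_impact: dict


@dataclass
class Exposure:
    exposure_id: str
    app: str
    cia_property: str   # "C", "I" or "A"
    likelihood: float   # assumed annualised probability of compromise, 0..1
    remediation: str    # the action that would close this exposure


# Constructed sample asset/loss-impact data (the "business" side).
APPS = [
    Application("payroll", "finance", {"C": 2_000_000, "I": 1_500_000, "A": 300_000}),
    Application("web-store", "retail", {"C": 800_000, "I": 600_000, "A": 2_500_000}),
    Application("intranet-wiki", "corporate", {"C": 50_000, "I": 20_000, "A": 10_000}),
]

# Constructed threat/vulnerability findings (the "security" side).
EXPOSURES = [
    Exposure("E1", "payroll", "C", 0.10, "patch-db-server"),
    Exposure("E2", "payroll", "I", 0.05, "patch-db-server"),
    Exposure("E3", "web-store", "A", 0.20, "add-ddos-mitigation"),
    Exposure("E4", "web-store", "C", 0.02, "rotate-api-keys"),
    Exposure("E5", "intranet-wiki", "C", 0.50, "patch-wiki"),
]


def exposure_var(exposure, apps_by_name):
    """Expected loss from one exposure: likelihood x loss impact (assumed model)."""
    app = apps_by_name[exposure.app]
    return exposure.likelihood * app.loss_impact[exposure.cia_property]


def application_var(apps, exposures):
    """Decompose: VaR per application is the sum of its exposures' VaR."""
    apps_by_name = {a.name: a for a in apps}
    totals = defaultdict(float)
    for e in exposures:
        totals[e.app] += exposure_var(e, apps_by_name)
    return dict(totals)


def business_unit_var(apps, exposures):
    """Aggregate: roll application VaR up to business units for the board view."""
    app_var = application_var(apps, exposures)
    by_unit = defaultdict(float)
    for a in apps:
        by_unit[a.business_unit] += app_var.get(a.name, 0.0)
    return dict(by_unit)


def rank_remediations(apps, exposures):
    """Rank actions by the VaR they remove; one action may close several exposures."""
    apps_by_name = {a.name: a for a in apps}
    reduction = defaultdict(float)
    for e in exposures:
        reduction[e.remediation] += exposure_var(e, apps_by_name)
    return sorted(reduction.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("VaR by application:", application_var(APPS, EXPOSURES))
    print("VaR by business unit:", business_unit_var(APPS, EXPOSURES))
    for action, removed in rank_remediations(APPS, EXPOSURES):
        print(f"{action:22s} removes ${removed:,.0f} of value at risk")
```

Note what the ranking surfaces: the wiki finding has by far the highest likelihood of compromise (0.5), so a severity-only queue would put it first, yet it removes the least value at risk of the three patch actions because the asset behind it carries little business impact. The same per-exposure numbers roll up unchanged into the per-application and per-business-unit views, which is the aggregation/decomposition property the text relies on for reporting from responders to the board.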


Mapping potential financial loss value to security exposures also enables better decision making by the board. As security has transitioned into a risk management issue, a communication gap between security leaders and boards of directors has also emerged. Whereas security leaders are accustomed to speaking in the language of technology, board members speak the language of risk. However, if security leaders can walk into a boardroom with actual value at risk metrics that show how much money the enterprise could have lost if a vulnerability had not been patched, and how much the security team reduced that value at risk by taking action, both parties would be speaking the same language. Boards understand financial impact and can make better decisions if they know the potential dollar amount at stake.

In many other parts of the enterprise, risk management methods that use financial impact metrics to drive decision-making have been business-as-usual since time immemorial. As the industry shifts to a risk-based approach, we will be able to change the conversation from trying to remediate every threat and vulnerability in an effort to protect every application on equal terms, to deciding what actions to take to best minimize the impact of cyber risks on the business.
