Great decision making requires the ability to review different options while simultaneously considering the associated risks.
As humans, think about the risk calculations we make every day: when driving a car, walking across the road, or even deciding on whether to get out of bed in the morning. There is a risk of missing an important business opportunity by blowing off that early meeting if you decide to sleep through your alarm. Without us even consciously trying, the brain is instinctively weighing the impact of each decision we make.
Risk is a term that is used a lot in cybersecurity. However, most organisations aren’t using risk in any meaningful way to answer the questions that matter: how much risk is the organisation exposed to, how much risk is it willing to accept, and how much risk is its security programme actually reducing? If they changed something, how much risk would they have then? Can we honestly say that organisations have the answers to these questions, or that these questions have been driving their security decision making over the past decades?
Aligning security to your business
In fairness, security analysts are seeking to make risk-informed decisions, just as the human brain does instinctively. However, they can only do so based on the information they are given, and there are not many security programmes in which business context is provided to the analyst to aid decision making.
Recognising this reality, organisations are seeking to quantify their cyber risk to better align security to the business, drive remediation and response activities, support investment decisions and demonstrate return on security investment. Many have already embraced the move to a quantified understanding of risk, only to be let down because current approaches require too much manual data collection and too much training and professional-services support, do not connect this newfound understanding with the ability to take action, and fail to mitigate risk efficiently and cost-effectively.
The move to Cyber Risk Quantification
Organisations need to acknowledge that understanding and quantifying risk is critical to building an effective security programme in this day and age. Solely orchestrating and automating security actions with an intelligence-led approach is not enough. As the Cyber Risk Quantification movement has taken off over the last few years, evolving approaches to security need to be considered to aid organisations in the long term. More has to be done to change the way security works.
In a holistic sense, the marriage of risk, threat and response is the only way to achieve the primary goal of cybersecurity: reducing risk to the organisation. It is therefore a no-brainer that organisations should start to rely on mathematical cyber risk models and rules engines to quantify cyber risk.
Cyber risk quantification is the process of evaluating the cyber risks that have been identified and then validating, measuring and analysing the available data using mathematical modelling techniques to represent the organisation’s security posture.
Adopting this model gives organisations the ability to prioritise response activities based on their efficacy in reducing the risk of financial loss or operational impact, allows them to apply security dollars more confidently for the greatest return on investment by seeing the risk they buy down, and ultimately makes it easier to justify spending decisions by talking in terms that CISOs and Boards understand.
By adopting cyber risk quantification, organisations will be able to understand which solutions might be the most effective at reducing the chance of certain threats or attacks succeeding against high-value assets, targets, lines of business or missions, based on their value to the organisation. This is key as organisations don’t want to spend a substantial amount of money trying to mitigate risks of attacks that don’t cause as much harm as others may.
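A small worked illustration of the prioritisation described above, added here as an example and not taken from the article or any vendor's product: each loss scenario gets an annualised loss expectancy (frequency times loss magnitude), each candidate control is credited with the risk it buys down across scenarios, and controls are ranked by return on security investment. All scenario names, frequencies, loss figures and control costs are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Scenario:
    """A loss scenario: expected successful events per year and loss per event."""
    name: str
    annual_frequency: float   # expected successful events per year
    loss_magnitude: float     # expected loss per event, in currency units

    def ale(self) -> float:
        """Annualised loss expectancy (ALE) = frequency x magnitude."""
        return self.annual_frequency * self.loss_magnitude

@dataclass
class Control:
    """A candidate mitigation and the fraction by which it cuts each scenario's frequency."""
    name: str
    annual_cost: float
    frequency_reduction: Dict[str, float]  # scenario name -> fraction in [0, 1]

def risk_bought_down(control: Control, scenarios: List[Scenario]) -> float:
    """Total ALE removed by a control, summed over every scenario it affects."""
    return sum(s.ale() * control.frequency_reduction.get(s.name, 0.0) for s in scenarios)

def rank_controls(controls: List[Control], scenarios: List[Scenario]) -> List[Tuple[str, float, float]]:
    """Rank controls by return on security investment: (risk reduction - cost) / cost."""
    rows = []
    for c in controls:
        reduction = risk_bought_down(c, scenarios)
        rosi = (reduction - c.annual_cost) / c.annual_cost
        rows.append((c.name, round(reduction, 2), round(rosi, 3)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample data (hypothetical figures, not from any real assessment)
SCENARIOS = [
    Scenario("ransomware on file servers", 0.5, 800_000),    # ALE 400,000
    Scenario("phishing-led account takeover", 4.0, 25_000),  # ALE 100,000
    Scenario("web app data breach", 0.2, 1_500_000),         # ALE 300,000
]
CONTROLS = [
    Control("offline backups + tested restore", 60_000, {"ransomware on file servers": 0.6}),
    Control("phishing-resistant MFA", 40_000,
            {"phishing-led account takeover": 0.9, "ransomware on file servers": 0.2}),
    Control("WAF + patch SLA", 90_000, {"web app data breach": 0.5}),
]

if __name__ == "__main__":
    for name, reduction, rosi in rank_controls(CONTROLS, SCENARIOS):
        print(f"{name:35s} risk bought down: {reduction:>10,.0f}  ROSI: {rosi:.2f}")
```

Note that the backup control buys down the most risk in absolute terms, yet MFA ranks first on return per dollar because it cheaply touches two scenarios; a risk-led programme needs both figures in front of the decision maker.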
Using a risk-led approach to cybersecurity makes prioritisation easy for security teams, enabling them to focus on what matters most. By adopting cyber risk quantification coupled with threat intelligence and security orchestration, automation and response, the security team’s actions around the most critical risks will be unified and streamlined, which can ultimately strengthen the entire security ecosystem.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.