During the past year, you may have noticed a shift in the way IT and security professionals talk about cyber security.
Historically, firewalls, DLP, antivirus, SIEM and other technical point solutions have been the centerpiece of security conversations, but the mindset is slowly shifting from technology to risk.
The goal of stopping all attacks and preventing all business impact has been recognized as a fool’s errand, and has shifted to measuring risk and minimizing business impacts. Cyber security is increasingly being viewed as a risk management problem, aligned with or, in many cases, surpassing other operational risks on enterprises’ priority lists. According to a recent board report, 89 percent of board members say they are very involved in making cyber risk decisions, with the majority ranking cyber risk as the highest priority.
A shift in mindset is just the start. Actually executing your strategies and tactics based on risk is a whole different story. To really understand risk, enterprises need to start by identifying their most valued applications and the potential business impact if the confidentiality, integrity or availability (CIA) of each were compromised. From there, there are a couple of different approaches.
Early efforts at calculating a risk-adjusted dollar amount to which the business is exposed, also known as “Value At Risk,” were based on traditional financial and operational risk models. They required experts to work with the cyber and business teams to try to guesstimate the probabilities of particular events and their ability to compromise each application’s CIA. One obstacle to that approach is that there is far too little historical data on which to base such guesstimates with any accuracy. The other challenges are that even if you were able to guesstimate probabilities with any accuracy, the result is only a single point in time, and it is difficult to drill down to a level of detail that can help drive daily decisions and actions beyond generally focusing protection on those applications with the greatest theoretical risk.
A more feasible and actionable approach that is evolving is to use the aforementioned asset data and loss impact information in concert with your existing threat and vulnerability data to understand the potential for compromise and prioritize your activities accordingly. This approach uses actual events occurring within the organization, together with external threat intelligence data, to measure the potential for compromise and estimate the loss impacts that can result from those exposures. The benefit of this approach is that it is based on actual conditions “on the ground” and can be aggregated or decomposed to drive prioritization decisions from the front-line responders all the way up to the board of directors.
How can an Application Value At Risk be used?
Most enterprise security teams do a good job identifying threats and vulnerabilities; too good a job, in fact. Security teams are flooded with countless threat alerts and vulnerabilities identified daily. With all that data, prioritizing remediation efforts is the real challenge. The answer is to understand which remediation actions will result in the greatest reduction in value at risk. By understanding the relationship between remediation actions and results, enterprises can drive a more focused and transparent cyber risk management program, where stakeholders can be held accountable in a measurable way for their actions or lack thereof.
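As an added illustration, not taken from the original article, the following Python model shows the prioritization described above: each application carries an estimated loss figure and its open exposures with an assumed likelihood of compromise, value at risk is loss times the probability that at least one exposure is exploited, remediation actions are ranked by the value at risk they remove, and totals are rolled up by business unit for board reporting. The application names, dollar amounts, likelihoods and exposure identifiers are constructed, and treating exposures as independent is a modelling simplification.

```python
from dataclasses import dataclass


@dataclass
class Application:
    name: str
    business_unit: str
    loss_if_compromised: float  # estimated loss (USD) if CIA is compromised; constructed value
    exposures: dict             # open exposure id -> assumed likelihood of compromise


def value_at_risk(app: Application) -> float:
    """Loss times the probability that at least one open exposure is exploited.
    Exposures are treated as independent (a modelling simplification)."""
    p_not_compromised = 1.0
    for likelihood in app.exposures.values():
        p_not_compromised *= 1.0 - likelihood
    return app.loss_if_compromised * (1.0 - p_not_compromised)


def remediation_benefit(app: Application, exposure_id: str) -> float:
    """Reduction in value at risk if one exposure is fully remediated."""
    remaining = {k: v for k, v in app.exposures.items() if k != exposure_id}
    after = Application(app.name, app.business_unit, app.loss_if_compromised, remaining)
    return value_at_risk(app) - value_at_risk(after)


def prioritize_actions(apps):
    """Rank every (application, exposure) pair by value at risk removed, highest first."""
    actions = [(remediation_benefit(app, exp), app.name, exp)
               for app in apps for exp in app.exposures]
    return sorted(actions, reverse=True)


def aggregate_by_unit(apps):
    """Roll value at risk up to business-unit totals for board-level reporting."""
    totals = {}
    for app in apps:
        totals[app.business_unit] = totals.get(app.business_unit, 0.0) + value_at_risk(app)
    return totals


# Constructed sample inventory; all names and numbers are illustrative.
SAMPLE_APPS = [
    Application("payments", "finance", 5_000_000,
                {"unpatched-rce-finding": 0.05, "weak-admin-password": 0.02}),
    Application("hr-portal", "people", 800_000, {"outdated-tls": 0.20}),
    Application("marketing-site", "marketing", 50_000, {"reflected-xss-finding": 0.50}),
]

if __name__ == "__main__":
    for benefit, app_name, exposure in prioritize_actions(SAMPLE_APPS):
        print(f"{app_name:15} {exposure:25} removes ${benefit:,.0f} of value at risk")
    for unit, total in aggregate_by_unit(SAMPLE_APPS).items():
        print(f"{unit:10} total value at risk ${total:,.0f}")
```

Note that the highest-likelihood finding (the marketing site) ranks last, because the prioritization is driven by dollars of value at risk removed rather than by severity alone.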
Mapping potential financial loss value to security exposures also enables better decision making by the board. As security has transitioned into a risk management issue, a communication gap between security leaders and boards of directors has also emerged. Whereas security leaders are accustomed to speaking the language of technology, board members speak the language of risk. However, if security leaders can walk into a boardroom with actual value at risk metrics that show how much money the enterprise could have lost if a vulnerability had not been patched, and how much the security team reduced that value at risk by taking action, both parties would be speaking the same language. Boards understand financial impact and can make better decisions if they know the potential dollar amount at stake.
In many other parts of the enterprise, risk management methods that use financial impact metrics to drive decision-making have been business as usual since time immemorial. As the industry shifts to a risk-based approach, we will be able to change the conversation from trying to remediate every threat and vulnerability in an effort to protect every application on equal terms, to deciding which actions to take to best minimize the impact of cyber risks on the business.