Why ambiguity in cybersecurity no longer adds up

Why ambiguity in cybersecurity no longer adds up


Article by MetricStream APAC Managing Director Michel Feijen.

There are places where ambiguity and subjectivity work well, but measuring your exposure to cyber risk is not.

One place where clarity is required is in suite C. As the costs and risks of cybersecurity continue to rise, CEOs continue to struggle with what they buy their investment in cybersecurity.

When an attempt was made to measure the effectiveness of your company’s cybersecurity, a survey found that 72% of CEOs receive metrics that “make no sense or context” and 87% “need a better way to measure the effectiveness of their investments in cybersecurity “.

As MIT Sloan Management Review notes, “Executives and directors often spend too much time studying technical reports on things like the number of intrusion detection system alerts, antivirus signatures identified, and software patches implemented.” These things are often delegated and limited to the IT department, but ideally, addressing and addressing cybersecurity risks should be strategically managed by senior management so that risk management is not based solely on incidence.

Cybersecurity increasingly needs to learn to speak a different language. Current reforms in several countries, particularly Australia and the United States, would expose individual directors and executives to personal responsibility for cybersecurity risks. The proposals also seek to record the “substance of how a company manages its cybersecurity risk.”

This is a profoundly different position on risk, not one that favors qualitative or ambiguous “traffic light system” representations.

The traditional approach has been to classify risks as high, medium, and low, or to rate them in terms such as “likely to occur” or “unlikely to affect the business.”

These classifications are too vague in the modern world. Security teams might think that a medium risk needs to be mitigated, but the management team might argue that it can be accepted. Defending your point of view can be difficult because the term “medium risk” sounds pretty ambiguous.

It becomes more difficult when teams have multiple risks that are classified into media. Which do you focus on first? Do you spend the same amount of time and resources managing all three risks? It is difficult to know for sure with non-quantitative metrics.

Organizations face thousands of computer and cyber risks a year. The challenge is to determine what risks need to be addressed first. There can also be hundreds of possible security checks; which will give the biggest benefits at the lowest cost?

These are questions that CISOs need to answer. And to do that, they need quantitative data. Ambiguous terms must be converted to hard numbers.

Do the math

Enter the quantification of cyber risk: a process for measuring exposure to cyber and IT risk in monetary terms.

It aims to help professionals and their employers determine which risks to prioritize and where to allocate cybersecurity resources for maximum impact.

Cyber ​​risk quantification typically uses sophisticated modeling techniques such as Monte Carlo simulations to estimate value at risk (VaR) or the expected loss of risk exposure.

When quantifying the monetary impact of a risk event, questions such as “How much should we invest in cybersecurity?”, “What will be the return on investment?” and “Do we have enough cyber insurance coverage?” it can be answered with more confidence.

Uncertainty is minimized when exposure to cyber risk is expressed in clear and precise terms. It makes it easier to direct investments in security when you know how much the risk will cost and how much a specific control can help reduce that cost. There is much less debate and confusion about the top three cyber risks, why they have been classified this way, or what controls are most relevant to mitigating those risks. The data is already there for everyone to see.

Several stakeholders benefit from this clarity. CISOs gain a deeper understanding of the impact of risk, which helps them make data-driven decisions. Tips have more visibility than is at stake for the business in terms of dollar value. And executives can effectively prioritize cybersecurity investments by driving alignment between cyber programs and business goals.

Six things to keep in mind

To quantify cybersecurity risk, organizations should consider six important points.

First, establish a common risk language. If everyone in the organization has a different definition for each IT asset, threat, or vulnerability, it will be difficult to communicate and advocate for risky decisions. Standardize risk nomenclature as much as possible.

Second, cyber risk quantification is a collaborative exercise that goes beyond the computer security department. Involve other divisions in identifying critical risk scenarios. The more prospects are put on the table, the more complete the risk data will be.

Third, cyber risks and threats are constantly evolving. A risk that was critical a year ago may no longer be as important or relevant. The only way to know for sure is to re-quantify the risks at regular intervals, maybe once or twice a year.

Fourth, it is not efficient or effective to cover all possible threats and risk scenarios at once. Choose an important use case and work on it before proceeding.

Fifth, automate whenever possible. Manual processes for quantifying cyber risk can be both time consuming and time consuming. Automating these workflows can help you measure a large number of risk exposures more quickly.

And finally, quantification is not a definitive solution: cyber risk quantification should improve, not replace, other cyber risk management and IT processes. Its value is best achieved when complemented by risk monitoring, qualitative assessments, internal audits and problem management processes.

While no organization can ever be fully immune to threats and risk, smart, calculable risk quantification, management, and measurement can help organizations improve risk mitigation.



Source link

Related post

EDUCAUSE 2022: How Data Collection Can Improve Student and Faculty IT Support

EDUCAUSE 2022: How Data Collection Can Improve Student and…

At Indiana University, Gladdin said, to make life easier for students and faculty, they implemented a course template for the Canvas…
UGC, AICTE warn students against online PhD programmes offered by EdTech platforms | Latest News India

UGC, AICTE warn students against online PhD programmes offered…

The University Grants Commission (UGC) and the All India Council for Technical Education (AICTE) on Friday issued a joint advisory against…
UGC, AICTE warn students against online PhD programmes offered by EdTech platforms | Latest News India

UGC, AICTE warn students against online PhD programmes offered…

The University Grants Commission (UGC) and the All India Council for Technical Education (AICTE) on Friday issued a joint advisory against…

Leave a Reply

Your email address will not be published.