The enhancement of cybersecurity infrastructure is inextricably tied to threats becoming increasingly sophisticated, leading to CISOs and cybersecurity executives spending excessive time countering them.
It is difficult to account for all devices connected in an enterprise network since the very meaning of assets today is itself complex. The modern infrastructure goes beyond traditional assets and now includes multi-cloud workloads, ephemeral containers and serverless workloads, APIs and even IaC (infrastructure as code).
Every new technology that contributes to digital transformation efforts is an additional attack surface that needs monitoring, assessment and remediation from risk.
According to Gartner’s 2020 CISO Effectiveness Survey, the average enterprise has more than 16 security tools, with 12% of CISOs reporting 46 or more.
One might assume that possessing more tools is tantamount to greater coverage; on the contrary, having more tools rarely equates to a more fortified security infrastructure. The absence of actionable insights, critical gaps in coverage, lack of alignment and challenges in prioritising response and remediation across security, compliance and IT teams persist.
IT infrastructure is increasingly heterogeneous and ephemeral – from on-premises to virtual to serverless, public cloud to private to hybrid, IT to OT to IoT. In addition to this, the continuing IT skills gap makes hiring and retaining seasoned professionals increasingly difficult – adversely affecting the efficacy of managing cybersecurity.
IT complexity is largely compounded by the lack of cybersecurity automation, poor cross-team collaboration and a lack of workflow coordination.
Today’s CIOs and CISOs are desperately trying to find ways to cope with these obstacles in addition to dealing with recently added pressures from boards to track and report on cyber risk. But why this sudden focus on cyber risk by executive teams?
Cyber risk is a board-level concern
Governments around the world are making significant moves to defend against hacking gangs. But even with the heightened focus on protecting digital assets, bad actors have had a head start, and organisations are still reporting unease in their ability to ward off ongoing threats.
Today’s organisations face increasing numbers of catastrophic breaches, internet-shaking vulnerabilities, nation-state-backed attacks and a severe rise in ransomware. Just recently, Verizon’s DBIR 2022 reported a 13% year-over-year increase in ransomware, a rise as big as the last five years combined, and named the exploitation of vulnerabilities as a top-three vector attackers leverage to gain a foothold in an organisation's environment.
Corporate boards tend to be very news-driven, growing more concerned with each industry report of cyber warfare, hacking campaigns and new, more sophisticated threat actors – as seen by more than 50% of quarterly board agendas now including the CISO, according to ESG.
Reducing cyber risk is important as the cost of successful cyberattacks soars. The average cost of a data breach rose during 2021 from US$3.86 to US$4.24 million – the highest increase per annum in the 17-year history of IBM’s reporting. Due to the crucial role cybersecurity plays in protecting corporate data and company crown jewels, it is gaining urgency amongst companies of all sizes.
CISOs are expected to provide a novel approach to issues concerning cybersecurity, which includes budget, goals and plans for enhanced reinforcement. Such a requirement translates to cybersecurity leaders having to simplify how they discuss cyber risk with company management, the board, shareholders, customers, partners and the wider market.
It is time to abolish ‘techno-speak’ and clearly define cyber risk in terms of bottom-line business risk. This enables all parties involved to gain a better understanding of cyber risk and effectively tackle the rising slew of issues. For many, this will be a forcing function to shift and adopt a risk-based approach to managing cybersecurity.
Adopting a risk-based approach to cybersecurity
The risks associated with cybersecurity are countless and can arise from outdated software applications or software that has not been adequately developed to mitigate evolving risks. There are risks posed by integrated technologies that may be managed by third parties or be part of a wider supply chain.
Other risks may affect physical or virtual infrastructure such as endpoints, servers, network devices, clouds, and containers. Humans also pose many risks, as a company’s workforce may fall prey to malicious actors exploiting human error.
With CISOs in the hot seat for reducing risk, it’s clear they have their hands full. So what is the best approach? Adopting risk-based methodologies that allow cybersecurity technologies, processes and people to converge and collaborate.
These risk-based methodologies may be prescribed by industry mandates, government regulations and financial audit standards. They must simultaneously achieve strengthened cyber defences while maintaining continuous compliance.
And ultimately, they must be able to report to executives and the board in clear metrics, the success of security controls against internal objectives as well as industry peer benchmarks.
This requires a three-step cycle that continuously monitors the threat landscape, enables quick response and measures the metrics that company leadership is concerned about:
- Assess risk – A thorough threat assessment provides the fundamental basis for organisations to reliably quantify their threat risk. This allows them to gain visibility and control all IT assets in the organisation’s environment. A reliable manner to quantify cybersecurity risk facilitates organisations in prioritising threats and acting swiftly.
- Reduce risk – Consolidating siloed security tools into a unified platform with automation capabilities for risk monitoring, detection and remediation. Actionable steps to reduce risk should be assigned across security, IT or compliance teams in their system(s) of choice.
- Report risk – Automated dashboards with clear, risk-defined metrics against industry standards, peer benchmarks and best practices aid organisations in reporting threats conveniently. Modern techniques break with security reporting of the past by tracking metrics customised to an organisation’s unique cyber risk exposure to specific threats.
Count risks instead of vulnerabilities
A reported cumulative growth rate in vulnerabilities of 5,116% over the past few years seems startling. However, if we take a risk-based approach to this increase, cyber risk in terms of business risk can be put into perspective.
To illustrate, out of the universe of 185,446 known vulnerabilities, only 29% have exploits available. Just 2% have weaponised exploit code. And considering the range of malware currently in the wild, a mere 0.4% – 718 vulnerabilities – have been exploited by malware.
Threat actors are actively leveraging only 0.16% of the universe of known vulnerabilities. Finally, even fewer vulnerabilities end up with a brand name; those are the ones that show up on the front page of major newspapers, such as Log4Shell and Heartbleed.
As most security teams do not have visibility into this simple fact, vulnerability management objectives are prioritised based on CVSS scores alone, which can result in wasted effort patching vulnerabilities that may or may not reduce risk.
To be a true risk to your enterprise, a specific vulnerability must have material applicability in your specific environment.
For example, a high-severity vulnerability may not be as much of a concern if your enterprise has compensating controls that mitigate the risk it poses. Vulnerability management must go beyond a simple vulnerability score to include all forms of risk to the business – e.g., a password such as “ABC123” may pose a more significant risk to an environment than any known CVE.
Controlling cybersecurity risk is much more achievable by focusing security and IT teams on the vulnerabilities that matter most to your company’s exposure. It is the essence of a risk-based approach to security.
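The prioritisation argued for above, as an added example that is not from the article: each finding is scored by exploit maturity, exposure, business impact and compensating controls rather than by CVSS alone, and a weak credential is scored alongside CVEs. The findings, weights and CVE placeholders are constructed for illustration.

```python
from dataclasses import dataclass

# Exploit maturity tiers follow the article's funnel: no exploit -> proof of concept
# -> weaponised code -> actively used in the wild. Weights are assumed, not from the article.
EXPLOIT_WEIGHT = {"none": 0.2, "poc": 0.5, "weaponised": 0.8, "in_the_wild": 1.0}
EXPOSURE_WEIGHT = {"internal": 0.4, "internet": 1.0}


@dataclass
class Finding:
    asset: str
    title: str
    cvss: float          # CVSS base score 0-10; a weak credential is scored 10.0 by local policy here
    exploit: str         # key of EXPLOIT_WEIGHT
    exposure: str        # key of EXPOSURE_WEIGHT
    crown_jewel: bool    # asset holds data the business cannot afford to lose
    compensating: float  # 0.0 = no mitigating control, 1.0 = fully mitigated (e.g. isolated network)


def risk_score(f: Finding) -> float:
    """Severity x likelihood x business impact, discounted by compensating controls."""
    likelihood = EXPLOIT_WEIGHT[f.exploit] * EXPOSURE_WEIGHT[f.exposure]
    impact = 1.5 if f.crown_jewel else 1.0
    return round(f.cvss * likelihood * impact * (1.0 - f.compensating), 2)


def prioritise(findings):
    """Risk-based order: highest business risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def cvss_only(findings):
    """The score-only order the article argues against, kept for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample findings; the CVE identifiers are placeholders, not real entries.
SAMPLE = [
    Finding("db01", "Default password 'ABC123' on admin account", 10.0, "in_the_wild", "internet", True, 0.0),
    Finding("web01", "CVE-PLACEHOLDER-1 in web framework, blocked by WAF rule", 9.8, "poc", "internet", False, 0.7),
    Finding("app02", "CVE-PLACEHOLDER-2 in file upload handler", 6.5, "weaponised", "internet", True, 0.0),
    Finding("lab07", "CVE-PLACEHOLDER-3 on isolated lab build server", 9.1, "none", "internal", False, 0.0),
]

if __name__ == "__main__":
    print("CVSS-only order:", [f.asset for f in cvss_only(SAMPLE)])
    for f in prioritise(SAMPLE):
        print(f"{risk_score(f):6.2f}  cvss={f.cvss:<4}  {f.asset:<6} {f.title}")
```

With these weights the 6.5 finding on an internet-facing crown-jewel asset outranks both 9.x CVEs, one mitigated by a WAF rule and the other unexploitable and internal.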