There are various qualities that allow for effective decision making. The most important is the ability to assess multiple options while, at the same time, weighing the risks associated with each of them.
In our everyday lives, we make never-ending risk calculations throughout the day: when we are driving a car, walking across the road, or even deciding whether to get out of bed in the morning. There is even the risk of missing an important business opportunity by dismissing that early meeting if you decide to sleep through your alarm. Without us deliberately trying, our brains naturally assess the impact of every decision we make, no matter whether the decision is big or small.
When it comes to cybersecurity, risk is a term that has increased in popularity in recent years. Yet, there are a plethora of organisations who have yet to recognise that cyber risk must be assessed and managed in the same way as other forms of business risk – it must be quantified in financial terms and managed to drive down potential financial harm to the organisation. Businesses must ask themselves, what are our top risk scenarios? How do these scenarios compare to one another? Is this risk acceptable or does it exceed our risk appetite? How much should we invest to drive down risk? How does one mitigation option compare against another?
Put simply, these are not questions that many organisations are able to answer. As a result, for the last few decades little more than experience, gut feeling and reactionary responses to threats has driven their security decision making.
Quantifying cyber risk to align security
Recognising this reality, some organisations are seeking to quantify their cyber risk to better align security to the business, drive remediation and response activities, support investment decisions and demonstrate return on security investment.
Cyber risk quantification is the process of scoping the risk scenarios that could cause the most harm to an organisation, validating, measuring and analysing available data using mathematical modelling techniques to represent the potential financial harm from any given cyber event.
By adopting this new understanding of cyber risk, organisations gain the ability to communicate in terms that CEOs and boards understand. It level-sets the conversation around security spending, helps prioritise response activities according to their efficacy in reducing the risk of financial loss or operational impact, and allows organisations to apply security dollars more confidently for the greatest return on investment.
Unfortunately, those that have already embraced the move to a quantified understanding of risk have been let down. Current approaches require too much manual data collection and too much training and professional services support; they do not connect this newfound understanding with the ability to take action; and they fail to meet the need to mitigate risk efficiently and cost-effectively. But new approaches are emerging that marry risk, threat and response.
The marriage of risk, threat and response
Organisations need to acknowledge that understanding and quantifying risk is critical to building an effective security programme today. Solely orchestrating and automating security actions with an intelligence-led approach is not enough. As the Cyber Risk Quantification movement has taken off over the last few years, organisations need to consider evolving approaches to security that will serve them in the long term. More has to be done to change the way security works.
In a holistic sense, the marriage of risk, threat and response is the only way to achieve the primary goal of cybersecurity – reducing risk to the organisation.
Introducing a risk-led approach to cybersecurity will prove successful in the long term. It will make prioritisation far easier for security teams, helping them to focus on the most important tasks at hand. The adoption of cyber risk quantification, coupled with threat intelligence and security orchestration, automation and response, will guarantee that the actions security teams take around the most critical risks are united and streamlined, fortifying the overall security ecosystem.
By Miles Tappin, VP of EMEA at ThreatConnect