How to Confront Cybersecurity Risks With Data

There’s no glossing over it: Cybersecurity has a data problem. More specifically, cybersecurity as an industry sucks a bit when it comes to quantifying cyber risk. While there are increasing calls for cybersecurity in boardrooms, and even proposed changes by the Security and Exchange Commission (SEC) to force companies to disclose cyber expertise in their board composition, as an industry we simply don’t speak the same language as many other our fellow human beings.

Cyber ​​security risk quantification

In principle, cybersecurity risks can be conveyed qualitatively or quantitatively. Historically, as an industry, we mostly do the former. This presents a scenario that is undeniably subjective and open to interpretation, and does not provide our business peers with hard, quantifiable data and metrics to drive organizational decision-making about cybersecurity risk. This comes at the same time as incessant calls for cyber to “speak the language of business”.

Far from new or novel, this topic has been discussed by leaders such as Douglas Hubbard and Richard Seiersen in their much-cited book How to Measure Anything in Cybersecurity Risk (a new edition is also rumored to be forthcoming). Nor are they the only individuals or organizations with a long history of quantifying cybersecurity risks.

Risk Management Executive Jack Jones and the FAIR Institute have also campaigned for this position. As an organization, FAIR, which stands for Factor Analysis of Information Risk, has more than 13,000 members and is used by over 45% of Fortune 1000 companies. There are also platforms like Balbix that are increasingly being adopted and are striving to provide automated cyber risk quantification to empower organizations and improve reporting to board members.

The corporate IT environment

With the push of thought leaders, industry organizations, and vendors, what is the cyber industry still talking about in muddy subjective terms and metrics? The truth is that quantifying cyber risk relies on methodological and mathematical models and approaches. While these may be straightforward, it’s an enterprise IT environment that’s not quite as thin and dry.

When quantifying cyber risk, you look at things like corporate assets, vulnerabilities, threats, and probabilities of exploitation or events. Some basics such as B. Inventory of hardware and software assets, which has been a critical SANS/CIS security control for years, is something that organizations generally underperform quite a bit at.

Companies just don’t have much confidence in their asset portfolio. If so, it’s generally misplaced, as years of security incidents have shown Shadow IT to be rampant. It’s difficult to protect, let alone quantify, the risk of assets you don’t know exist.

Combine this with the vulnerability databases and rating systems currently in use and you have a scenario where even knowing your resources, the way vulnerabilities are rated and tracked is far from infallible. The Common Vulnerability Scoring System (CVSS), widely used for vulnerability prioritization and risk assessment, is often misused. At least, that’s the reasoning of Carnegie Mellon University’s Software Engineering Institute (SEI) in their paper entitled “Towards Improving CVSS” or Drew University’s paper entitled “CVSS: Ubiquitous and Broken”.

Future cybersecurity risk coverage

In this month’s articles on the Acceleration Economy Cybersecurity channel, we’ll delve deeper into current qualitative and quantitative assessments of cyber risk, as well as potential gaps in the industry’s assessment and prioritization of vulnerabilities. All of these issues contribute to cybersecurity challenges in speaking the language of the business, delivering actionable risk insights, and adopting the taxonomy of their fellow board members despite the desire to have cyber at the table.

Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: