Cybersecurity Readiness First Principles #5 digs into the question: What is cyber risk? According to PWC, Cyber risk is any risk associated with financial loss, disruption or damage to the reputation of an organization from failure, unauthorized or erroneous use of its information systems. At its core, cyber risk is having knowledge of whether your cyber defenses are working or not. Are the patches you’ve spent time and money implementing effective? Are your systems configured to prevent cyber threats? Are you vulnerable to threats being used against your organization?
The only way for organizations to start winning the cyberwar is to embrace cybersecurity readiness. Readiness enables you to identify what you need to protect, and then test the performance of your people, processes, and technology against the cyber threats they will actually face — and on their own production systems.
Find out more in the final video of our Cyber Readiness First Principles series, which lays out how SightGain is taking cybersecurity back to its basics to build up a new strategy that’s optimized for today’s challenges and cyber threats. Watch the video below.
Learn More:
Cyber Readiness First Principles One: Be Clear on What You Are Protecting
The Real Truth About Cybersecurity Readiness
Cyber Readiness 101 – How to Measure Cybersecurity Performance on Production
Video Transcript
Timestamps
0:00 Intro
0:33 Cyber Risk: Understanding Vulnerabilities
0:58 Cyber Risk: Readiness Approach
1:27 Cyber Risks
2:10 Cybersecurity Framework
3:24 Challenges to Overcome
3:49 Recap
Cyber risk is a balance between what is known and what is unknown and tries to make good decisions in the face of uncertainty. Once we have a sense of it, we can make wise decisions in the face of uncertainty. For some organizations, prevention costs millions of dollars a year in order to prevent billions of dollars in losses.
In the market today, one of the biggest challenges is understanding vulnerabilities and how those vulnerabilities translate to risks.
0:33 Cyber Risk: Understanding Vulnerabilities
Currently, there’s two methods. One is looking at proxy measures like patches and compliance information. And the second is looking at subject matter opinion. Neither of which actually look at the performance of your systems in lieu of threats. And neither which tell you actually how vulnerable you are.
0:58 Cyber Risk: Readiness Approach
Most approaches do this because it was the best information they previously had available. However, there’s information now through the readiness approach that gets to the heart of risks and tells you are your patches actually working, are your systems configured to stop the threats that you face, and are your cybersecurity investments worth the money that you spent on them, or should you invest in different solutions in order to cover those gaps.
In other words, are your systems that you spent all this time and treasure patching even working? Are they configured to stop the cyber threats that you face? And how do you know you’re vulnerable to the threats that are out there?
1:27 Cyber Risks
Current cyber risk approaches have a veneer of authority by providing detailed technical metrics or advanced mathematical equations. They can give the perception that performance has been tested and that vulnerability is represented accurately. However, what we see time and time again, and the recent string of compromises bears us out, is that compliance and patches and subject matter opinions are usually wrong. And that 100% of those systems are vulnerable to the threats they face until they’re actually tested against those very threats.
2:10 Cybersecurity Framework
So how do you use readiness to evaluate the vulnerability and inform your cyber risk? Well, we built the whole cybersecurity readiness framework to address just that. By looking at your systems and how they are positioned and postured and respond to threats, we can fully inform the performance and tell you just how likely a threat is to be successful. Then by integrating the MITRE attack framework, we can fully inform all those different threat techniques. And then finally layer in the business information that tells us just how valuable this protection is, how much we spent on our technology, and how well that technology is performing in light of the threat that it faces.
So then with all of this information, we can bring it together to tell you what is the return on investment for your cybersecurity dollars, if you have gaps, what’s the recommended way to overcome those gaps, if there’s investments that you need to make, which things should you invest in based on performance and costs in light of the context of your overall organization.
These are new things that the market just hasn’t been able to do until bringing it together and synthesizing threat information with performance and cost to give you a complete picture of how your risk operates.
3:24 Challenges to Overcome
So what’s the biggest challenge to overcome to implementing readiness as we answer risk questions? In our mind it’s cultural. The market over the last 20 and 30 years have used these proxy measures and expert opinion to inform their assessment at risk. We now can drive directly at those assessments, but we do it in a different way. It’s not mandated or a checklist item that you have to check off. However, we feel strongly that if leadership really wants to get to the heart of cybersecurity risk, readiness is the way.
3:49 Recap
So a quick recap. By bringing together your business objectives and how much you’re trying to protect against the threats and the MITRE attack framework that’s out there, testing those threats against the cybersecurity systems you’ve invested in, we can finally for the first time realize true cybersecurity risk measures. Using these cybersecurity risk measures and combining with business information unlocks the potential to really understand what you should invest in for your cybersecurity budget, why and where to go from here.
So we’re really excited about how our cybersecurity readiness approach can inform for the first time and unlock really true, accurate, empiric hard data on cyber risks.
So click on the link below to figure out more about how we do it and subscribe to understand how we’re going to use it in the future.
