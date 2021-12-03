Today, data informs the work of almost every department in the enterprise. Marketers use metrics to track the success of their campaigns. Sales teams monitor performance so it can be compared against targets. Even the catering department will monitor the food that is going uneaten in order to make better decisions about what to cook for lunch.

Similarly, in the cybersecurity world, CISOs and security teams have access to many metrics which show everything from the number of intrusion attempts to the time it takes to patch vulnerabilities after they have been discovered. But is this enough? To find out, we spoke to Cherif Sleiman, CRO at Safe Security.

How can organizations use data better?

Organizations today deploy an average of 45 cybersecurity products and each of these products provides various signals and data points that security teams have to manage. However, this data exists in silos and lacks correlation, leaving security teams to analyse, prioritize and make subjective decisions when it comes to risk management. For example, a firewall tells you only about network security, antivirus products tell you only about endpoint security, and a SOC alerts you to a cyber incident only after it has occurred.

Organizations need a single and unified metric which is objective, easy to understand and dynamically correlates signals across people, process, and technology for both first and third parties to provide one score that matters. This score will represent the present enterprise-wide cyber risk posture, and the related financial impact in case a breach occurs.

Such metrics are actionable, and give the board and other senior business leaders the confidence to take data-backed and informed decisions on cybersecurity.

Why should organizations use cyber risk scoring?

Traditional risk management practices are point-in-time and often only produce a sense of security. Cyber attacks are continually on the rise in frequency, sophistication, and expense; it’s not a matter of if, but when, a cyber-attack will impact your company. In such a scenario, depending on quarterly audits or cybersecurity products alone is no longer enough. Cyber risk scoring provides the much-needed real-time visibility into an organization’s risk posture both at a macro and at a micro asset level. Furthermore, cyber risk scoring simplifies understanding of cyber risk, helping security & risk management leaders to communicate better with the board and senior leaders within the organization.

It enables an organization to simply accept, mitigate or transfer the risk with cyber insurance more effectively and build a proactive strategy to measure, manage and mitigate cyber risks.

What data should be used to build a cybersecurity risk score?

Today, security teams are already sifting through huge amounts of data to make subjective decisions about the organization’s risk posture. Organizations need to adopt Cyber Risk Quantification platforms that correlate that data into a single, objective breach likelihood score which is actionable and enables security teams to take decisions backed by data.

Let’s take an example of the data that needs to be considered for understanding the Breach Likelihood score of every asset within the organization:

Asset information such as geography, industry, industry size, asset vertical

Organization-level policy controls such as password management policy, media handling policy, logging and monitoring policy, amongst others

Organization-level cybersecurity product controls such as network access controls, antivirus, DLP, etc.

Asset-level configuration controls such as System Security Administration, Vulnerability Management, Data Security, etc.

Asset-level vulnerabilities and malware

With a cybersecurity risk score backed by such data, security & risk management leaders can make confident decisions about their organization’s risk management strategy.

How can data help organizations to develop a proactive defense?

It is not a matter of if you will be breached, but when you will be breached. By adopting Cyber Risk Quantification platforms, organizations can accurately predict their present risk posture and take corrective measures to mitigate their biggest risks, bringing the likelihood down. For example, Cyber Risk Quantification platforms such as SAFE continuously track which techniques are being leveraged by at least one APT group to proactively detect threats of the future, and give customers the opportunity to fix issues before they become more severe.

Having access to the right information at the right time allows companies to develop the correct strategies – which sounds easy, but has become difficult for larger organizations. Today, the average Fortune 200 CISO uses 12 dashboards to monitor their environment. That is a lot of information to monitor, particularly when point products do not communicate with each other efficiently.

Too many businesses do not have access to a dynamic, real-time view of their organization’s security that would allow them to identify the problems that need immediate attention and build a proactive defense.

How should organizations score their cybersecurity posture?

There are two important ways of assessing an organization’s security stance. Firstly, companies should carry out internal, intrusive testing. This should start by scanning devices on a network to provide a connection overview. When vulnerabilities are found, they should be prioritized according to their severity and given a security score so that the most serious problems are dealt with first. Then comes the job of fixing these issues, followed by tests to assess if the patches were successful. This process should be repeated as often as possible to provide a continuous assessment of their cybersecurity posture.

The second type of test is external, non-intrusive testing. This method uses risk vectors that can be measured externally and then correlated against actual security incidents. This could involve monitoring the dark web for leaks of credentials or other sensitive information, as well as other signs that suggest malicious activity is happening inside an organization’s network. Assessing third-party suppliers is also a crucial part of external testing. If a company somewhere along an organization's supply chain has been compromised, then it should brace for attack and make preparations immediately.
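The internal testing loop described above (scan, prioritize by severity, score each asset, fix, retest, repeat) is straightforward to automate. The following Python is an added example written for this page; it is not code from the article, from Safe Security or from the SAFE platform. The hostnames, finding IDs and CVSS scores are constructed sample data, and the per-asset scoring rule (ten times the worst CVSS base score on the host) is the example's own illustrative choice, not a vendor formula. The only external fact it relies on is the official CVSS v3 qualitative rating scale.

```python
"""Added example (not from the article or Safe Security): a minimal
continuous-assessment loop for internal scan results. It prioritizes
findings by severity, scores each asset, and diffs two consecutive scans
to confirm which fixes actually took effect."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Finding = Dict[str, object]

# Constructed sample: two consecutive internal scans of the same estate.
# Each finding records the host, a scanner-local finding id, the reported
# CVSS v3 base score, and whether the host is internet-facing.
SCAN_PREVIOUS: List[Finding] = [
    {"asset": "web-01", "id": "finding-a", "cvss": 9.8, "internet_facing": True},
    {"asset": "web-01", "id": "finding-b", "cvss": 5.3, "internet_facing": True},
    {"asset": "db-01", "id": "finding-c", "cvss": 7.5, "internet_facing": False},
    {"asset": "hr-laptop-17", "id": "finding-d", "cvss": 4.3, "internet_facing": False},
]
SCAN_CURRENT: List[Finding] = [
    {"asset": "web-01", "id": "finding-b", "cvss": 5.3, "internet_facing": True},
    {"asset": "db-01", "id": "finding-c", "cvss": 7.5, "internet_facing": False},
    {"asset": "db-01", "id": "finding-e", "cvss": 8.8, "internet_facing": False},
]


def severity(cvss: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating using the
    official v3 ranges: None 0.0, Low 0.1-3.9, Medium 4.0-6.9,
    High 7.0-8.9, Critical 9.0-10.0."""
    if cvss <= 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings so the most serious are fixed first: highest CVSS
    first; at equal CVSS, internet-facing hosts before internal ones."""
    return sorted(
        findings,
        key=lambda f: (float(f["cvss"]), bool(f["internet_facing"])),
        reverse=True,
    )


def asset_scores(findings: List[Finding]) -> Dict[str, float]:
    """Illustrative per-asset score on 0-100 (higher is worse): ten times
    the worst CVSS score present on the host. The maximum is used rather
    than a mean so one critical finding is not diluted by many lows.
    This is the example's own rule, not a vendor's formula."""
    worst: Dict[str, float] = defaultdict(float)
    for f in findings:
        asset = str(f["asset"])
        worst[asset] = max(worst[asset], float(f["cvss"]))
    return {asset: round(10.0 * cvss, 1) for asset, cvss in worst.items()}


Key = Tuple[str, str]


def remediation_delta(previous: List[Finding],
                      current: List[Finding]) -> Dict[str, Set[Key]]:
    """Compare two scans of the same estate. 'fixed' findings disappeared
    (the patch worked), 'persisting' ones are still there (the patch did
    not take, or was never applied), 'new' ones appeared since last scan."""
    prev = {(str(f["asset"]), str(f["id"])) for f in previous}
    cur = {(str(f["asset"]), str(f["id"])) for f in current}
    return {"fixed": prev - cur, "persisting": prev & cur, "new": cur - prev}


if __name__ == "__main__":
    for f in prioritize(SCAN_CURRENT):
        print(f"{severity(float(f['cvss'])):8} {f['cvss']:4} {f['asset']} {f['id']}")
    print(asset_scores(SCAN_CURRENT))
    print(remediation_delta(SCAN_PREVIOUS, SCAN_CURRENT))
```

Running the module prints the current scan in fix-first order, the per-asset scores, and the delta against the previous scan. In the constructed data the "persisting" set is the part to act on: finding-c on db-01 survived a remediation cycle, which is exactly the case the retest step exists to catch, and the "new" set shows the score of db-01 rising even though web-01 improved.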

Cherif Sleiman, CRO, Safe Security