Saving Time, Saving Money: A Risk-Based Approach Towards Cyber Security

If you’ve glanced at the opinion columns of security industry publications of late, you’ve probably seen the term ‘risk-based’ floating around, as in ‘the time is now for a comprehensive, risk-based approach’ or ‘a risk-based approach to security is key to business alignment’. However, many of the articles that use the term never define what a risk-based approach to cyber security actually is in practice. As Jake Olcott asserts, that’s a problem. Without a solid understanding of its meaning, ‘risk-based’ could end up being just another buzz phrase, and the benefits it’s supposed to bring about might never come to fruition.

If someone tells you their company takes a risk-based approach to cyber security, what they mean is that security decisions are weighed first and foremost by risk: the likelihood that a given threat materialises and the damage it would do to the business if it did.

Risk-based approaches are often presented in opposition to compliance-driven approaches. Risk-based security teams are more concerned with reducing their organisation’s real exposure to cyber attack and data breach than they are about checking boxes or passing audits (though those remain worthwhile goals).

A risk-based approach to cyber security is also proactive rather than reactive. Instead of concentrating spend on incident response, a CIO at an organisation using this approach is likely to invest heavily in testing, threat intelligence and prevention (incident response still has to exist; it simply isn’t where the bulk of the effort goes).

Finally, this approach is inherently realistic. The goal of a risk-based cyber security program is meaningful risk reduction, not 100% security. That’s important, because the former allows CIOs, CISOs and Board members to make pragmatic decisions about budget and resource allocation, while the latter requires sparing no expense, even when investments receive diminishing returns.

What does ‘risk-based’ look like?

What does a risk-based cyber security approach look like? A security program that’s fully committed to the risk-based approach will necessarily have a few distinguishing elements.

Risk-based approaches to cyber security rely on accurate risk knowledge. That means two things. First, one’s idea of risk should be based on facts rather than opinion, trends or headlines. Second, in the fast-moving world of IT security, those facts must be current: a finding from six months ago may no longer describe the estate. That’s where continuous monitoring comes in.

This approach to security doesn’t leave room for blind spots. That means point-in-time vulnerability assessments and penetration tests that only occur once or twice per year must be supplemented by other kinds of assessments that fill in the gaps.

Security ratings are one popular option for continuously monitoring cyber security risk. Ratings can provide insight into compromised systems, security diligence, user behaviour and other factors that increase an organisation’s risk exposure. These insights are synthesised into one representative number, updated daily, as well as grades in individual risk vectors.

Prioritisation of need

A truly risk-based cyber security program will have a system in place to prioritise security needs based on their relative levels of risk exposure. Effective prioritisation relies on two key elements: knowledge of the threat and knowledge of the target. That means a security leader running a risk-based program must maintain consistent awareness of the latest and most urgent cyber security threats affecting their company, industry and region, as well as a deep understanding of the systems and data those threats could affect.

With this knowledge in hand, a security leader can determine which projects require the most resources at any given moment. For example, they can say with confidence that pausing work on an automated incident management rollout in favour of tightening user credentials and access controls will reduce the organisation’s risk exposure, because the threats currently facing it exploit weak credentials far more often than slow response. Prioritisation must also be dynamic, based on short cycles rather than monthly or quarterly initiatives, since the threat picture changes faster than that. For this reason, prioritisation relies heavily on continuous monitoring tools like security ratings.
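The ranking decision described above can be made explicit. The following is an added example, not code from the article or from BitSight’s platform: it scores each asset/threat pair as annualised expected loss (likelihood multiplied by impact), then ranks candidate projects by the expected loss they remove per unit of cost. Every asset, threat, likelihood, impact, cost and reduction factor below is invented for illustration. The example also shows the dynamic side of prioritisation: when the threat picture changes (here, a constructed rise in the likelihood of a third-party breach), the same data produces a different ranking.

```python
"""Risk-based prioritisation of candidate security projects.

Added illustration (not the article's or any vendor's code). All figures are
constructed for the example, not observed data. Risk is modelled as
annualised expected loss = likelihood * impact, and each project is ranked by
the expected loss it removes per unit cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float            # estimated probability of occurrence per year


@dataclass(frozen=True)
class Asset:
    name: str
    impact: float                # estimated loss (in £) if compromised
    threats: tuple[str, ...]     # names of threats this asset is exposed to


@dataclass
class Project:
    name: str
    cost: float
    reduces: dict[str, float]    # threat name -> fraction of likelihood removed


# Constructed threat likelihoods (the "knowledge of the threat").
THREATS = {
    "credential_stuffing": Threat("credential_stuffing", 0.30),
    "ransomware": Threat("ransomware", 0.10),
    "third_party_breach": Threat("third_party_breach", 0.15),
}

# Constructed assets and exposures (the "knowledge of the target").
ASSETS = [
    Asset("customer_db", 2_000_000, ("credential_stuffing", "third_party_breach")),
    Asset("file_servers", 500_000, ("ransomware",)),
    Asset("payments_api", 1_500_000, ("credential_stuffing",)),
]

# Constructed candidate projects with hypothetical costs and effects.
PROJECTS = [
    Project("automated_incident_mgmt", 200_000, {"ransomware": 0.20}),
    Project("mfa_and_access_review", 60_000, {"credential_stuffing": 0.60}),
    Project("third_party_assessment", 80_000, {"third_party_breach": 0.50}),
]


def expected_loss(assets, threats):
    """Sum of likelihood * impact over every asset/threat exposure."""
    return sum(
        asset.impact * threats[t].likelihood
        for asset in assets
        for t in asset.threats
        if t in threats
    )


def residual_threats(threats, project):
    """Threat likelihoods after the project's reductions are applied."""
    return {
        name: Threat(name, t.likelihood * (1.0 - project.reduces.get(name, 0.0)))
        for name, t in threats.items()
    }


def rank_projects(assets, threats, projects):
    """Return (project, loss_removed, loss_removed_per_unit_cost), best first."""
    baseline = expected_loss(assets, threats)
    rows = []
    for p in projects:
        removed = baseline - expected_loss(assets, residual_threats(threats, p))
        rows.append((p.name, removed, removed / p.cost))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def update_threat(threats, name, likelihood):
    """New threat table with one likelihood replaced, e.g. after fresh intel."""
    updated = dict(threats)
    updated[name] = Threat(name, likelihood)
    return updated


if __name__ == "__main__":
    print(f"baseline expected loss: £{expected_loss(ASSETS, THREATS):,.0f}")
    for name, removed, ratio in rank_projects(ASSETS, THREATS, PROJECTS):
        print(f"{name:26s} removes £{removed:>10,.0f}  ({ratio:.2f} per £ spent)")
    # Threat picture changes: third-party breach likelihood jumps, ranking shifts.
    changed = update_threat(THREATS, "third_party_breach", 0.90)
    print("after threat update:")
    for name, removed, ratio in rank_projects(ASSETS, changed, PROJECTS):
        print(f"{name:26s} removes £{removed:>10,.0f}  ({ratio:.2f} per £ spent)")
```

With the constructed figures the access-control project wins by a wide margin (it removes £630,000 of expected loss for £60,000), the incident management rollout comes last, and a single change to one likelihood is enough to move the third-party assessment to the top. The numbers themselves are fiction; the point is that the ranking is reproducible from stated inputs and re-runs in seconds when those inputs change, which is what makes short-cycle prioritisation possible.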

Benchmarking for true understanding

To gain a true understanding of cyber risk, one cannot assess the organisation in a vacuum. Risk is a relative term, and can only be understood in relation to historical performance and the performance of peers, competitors and industries.

Security ratings are based on externally observable information, meaning that they can be used to assess any organisation, not just one’s own. Many organisations use security ratings to gain an idea of the cyber security performance of their competitors, top performers in their space and their industry on average. In fact, these relationships are baked into the ratings themselves.

This method of cyber security benchmarking allows security leaders to understand how their organisation is doing in context. For example, using a security ratings platform, a CISO can see that they have a ‘D’ grade in the malware servers risk vector and understand immediately that they’re performing worse than other organisations in their industry. They can also look at a specific company – say a larger and more established organisation – to see which areas of their cyber security program have received the most attention.

Saving time and money


Compared to compliance-driven organisations or idealistic companies that demand 100% security, an organisation using a risk-based approach can save considerable amounts of resources.

This approach can help an organisation assess the return on investment of its cyber security projects and stop spending on tools and systems that are not returning value. Many organisations have spent millions on best-of-breed software only to be breached as a result of user error or an under-prepared third party. A risk-based approach, by directing spend at the exposures that actually drive expected loss, can help a company avoid these scenarios.

In addition, this approach can reduce an organisation’s reliance on expensive security consultants and large point-in-time assessments. By using tools to assist with security performance management, a company can develop the skills needed to assess and prioritise its security program in-house and on a continuous basis.

Most importantly, however, this approach may be better at reducing an organisation’s chances of experiencing a data breach. With the average total cost of a data breach now reported at $3.86 million, that could mean the very difference between survival and failure.

Jake Olcott is Vice-President of Government Affairs at BitSight

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
