If you’ve glanced at the opinion columns of security industry publications of late, you’ve probably seen the term ‘risk-based’ floating around, as in ‘the time is now for a comprehensive, risk-based approach’ or ‘a risk-based approach to security is key to business alignment’. However, many of the articles where this term is mentioned fail to define what exactly a risk-based approach to cyber security is in the real world. As Jake Olcott asserts, that’s a problem. Without a solid understanding of its meaning, ‘risk-based’ could end up being just another buzz phrase, and all the benefits it’s supposed to bring about might never come to fruition.
If someone tells you their company takes a risk-based approach to cyber security, what they mean is that when it comes to making security-related decisions, they consider risk above all other factors.
Risk-based approaches are often presented in opposition to compliance-driven approaches. Risk-based security teams are more concerned with reducing their organisation’s real exposure to cyber attack and data breach than they are about checking boxes or passing audits (though those remain worthwhile goals).
A risk-based approach to cyber security is also proactive rather than reactive. Instead of focusing on incident response, a CIO at an organisation using this approach is likely to invest heavily in testing, threat intelligence, and prevention.
Finally, this approach is inherently realistic. The goal of a risk-based cyber security program is meaningful risk reduction, not 100% security. That’s important, because the former allows CIOs, CISOs and Board members to make pragmatic decisions about budget and resource allocation, while the latter requires sparing no expense, even when investments receive diminishing returns.
What does ‘risk-based’ look like?
What does a risk-based cyber security approach look like? A security program that’s fully committed to the risk-based approach will necessarily have a few distinguishing elements.
Risk-based approaches to cyber security rely on accurate risk knowledge. On one hand, that means that one’s idea of risk should be based on facts rather than opinion, trends or headlines. On the other hand, in the fast-moving world of IT security, those facts must also be up to date. That’s where continuous monitoring comes in.
This approach to security doesn’t leave room for blind spots. That means point-in-time vulnerability assessments and penetration tests that only occur once or twice per year must be supplemented by other kinds of assessments that fill in the gaps.
Security ratings are one popular option for continuously monitoring cyber security risk. Ratings can provide insight into compromised systems, security diligence, user behaviour and other factors that increase an organisation’s risk exposure. These insights are synthesised into one representative number, updated daily, as well as grades in individual risk vectors.
Prioritisation of need
A truly risk-based cyber security program will have a system in place to prioritise security needs based on their relative levels of risk exposure. Effective prioritisation relies on two key elements: knowledge of the threat and knowledge of the target. That means a security leader running a risk-based program must maintain consistent awareness of the latest and most urgent cyber security threats affecting their company, industry and region, as well as a deep understanding of the systems and data those threats could affect.
With this knowledge in hand, a security leader can determine which projects require the most resources at any given moment. For example, they can say with confidence that pausing work on implementing automated incident management software in favour of updating user credentials and access will reduce the risk exposure of their organisation. Prioritisation must also be dynamic, based on short cycles rather than monthly or quarterly initiatives. For this reason, prioritisation relies heavily on continuous monitoring tools like security ratings.
Benchmarking for true understanding
To gain a true understanding of cyber risk, one cannot assess the organisation in a vacuum. Risk is a relative term, and can only be understood in relation to historical performance and the performance of peers, competitors and industries.
Security ratings are based on externally observable information, meaning that they can be used to assess any organisation, not just one’s own. Many organisations use security ratings to gain an idea of the cyber security performance of their competitors, top performers in their space and their industry on average. In fact, these relationships are baked into the ratings themselves.
This method of cyber security benchmarking allows security leaders to understand how their organisation is doing in context. For example, using a security ratings platform, a CISO can see that they have a ‘D’ grade in the malware servers risk vector and understand immediately that they’re performing worse than other organisations in their industry. They can also look at a specific company – say a larger and more established organisation – to see which areas of their cyber security program have received the most attention.
Saving time and money
Compared to compliance-driven organisations or idealistic companies that demand 100% security, an organisation using a risk-based approach can save considerable amounts of resources.
This approach can help an organisation assess the return on investment of its cyber security projects and stop spending on tools and systems that are not returning value. Many organisations have spent millions on best-of-breed software only to be breached as a result of user error or an underprepared third party. A risk-based approach can help a company avoid these scenarios.
In addition, this approach can reduce an organisation’s reliance on expensive security consultants and large point-in-time assessments. By using tools to assist with security performance management, a company can develop the skills needed to assess and prioritise its security program in-house and on a continuous basis.
Most importantly, however, this approach may be better at reducing an organisation’s chances of experiencing a data breach. With the average total cost of such breaches now reaching $3.86 million, that could mean the very difference between survival and failure.
Jake Olcott is Vice-President of Government Affairs at BitSight