One of my favourite authors, Dr Atul Gawande, has written a beautiful book explaining the scientific importance of prioritised checklists in our lives. Checklists are used the world over, from healthcare to the most banal everyday activities, and they always run in order from most to least important. If I draw the same parallel to cybersecurity, how can we design a cybersecurity strategy that is prioritised without a parameter to standardise importance? Do we go by the hundred-page report from security teams, by signals from our log and packet analysis tools, or do we just go by whichever area of the heat map turns bright red?
Prioritising your cybersecurity strategy depends on how well you can define the criticality of those cybersecurity signals and threat intelligence and place them in a business context customised to your enterprise. How do you predict that certain threat signals are more critical than others? There has to be an objective and unbiased assessment of each asset, IP address, cloud instance, cybersecurity tool, person (employee, third party or vendor) and policy against a consistent risk metric, one that considers your internal and external risk exposure across the enterprise, in real time.
The MAZE ransomware has affected multiple large organisations, including Xerox, Cognizant, Indiabulls, Canon and LG Electronics. One of the largest IT service providers affected by MAZE is anticipating a damage of $50 to 70 million in this quarter alone! This is notwithstanding the reputational loss, which can last longer and cause more damage than the initial incident. This estimated dollar impact can mean one of two things: either this organisation had predicted such a breach of its critical assets and prioritised its cyber risk strategy, in which case the estimate is its maximum possible liability, or it is still in damage-control mode, in which case its breach liability is at least $50 to 70 million, if not more.
Go from reactive to predictive
Quoted from the Verizon DBIR, 2020, “if you leave your internet-facing assets so un-secured that taking them over can be automated, the attackers will transform your infrastructure into a multitenant environment. Till now, our defensive opportunity is to estimate what we haven’t seen based on what we have. For example, if we see malware, we look back in time for what we may have missed, but if we see a social action, we look at where the attacker is going, not where they are. All in all, paths can be hard to wrap our head around.”
This is a ‘defensive approach’ and it needs to change. The Pareto Principle, which asserts that roughly 80% of the effects come from just 20% of the causes, helps explain why security and risk management leaders have struggled until now. They have to sift through a constantly growing corpus of data coming from multiple sources and tools in order to identify a ‘few’ bad actors. Security teams often scramble to create the life-saving prioritised checklist that I mentioned earlier and instead create a to-do list that merely lists every possibility rather than prioritised actionables. According to a study, 80% of organisations still resort to reactive tools. The ‘defend when it happens’ approach is costing them millions in regulatory fines and reputational damage.
The secret is that you don’t have to act on all the vulnerabilities, because only 5.5% of them are likely to be exploited. So how do you, then, prioritise these?
This is where cyber risk quantification becomes a game-changer. Prioritising has to stem from analysis of cybersecurity signals and of external and internal threat intelligence, placed in a business context to identify what and where the ‘weakest links’ of an enterprise lie across people, processes and technology. A supervised machine learning risk quantification engine can generate prioritised insights specific to your enterprise’s industry, revenue and geography, ultimately helping you predict a cyber-attack before it happens.
This simple act of prioritising has a ripple effect across the cyber risk strategy of an organisation. There is no silver bullet when it comes to cybersecurity. It suffices to say that the best way to keep yourself afloat is to plug all the holes in your boat before you begin drowning.
Without prioritised and predictive thought leadership at the helm of security teams and the Board, we are essentially drowning in information yet starving for knowledge. An enterprise-wide, objective, real-time and unified score that provides a consistent risk metric as a common language across the Board, security teams and other stakeholders will give the much-needed clarity to make cybersecurity a scientifically backed, data-driven business decision, rather than a mishmash of actions that may or may not protect you. Would you rather take your chances or quantify?
By Vidit Baxi, Co-founder, Lucideus