Cherif Sleiman at Safe Security explains why it’s time to take a data-driven approach to quantifying risk
Businesses are investing more in cyber-security than ever before, with total global spending predicted to exceed $1.75 trillion between 2021 and 2025, according to a report by Cybersecurity Ventures.
Despite cyber spending ramping up, the frequency and cost of breaches have also never been higher. The total cost of breaches through to 2025 has been estimated at $10.5 trillion, more than five times the total business investment. As of October 2021, the number of breaches in the year had already exceeded the total for the entirety of 2020.
So why are cyber threats continuing to skyrocket?
Simply throwing money at the problem isn’t enough. All too often, security spending is concentrated on yesterday’s threats, rather than looking ahead or even matching the needs of today. Investments have to be going to the right places and matching the rapidly changing business environment and cyber threat landscape.
Achieving this means moving on from making best guesses based on the rear-view mirror, and looking ahead with a data-driven approach.
How has the security landscape shifted?
The business world has transformed at a breakneck pace over the last decade, accelerated further by the COVID-19 pandemic. Trends such as cloud migration, SaaS, and remote working have transitioned rapidly from bleeding-edge strategies to baseline capabilities that organisations require to stay competitive.
The threat landscape has moved at a similar speed, with cybercriminals rapidly evolving their tactics to exploit new developments as they emerge.
As a result, securing an enterprise has become ever-more complex and challenging and security leaders must deal with a multitude of problems that simply didn’t exist just a few years ago. Once, workers and infrastructure were all neatly contained within designated locations.
Now, soaring cloud usage means that security teams must account for users, devices, and assets being spread across a huge variety of places, often outside of their direct control.
Security must also account for third parties, as all organisations sit within increasingly large and complex webs of suppliers, partners, and customers. Further, organisations have become interconnected with these third parties, with suppliers and partners often being granted a high degree of unsupervised access to critical data and systems.
Against all of this change, many companies are still labouring under security structures that were created for bricks-and-mortar businesses and are no longer fit for the modern digital world.
Accordingly, while trillions of dollars are being spent on security, much of it is simply going towards expanding the security stack without looking at the underlying foundations of how security is approached.
The security solution pileup
As organisations attempt to keep up with their rapidly changing environments, the average number of security solutions used by each business has climbed steadily over the years. Many in the industry will remember being able to get by with around half a dozen different security tools.
Today, however, large enterprises have more than 130 security tools on average, and even small businesses are likely to have as many as 20.
This number has gradually crept up as new technology is introduced into the market, and adding additional solutions to the stack has also become something of a default reaction to an increased security threat, such as an industry peer being breached.
But this approach doesn’t necessarily work to make the company more secure. In fact, the product pileup can make the security team’s job more difficult as each new tool adds a new stream of data. Without a clear framework to manage and control all these disparate solutions, it is all but impossible to get a clear idea of the company’s actual risk exposure.
When the board wants to know what the company’s risk level is, CISOs will be able to list all the products they’ve purchased and actions they’ve taken. But this really amounts to a best guess scenario. With the number and cost of breaches continuing to climb, this is not enough.
Instead, CISOs need to provide a much more specific and accurate view of risk exposure in real-time.
How can organisations adopt a data-driven approach?
To achieve this, organisations should be moving towards building a proactive approach to risk management through cyber risk quantification platforms. This is a different approach that focuses on creating a real-time, dynamic assessment of risk.
Crucially, this takes into account every single aspect of the business. People, endpoints, on-site infrastructure, virtual environments, the security stack: all of this and more must be assessed at an atomic level of detail.
Quantifying unknown cyber risks
This methodology also needs to extend to third party connections, both current and future. If a business is inking a supplier relationship, it needs to know if its sensitive information will be secure with the new company. Conventionally, this has been established with a cumbersome and unreliable stack of paperwork.
As part of a cyber risk quantification approach, organisations should instead scan potential partners’ domains and identify any cracks in their digital footprint. Then the company and supplier can work together to address these issues before the contract is initiated.
Once a cyber risk quantification model is in place across the entire organisation, security heads can immediately identify all issues across the infrastructure and the risk they present, as well as translating this into a dollar value that can be easily communicated to the board. From here they can assess which issues fall outside the acceptable risk appetite, and work with the board to budget for security solutions.
Rather than taking a best guess, CISOs can create an accurate, data-driven cyber road map that marks out exactly how each action will improve the risk score and reduce the company’s exposure to cyber threats.
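To make the quantification step concrete, here is an added illustrative model (not Safe Security's platform or methodology): each issue carries an annual likelihood and a dollar impact, the expected loss is summed across assets and suppliers, issues are compared against a board-set risk appetite, and candidate remediation actions are ranked by expected loss removed per dollar spent. All issue names, probabilities, costs and the appetite figure are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    name: str
    asset: str          # where the weakness sits: endpoint, cloud, supplier...
    likelihood: float   # assumed annual probability the issue is exploited (0..1)
    impact_usd: float   # assumed loss in dollars if it is exploited


@dataclass(frozen=True)
class Action:
    name: str
    cost_usd: float
    fixes: tuple        # names of the issues this action removes


def expected_annual_loss(issues):
    """Annualised loss expectancy across all issues: sum(likelihood * impact)."""
    return sum(i.likelihood * i.impact_usd for i in issues)


def issues_over_appetite(issues, appetite_usd):
    """Issues whose own expected loss exceeds the board's stated risk appetite."""
    return [i for i in issues if i.likelihood * i.impact_usd > appetite_usd]


def loss_after(issues, action):
    """Expected annual loss once the issues an action fixes are removed."""
    return expected_annual_loss(i for i in issues if i.name not in action.fixes)


def rank_actions(issues, actions):
    """Order remediation actions by expected loss removed per dollar spent."""
    by_name = {i.name: i for i in issues}
    ranked = []
    for a in actions:
        removed = sum(by_name[n].likelihood * by_name[n].impact_usd
                      for n in a.fixes if n in by_name)
        ranked.append((a.name, removed, removed / a.cost_usd))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed sample inventory: one internal issue, one supplier issue, one identity issue.
ISSUES = (
    Issue("unpatched-vpn", "remote-access", 0.30, 2_000_000),
    Issue("supplier-open-rdp", "supplier", 0.20, 1_500_000),
    Issue("stale-admin-accounts", "identity", 0.10, 500_000),
)
ACTIONS = (
    Action("patch-vpn", 50_000, ("unpatched-vpn",)),
    Action("supplier-remediation", 120_000, ("supplier-open-rdp",)),
    Action("identity-cleanup", 10_000, ("stale-admin-accounts",)),
)
```

Running `rank_actions(ISSUES, ACTIONS)` on the sample data shows that the cheapest action is not always the best buy: the VPN patch removes far more expected loss per dollar than the supplier programme, which is the kind of comparison a board can act on.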
Cherif Sleiman is Chief Revenue Officer at Safe Security