Yesterday, Anna Irrera and Olivia Oran wrote a piece about some large corporations coming together to standardize the rating of cyber risk. Such ratings, which are the cyber equivalent of a FICO credit score, enable enterprises to understand how prepared the organizations they work with—vendors, partners, and customers— are to withstand cyber attacks. For example, we have Insurers beginning to look at such ratings when they make underwriting decisions on cyber liability policies.
This is a good move, an important step in the right direction. A key reason behind the cyber mess that we find ourselves in is the lack of quantitative understanding of cyber risk posture in our business culture. Today, cyber security risk is not something that most business people worry about on a day-to-day basis. Instead, this is silo-ed and abdicated to security experts or to governance committees who are unable to make real improvements in security because the business is not involved.
Big firms creating standardized cyber security checklists lists that map to a well understood score-- this has the potential of heightening cyber risk awareness across the industry using the economic incentives and levers of the broad markets. If you can’t sell your product to that big customer because your business has a low cyber risk score – this will get noticed by business unit owners. The powerful rivers of the economy - revenue and profit - are the best tools to get the business engaged in the fight against cyber breaches. Great!
There are however a few things to keep in mind as we begin to measure security and risk: It's not just enough to have the desire for an outcome for the outcome to happen. We need the right approach and technology as well. We cannot "checklist" our way to a good risk score. The enterprise attack surface is hyper-dimensional, complex and continuously expanding. Our risk measurements have to be comprehensive. The modern enterprise is not a simple network with a defined perimeter- it is mobile, extends into the cloud and is heterogenous, with many open systems as well as lots of opaque closed systems, and a myriad of apps and users. All of these elements have to be assessed for cyber risk, as any one of these could be your weak link or crown jewel. Similarly, the threat model is both global as well as specific to your organization and hyper-dimensional. All of these factors have to be incorporated in risk measurement.
Our measurements have to be continuous, not episodic. The enterprise changes continuously as we shape and re-shape the interplay between technology, process and people. Such change almost always has a cyber side-effect, often non-obvious. We must measure this change as it happens, and make cyber corrections rapidly when things go in the wrong direction. Think all the telemetry gear underneath your car’s hood that is always keeping tabs on the different temperatures, pressures and fluid levels in your car. Needless to say, continuous risk assessment has to run fully automated.
Risk measurements must be predictive—we have to reason about the possibility of different kinds of cyber failures that can happen based on the operating environment, even though such things might not yet have ever happened. We must think beyond security events of the past, beyond indicators of compromise (IoCs) and attack (IoAs). This is key to getting ahead of the adversary.
Risk measurements need to have business context. This should be obvious, but IT security teams still struggle with understanding and incorporating business impact into their day to day operations, project planning and reporting. As you might imagine, visualization is key to drive business insights.
Risk measurement will be toothless if the measurement system is not prescriptive. Our algorithms and user interface must be able to map backward from a bad score or red color to pinpoint the specific reasons driving the risk. The system must also be able to specify the missing best practice, configuration or compensating control that would resolve the risk insight.
Finally, modern attacks routinely breach some element of the enterprise. This is because of the fundamental fragility and imperfectness of software, human users and our processes. We must not try to only assess the likelihood of breach of the various elements of the enterprise, but instead focus on the resilience – the ability of the enterprise to limit the impact of attacks. Measuring and modulating the level of “bumpiness” inside the enterprise is key!
As you can imagine, a port scan and some app testing from the outside- in is not going to cut it. Our desired risk measurement system has to be comprehensive, continuous, predictive, business context aware, prescriptive, with great visualization capabilities and must focus on cyber-resilience. We need to select the right technology, powered by some really smart algorithms, to measure risk and resilience.
While this may seem like a tall order, there is a brave new world of security companies, like Balbix, and some visionary practitioners and analysts that are already living this. The recently concluded Gartner conference introduced CARTA—a risk based framework for cyber-security. We are very excited about the possibilities and potential of a measurement driven risk-based approach to security.