Every time the cyber threat landscape has changed, the standard response has been to add another layer to the security stack.
Where once a set of firewalls was sufficient to secure the perimeter, over the years we’ve seen the addition of network policies, intrusion detection, data loss prevention, proxies, and a myriad of other technologies and strategies. Today most organisations run at least 10 different security solutions.
With so many threats out there, defence in depth is a smart approach. But despite all the capital organisations are pumping into their increasingly dense security stacks, breaches are more prevalent than ever. By October 2021, the number of reported breaches had already outpaced the whole of the previous year.
Cyber spending is increasing – so why are businesses less confident of their risk posture?
It’s estimated that businesses will cumulatively spend around $1.75 trillion on security in the next five years. So why is the confidence in security measures not increasing in parallel?
The answer is not how much is being spent, but how it is being spent. Most security strategies tend to be very reactive. Organisations wait to see what analyst houses suggest in their latest industry reports.
If, say, next-gen firewalls are tipped to be the biggest thing, that’s what you go and invest in. In other cases, organisations invest in solutions to guard against a specific threat after an industry counterpart is hit by it.
This lulls business heads into a false sense of security. “We’re doing the right thing,” they think. “We bought the right solutions recommended by experts, so we’re as safe as we can be”.
But as the rising number of successful breaches demonstrates, this is not working.
The dangers of reactive security
The reason this approach is failing is that it does not account for the dynamic threats facing the business. Point-in-time cybersecurity audits conducted by outside agencies capture only a snapshot, and their conclusions are shaped by the auditor’s own assumptions about what matters. Organisations relying on analysts are attempting to peer into the future through a cloudy crystal ball. Those reacting to existing breaches are looking in the rear-view mirror.
Neither of these strategies is fit for securing an organisation that is constantly transforming and evolving with new technology and practices, amid a threat landscape that is also in a constant state of flux.
Both approaches have also made it harder to effectively secure budgets from the board. Relying on industry prophecies about future risks makes it difficult to prove return on investments. Reacting to attacks on other companies meanwhile usually means falling back on FUD (fear, uncertainty and doubt), and executives have long since become inured to this after so many years.
Accelerated by COVID, digital transformation has massively changed the way businesses operate in a very short span of time, and most now have Swiss cheese for network architecture as a result. Key data and systems are dispersed throughout the cloud via SaaS solutions and employees are no longer fixed to working at specific times and locations.
Organisations need to ensure their security strategy can account for this digital hodgepodge and the threats it faces today, rather than the ones of the past or theoretical future.
Why a dense security stack can mean too much noise
Effective security today means knowing, not guessing, what the most prevalent threats facing the organisation are. If the board asks the CISO whether the enterprise is safe after an industry counterpart is breached, the CISO needs to be able to answer with evidence, not a best guess.
Ironically, despite being armed with a stack of security solutions pumping out reams of data, many businesses are finding it harder than ever to get an accurate picture of their risk exposure. It’s like trying to concentrate with a dozen people all whispering different things in your ear at the same time.
To stop themselves from being overwhelmed, security decision-makers need to be able to gain a single view of all this information. One of the most effective ways of achieving this is with a cyber risk quantification approach to security. This strategy not only puts the emphasis on a real-time view of threats facing the organisation but also translates the risk into a clear set of priorities and actions.
The value of an atomic view
Cyber risk quantification collates data from across the organisation’s entire security stack. All those disparate whispers are combined into a single voice, strong and easily understood.
But as well as giving a big picture view, this approach drills down to an atomic level. The risk exposure of each individual person, process and piece of technology throughout the organisation can be analysed and understood.
It might quickly become apparent that a particular user is accessing the corporate network through an unsecured, jailbroken iPhone. Or perhaps the finance department is using an outdated piece of accounting software that is no longer being patched. This view also extends beyond the company’s boundaries to incorporate third-party connections, accounting for the growing number of supply chain attacks.
Each factor is assessed and given a score, with one being high risk and five being low. This enables CISOs to easily see where the biggest threats lie and plan accordingly. Scores can also be converted to show the potential financial loss in case of a breach, providing an even more compelling metric to explain these risks to non-technical board members.
Making security investments count in 2022
Armed with granular, real-time data, CISOs can construct a security plan that accurately addresses the biggest threats facing the organisation and will demonstrably lower its risk exposure. This also facilitates a cross-departmental approach, zeroing in on specific risks and working with IT, HR, compliance and other relevant teams to address them.
Threats that fall outside the company’s risk appetite can be dealt with by the right solutions, while others can be mitigated or handled with transference strategies such as cyber insurance. Rather than taking an educated guess and hoping for the best, CISOs using cyber risk quantification can be confident that their investments will make a real difference to the organisation’s risk exposure.
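To make the scoring and the financial conversion above concrete, here is a small, self-contained risk register in Python. It is an added example, not Safe Security’s model or any code from the original article: the 1-to-5 scale (1 = high risk, 5 = low risk) is the one the article describes, but the mapping from score to annual likelihood, the per-asset exposure figures, the asset names and the risk-appetite threshold are all assumed and constructed for illustration. It shows how per-asset scores become an expected annual loss, how findings are ranked for the board, how the appetite threshold splits “treat” from “accept or transfer”, and how much a planned remediation would reduce the total.

```python
"""Toy cyber-risk-quantification register (illustrative; not a vendor's model)."""
from dataclasses import dataclass

# The article's scale: 1 = high risk ... 5 = low risk.
# ASSUMED mapping from that score to an annual probability of compromise, in percent.
LIKELIHOOD_PCT = {1: 50, 2: 30, 3: 15, 4: 5, 5: 1}


@dataclass(frozen=True)
class Finding:
    asset: str      # the person, process or piece of technology being scored
    owner: str      # team that would remediate it (IT, Finance, Procurement, ...)
    score: int      # 1..5 as above
    exposure: int   # ASSUMED loss, in whole currency units, if this asset is the breach path

    def __post_init__(self) -> None:
        # Reject scores off the scale rather than silently mis-ranking them.
        if self.score not in LIKELIHOOD_PCT:
            raise ValueError(f"score must be 1..5, got {self.score!r}")
        if self.exposure < 0:
            raise ValueError("exposure must be non-negative")


def annual_loss_expectancy(f: Finding) -> int:
    """Expected yearly loss = likelihood x impact; integer maths avoids float drift."""
    return f.exposure * LIKELIHOOD_PCT[f.score] // 100


def total_ale(findings) -> int:
    """Single number for the board: the summed expected annual loss."""
    return sum(annual_loss_expectancy(f) for f in findings)


def prioritise(findings):
    """Rank findings so the biggest expected losses come first."""
    return sorted(findings, key=annual_loss_expectancy, reverse=True)


def classify(f: Finding, appetite: int) -> str:
    """Above the risk appetite -> fix it; otherwise accept or transfer (e.g. insurance)."""
    return "treat" if annual_loss_expectancy(f) > appetite else "accept_or_transfer"


def residual_risk(findings, remediations):
    """remediations maps asset name -> new score after the planned fix.

    Returns (new_total_ale, reduction) so the reduction can be set against the
    cost of the remediation when asking the board for budget.
    """
    updated = [
        Finding(f.asset, f.owner, remediations.get(f.asset, f.score), f.exposure)
        for f in findings
    ]
    new_total = total_ale(updated)
    return new_total, total_ale(findings) - new_total


# Constructed sample register; names and figures are invented for the example.
REGISTER = [
    Finding("jailbroken iPhone used by a sales user", "IT", 1, 200_000),
    Finding("unpatched accounting package", "Finance", 2, 1_000_000),
    Finding("third-party payroll API connector", "Procurement", 3, 500_000),
    Finding("patched mail gateway", "IT", 5, 2_000_000),
]

RISK_APPETITE = 100_000  # assumed: maximum expected annual loss the board accepts per finding

if __name__ == "__main__":
    for f in prioritise(REGISTER):
        print(f"{annual_loss_expectancy(f):>10,}  {classify(f, RISK_APPETITE):<18} "
              f"{f.owner:<12} {f.asset}")
    print(f"total ALE: {total_ale(REGISTER):,}")
    new_total, saved = residual_risk(REGISTER, {"unpatched accounting package": 4})
    print(f"after patching the accounting package: {new_total:,} (reduction {saved:,})")
```

Running it prints the register ranked by expected loss with each finding’s owner, which is the cross-departmental view the article describes: the Finance-owned accounting package tops the list even though the mail gateway carries a larger raw exposure, because the gateway’s score places it at the low-likelihood end of the scale.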
By Saket Modi, CEO, Safe Security