If there's one thing that's interesting about my job, it's that I get paid to lie for a living. In order to fully assess an organization's cybersecurity capabilities, figuring out creative ways to break in is key. Do we chat up a receptionist to gain physical access to their computer? Maybe we drop an infected flash drive in the parking lot just before lunch, where an employee will inevitably find it and plug it into their work computer out of curiosity. Or maybe we clone a door swipe card from a distance and walk right through that locked door. Having a firewall and anti-virus (now Endpoint Detection and Response) may seem great, but those are small, though important, parts of the overall equation.
At the end of the day, the only thing cybersecurity professionals do for a company is quantify and mitigate risk.
Many companies will go through a "cybersecurity audit" from their local IT provider that is usually, sadly, anything but. The provider will typically run a scan of the network, identify some technical vulnerabilities such as passwords that never expire, and then a few days later attempt to sell products and services to fix these issues. What is missing from this equation? Almost everything.
Cybersecurity consulting should never start with cybersecurity. I always start with an attempt to understand and quantify the client's risk. Can the company clearly and accurately answer, in hard and soft dollars, how many of its computers and devices can be down, and for how long, before it is put out of business? If there isn't a ready answer to that question, then that's a serious problem.
That's the core of the issue here. Without understanding risk, all a company does is make assumptions and then buy products on that premise to attempt to fill a gap. For example, having a backup solution that will fully restore a company within 24 hours sounds great on paper, but maybe that's eighteen hours longer than production needs, since it loses so much money for every hour there is a work stoppage. Or maybe marketing can be down for a week without any impact. Corporations literally add more risk, without quantifying it, by taking educated guesses that are oftentimes not even in the ballpark.
So how do we begin to quantify risk? Let's dive in.
For starters, it's important for organizations to understand their expense and loss footprints. When I'm walking organizations through risk quantification, I want to understand hard dollars first. As mentioned, risk directly informs contingency planning, so how can you have a good plan if you honestly don't know your monetary thresholds for recovery time?
How much money the organization spends to keep going as an entity is a question that helps frame the risk footprint. One simple framework I use to start organizations down this road is the following basic equation:
Cyber Risk = Threat x Vulnerability x Information Value
Basically, every CEO needs to be asking these questions and quantifying the answers:
- What are the threats to my business in terms of technology and defense thereof?
- How vulnerable are the company's systems?
- What is the reputational or financial damage if the company systems are breached or made unavailable for an extended period of time?
Those can be difficult questions to answer, but they're a solid start in quantifying overall risk. Not fully understanding this process leaves a company more vulnerable than it thinks. Just ask Illuminate Education, a cloud platform used by school districts across the nation. They failed to properly secure their infrastructure, and millions of students, teachers and parents were exposed. This had the effect of Illuminate losing one of their largest clients: the entire New York City Public School System. How would exposing all of your customers' sensitive information bode for your bottom line? How many would leave you because the trust in your company's security has been broken?
So… how do you start down the risk quantification road?
I usually recommend doing a cyber-risk and cybersecurity assessment using a framework like NIST 800 or ISO 27001, two of the most comprehensive cybersecurity and risk frameworks in the world. The results of an assessment like this allow cybersecurity professionals to begin to quantify and prioritize the risk to the business. Even for small businesses, an overview assessment using one of these frameworks can take a few months. This is vastly different from, and far more comprehensive than, the "cybersecurity audit" most IT companies finish in a day or three.
Beyond this, cyber risk quantification dovetails rather nicely with financial risk modeling, with a bit of a twist: using the two together achieves the following goals:
- Understand the financial impact of cyber events on your business
- Assess the ROI of cyber investments
- Prioritize cyber risk management decisions based on the first two points.
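The following is an added example, not the author's or Security Fanatics' own tooling, that puts the three ideas above into one small model: the Cyber Risk = Threat x Vulnerability x Information Value equation, the backup-RTO-versus-tolerable-downtime comparison from the 24-hour backup example, and a risk-reduction-per-dollar figure for assessing the ROI of a control. The 0-1 scales for threat and vulnerability and all business-unit numbers are assumptions constructed for illustration; the article gives the formula but no units.

```python
from dataclasses import dataclass

@dataclass
class BusinessUnit:
    name: str
    threat: float                # likelihood of a damaging event (0-1, assumed scale)
    vulnerability: float         # how exposed the unit's systems are (0-1, assumed scale)
    information_value: float     # reputational + financial damage in dollars if breached
    hourly_loss: float           # hard-dollar loss per hour of work stoppage
    tolerable_downtime_h: float  # hours the unit can be down before the loss is unrecoverable

def cyber_risk(unit: BusinessUnit) -> float:
    """Cyber Risk = Threat x Vulnerability x Information Value (expected loss, dollars)."""
    return unit.threat * unit.vulnerability * unit.information_value

def recovery_gap_h(unit: BusinessUnit, backup_rto_h: float) -> float:
    """Hours by which the backup's restore time exceeds what the unit can tolerate."""
    return max(0.0, backup_rto_h - unit.tolerable_downtime_h)

def gap_cost(unit: BusinessUnit, backup_rto_h: float) -> float:
    """Hard-dollar loss accrued during the hours the backup solution cannot cover."""
    return recovery_gap_h(unit, backup_rto_h) * unit.hourly_loss

def control_roi(unit: BusinessUnit, residual_vulnerability: float, control_cost: float) -> float:
    """Dollars of expected loss removed per dollar spent on a control that lowers vulnerability."""
    after = BusinessUnit(unit.name, unit.threat, residual_vulnerability,
                         unit.information_value, unit.hourly_loss, unit.tolerable_downtime_h)
    return (cyber_risk(unit) - cyber_risk(after)) / control_cost

def prioritize(units, backup_rto_h):
    """Rank units by cyber risk, highest first, alongside their contingency-planning gap."""
    rows = [(cyber_risk(u), u.name, recovery_gap_h(u, backup_rto_h), gap_cost(u, backup_rto_h))
            for u in units]
    return sorted(rows, reverse=True)

# Constructed sample: production tolerates 6 hours down, marketing a full week.
UNITS = [
    BusinessUnit("production", 0.4, 0.6, 2_000_000, 50_000, 6),
    BusinessUnit("finance", 0.2, 0.8, 1_500_000, 5_000, 48),
    BusinessUnit("marketing", 0.3, 0.5, 200_000, 500, 168),
]
BACKUP_RTO_H = 24  # the "fully restore within 24 hours" backup from the article

if __name__ == "__main__":
    for risk, name, gap, cost in prioritize(UNITS, BACKUP_RTO_H):
        print(f"{name:<11} risk=${risk:>10,.0f}  rto_gap={gap:>5.0f}h  gap_cost=${cost:>10,.0f}")
```

With these numbers the 24-hour backup leaves production with an 18-hour gap, exactly the situation the article describes, while marketing's gap is zero and needs no spending at all.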
With an understanding along these lines, spending on both IT and cybersecurity ceases to be a giant pit that money is thrown into. Instead it reflects an understanding that technology drives the business and that, without defense, everything can literally grind to a halt.
At the end of the day, we're only as secure as we make ourselves. However, without deeply understanding your risk appetite, meaning how much risk you're willing to take on, you may not be nearly as secure as you think!
Nick Espinosa is a cybersecurity and network infrastructure expert. He consults with clients ranging from small business owners to Fortune 100 companies through his business Security Fanatics, a cybersecurity/cyberwarfare outfit dedicated to designing custom cyberdefense strategies. Learn more at www.securityfanatics.com.