In this “New Normal” of COVID-19, where we rely more than ever on the digital world of virtual meetings and get-togethers, online shopping and delivery alerts, tele-medicine visits and triage – our security and cyber teams are on high alert to protect both regulated and sensitive data.
Ordinarily, most security and cyber teams patrol and prod an organization’s infrastructure, analyzing weaknesses and locking down IT assets to close gaps. Remediation comes in many flavors, from restricting access to tightening configurations based on recommended security settings, to partitioning networks to sequester sensitive information.
Getting a beeline on which ‘crown jewel IT assets’ need high priority attention is the mantra of these teams. It’s an ongoing challenge, with the attack surface becoming more complex as third parties, cloud service providers and layers of software and technology blur the lines of demarcation between what is ‘inside’ and ‘outside’ the organization. It is widely understood now that the concept of a ‘fixed perimeter’ is dead. With the advent of Work from Home, Distance Learning, and the dramatic increase in the use of digital solutions, the threat landscape is growing exponentially. And with it, risk to process, people and technologies.
Risk Quantification is Now Critical to Prioritize Successful Asset Protection
So how can teams understand what remediations to prioritize and where to apply scarce resources to lower risk by closing gaps?
A best practice that is quickly emerging in IT, security and cyber programs is risk quantification.
Risk quantification strives to create an operating risk score, based on multiple factors, in the context of business processes, current events and likely future events, network use and user behaviors with characteristics of data. Properly executed, teams can continuously calibrate and tune algorithms that produce scores. Ideally, scores produce a forward-looking view based on changes in the external environment, business processes and technologies.
For example, cyber risk postures are shifting as threat actors target video conferencing and VPN traffic due to the uptick in the number of people working and learning from home. At the same time, the internet is stressed with an increase in streaming and gaming traffic. Spear-phishing and scams are on the rise. If an email comes through that looks legitimate, pertaining to personal finance or health issues, employees working from home are apt to click and be trapped, increasing the risk of a bad actor penetrating their organization and threatening information and assets.
How to Quantify Risk With a Top-Down, Bottom-Up View
Teams strive for a top-down and bottom-up 360 view of risk to recommend mitigation investments. The diagram below shows how operational risk, resilience teams and cyber teams can get on the same page to do just that. Driving to a common risk score is a way to make sure teams use aligned techniques and methods.
Top-down views take information from the business in terms of dollars rather than just the days or hours to return to operations (recovery time objective, RTO) or a recovery point objective (RPO). RPO and RTO are typically used to measure resilience through business impact assessments (BIAs) and aren’t sufficient for risk quantification.
Cyber teams can work hand-in-glove with operational and resilience teams that look at inherent and residual risk within a high priority business process. Operational risk teams understand concepts like annual loss expectancy and can put a value on the criticality of a process – say keeping the order processing system up 24×7 – in terms of real dollars.
From a bottom-up perspective, security and cyber teams map threats and vulnerabilities to the assets that support critical business processes. They strive to estimate the real cost of mitigating vulnerabilities; for example, strengthening access controls, patching software, replacing an unsupported application, implementing automated controls through firewalls, re-architecting and segmenting networks, outsourcing some apps to a third party operating in the cloud, or taking on cyber insurance. The options are finite. With a risk score supported by a top-down view, cyber teams will be able to weigh one or a combination of mitigation strategies for optimal defense in depth.
For example, a team will have insight into the dollar amount to invest in and deliver the mitigation, such as deploying stronger anomaly detection software on a critical business process.
Risk Quantification Creates Agility and Speed in Remediation
With Risk Quantification, teams can increase their insight, agility and speed in remediation efforts. They can use scores to compare a forward-looking risk with dollar investments to mitigate against dollar impact. Teams can prioritize efforts based on the risk quantification score and the dollar magnitude of impact.
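The top-down/bottom-up comparison described in the preceding sections (a dollar-valued process from the operational risk team, a costed catalogue of mitigations from the security team, and a score that ranks them against a budget) can be reduced to a small calculation. The following is an added example, not code from the original post or from any tool it references; the process values, mitigation costs and reduction factors are constructed for illustration, and the score used is return on security investment (ROSI) computed from annual loss expectancy (ALE = single loss expectancy × annualized rate of occurrence).

```python
"""Worked example: rank mitigation options for one critical business process
by comparing avoided annual loss (top-down dollars) against mitigation cost
(bottom-up dollars). All figures below are constructed sample values."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Process:
    """A critical business process as valued top-down by the operational risk team."""
    name: str
    sle: float  # single loss expectancy: dollars lost per incident
    aro: float  # annualized rate of occurrence: expected incidents per year


@dataclass(frozen=True)
class Mitigation:
    """A bottom-up remediation option costed by the security team."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction of incident frequency removed (0..1)
    sle_reduction: float = 0.0  # fraction of per-incident loss removed (0..1)


def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy in dollars."""
    return sle * aro


def residual_ale(process: Process, mitigations) -> float:
    """ALE that remains after applying each mitigation's reductions in turn.
    Reductions multiply, so two 50% controls leave 25%, not 0%."""
    aro, sle = process.aro, process.sle
    for m in mitigations:
        aro *= 1.0 - m.aro_reduction
        sle *= 1.0 - m.sle_reduction
    return ale(sle, aro)


def rosi(process: Process, mitigations) -> float:
    """Return on security investment: (avoided loss - cost) / cost."""
    cost = sum(m.annual_cost for m in mitigations)
    if cost <= 0:
        raise ValueError("mitigation set must have a positive annual cost")
    avoided = ale(process.sle, process.aro) - residual_ale(process, mitigations)
    return (avoided - cost) / cost


def rank_options(process: Process, catalogue, budget: float):
    """Evaluate every combination of mitigations that fits the budget and
    return them ordered by ROSI, highest first."""
    ranked = []
    for k in range(1, len(catalogue) + 1):
        for combo in combinations(catalogue, k):
            cost = sum(m.annual_cost for m in combo)
            if cost > budget:
                continue
            ranked.append({
                "mitigations": tuple(m.name for m in combo),
                "annual_cost": cost,
                "residual_ale": residual_ale(process, combo),
                "rosi": rosi(process, combo),
            })
    ranked.sort(key=lambda r: r["rosi"], reverse=True)
    return ranked


# Constructed sample: op-risk values an order-processing outage at $50,000/hour,
# a typical incident takes 8 hours to recover (SLE = $400,000), and the team
# expects one such incident every two years (ARO = 0.5), so ALE = $200,000.
ORDER_PROCESSING = Process(name="order processing", sle=400_000.0, aro=0.5)

# Constructed sample catalogue costed bottom-up by the security team.
CATALOGUE = (
    Mitigation("patch management programme", annual_cost=30_000.0, aro_reduction=0.4),
    Mitigation("network segmentation", annual_cost=60_000.0, sle_reduction=0.5),
    Mitigation("cyber insurance", annual_cost=25_000.0, sle_reduction=0.6),
)

if __name__ == "__main__":
    print(f"Inherent ALE: ${ale(ORDER_PROCESSING.sle, ORDER_PROCESSING.aro):,.0f}")
    for row in rank_options(ORDER_PROCESSING, CATALOGUE, budget=200_000.0):
        print(f"{row['rosi']:6.2f}  ${row['annual_cost']:>9,.0f}  "
              f"residual ${row['residual_ale']:>9,.0f}  {' + '.join(row['mitigations'])}")
```

Lowering the budget argument narrows the candidate list to what the team can actually fund, which is the "where to apply scarce resources" question from the top of the post; the reduction factors are the part a team must calibrate over time, since the score is only as good as those estimates.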
To leverage this best practice, security and cyber teams must continue to diligently deploy and refine risk quantification methods – as a scalable discipline – and use them effectively to invest in just the right areas as our cyber programs evolve with increasing digitalization.
Over the coming weeks, we will explore more best practices and how security and cyber teams are adapting to COVID-19, outlining how risk quantification methods tie to the digital asset/impact chain, how to move from risk to resilience, and orchestrate risk across IT, cyber, op risk, incident and crisis response and other disciplines.