In this “new normal” of COVID-19, where we rely more than ever on the digital world of virtual meetings and get-togethers, online shopping and delivery alerts, telemedicine visits and triage, our security and cyber teams are on high alert to protect both regulated and sensitive data. We are seeing how COVID-19 has changed the way we do risk – forever. Ordinarily, most security and cyber teams patrol and prod an organization’s infrastructure, analyzing weaknesses and locking down IT assets to close gaps. Remediation comes in many flavors, from restricting access, to tightening configurations based on recommended security settings, to partitioning networks, to sequestering sensitive information.
Getting a beeline on which ‘crown jewel IT assets’ need high-priority attention is the mantra of these teams. It’s an ongoing challenge, with the attack surface becoming more complex as third parties, cloud service providers, and layers of software and technology blur the lines of demarcation between what is ‘inside’ and ‘outside’ the organization. It is widely understood now that the concept of a ‘fixed perimeter’ is dead. With the advent of Work from Home and the dramatic increase in the use of digital solutions, the threat landscape is growing exponentially, and with it the risk to processes, people and technologies.
So how can teams understand which remediations to prioritize and where to apply scarce resources to lower risk by closing gaps? A best practice that is quickly emerging in IT, security and cyber programs is risk quantification. Risk quantification strives to create an operating risk score based on multiple factors: business processes, current events and likely future events, network use and user behaviors, and the characteristics of the data involved.
Properly executed, risk quantification lets teams continuously calibrate and tune the algorithms that produce scores. Ideally, scores give a forward-looking view based on changes in the external environment, business processes and technologies. For example, cyber risk postures are shifting as threat actors target attacks at video conferencing and VPN traffic, due to the uptick in the number of people working from home. At the same time, the internet is stressed by an increase in streaming and gaming traffic. Spear-phishing and scams are on the rise. If an email arrives that looks legitimate, pertaining to personal finance or health issues, employees working from home are apt to click and be trapped, increasing the risk of a bad actor penetrating their organization and threatening information and assets.
Teams strive for a top-down and bottom-up 360-degree view of risk to recommend mitigation investments. The diagram below shows how operational risk, resilience teams and cyber teams can get on the same page to do just that. Driving to a common risk score is a way to make sure teams use aligned techniques and methods.
Top-down views take information from the business in terms of dollars rather than just the days or hours to return to operations (recovery time objective, RTO) or the amount of data loss that is tolerable (recovery point objective, RPO). RPO and RTO are typically used to measure resilience in business impact assessments (BIAs) and aren’t sufficient for risk quantification.
Cyber teams can work hand-in-glove with operational and resilience teams that look at inherent and residual risk within a high-priority business process. Operational risk teams understand concepts like annual loss expectancy and can put a value on the criticality of a process – say, keeping the order processing system up 24x7 – in terms of real dollars.
From a bottom-up perspective, security and cyber teams map threats and vulnerabilities to the assets that support critical business processes. They strive to estimate the real cost of mitigating vulnerabilities; for example, strengthening access controls, patching software, replacing an unsupported product, implementing automated controls through firewalls, re-architecting and segmenting networks, outsourcing some products to a third party operating in the cloud, or taking on cyber insurance. The options are limited. With a risk score supported by a top-down view, cyber teams will be able to weigh one or a combination of these mitigation strategies for optimal defense in depth.
For example, a team will have insight into the dollar amount to invest in and deliver the mitigation, such as deploying stronger anomaly detection software on a critical business process.
With risk quantification, teams can increase their insight, agility and speed in remediation efforts. They can use scores to compare a forward-looking risk against the dollar investment needed to mitigate it and the dollar impact that mitigation avoids. Teams can prioritize efforts based on the risk quantification score and the dollar magnitude of impact.
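The following is an added worked example, not code from the article or from MetricStream, of the top-down/bottom-up comparison described above: the operational risk team's annual loss expectancy (ALE) for the order processing system is combined with the cyber team's cost estimates for the mitigation options listed earlier, and every affordable combination is scored by ALE reduction net of cost. All dollar figures, rates and effect factors are constructed for illustration, and the assumption that mitigation effects multiply independently is this example's simplification.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Mitigation:
    """A bottom-up mitigation option with its estimated yearly cost and effect on risk."""
    name: str
    annual_cost: float   # dollars per year to deliver and run it
    aro_factor: float    # multiplier on annual rate of occurrence (1.0 = no effect)
    sle_factor: float    # multiplier on single loss expectancy (1.0 = no effect)

def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy = single loss expectancy x annual rate of occurrence."""
    return sle * aro

def residual_ale(sle: float, aro: float, chosen) -> float:
    """ALE after applying the chosen mitigations; assumes their effects multiply independently."""
    for m in chosen:
        sle *= m.sle_factor
        aro *= m.aro_factor
    return ale(sle, aro)

def best_portfolio(sle: float, aro: float, options, budget: float):
    """Score every affordable combination; return (names, net benefit) of the best one."""
    inherent = ale(sle, aro)
    best_names, best_net = (), 0.0
    for k in range(1, len(options) + 1):
        for combo in combinations(options, k):
            cost = sum(m.annual_cost for m in combo)
            if cost > budget:
                continue
            net = inherent - residual_ale(sle, aro, combo) - cost
            if net > best_net:
                best_names, best_net = tuple(m.name for m in combo), net
    return best_names, best_net

# Constructed figures for illustration only (not from the article). Top-down view:
# one day of order-processing downtime is valued at $400k, expected twice a year uncontrolled.
ORDER_SLE, ORDER_ARO = 400_000.0, 2.0
OPTIONS = [
    Mitigation("replace unsupported product", 60_000, aro_factor=0.6, sle_factor=1.0),
    Mitigation("segment network", 120_000, aro_factor=0.7, sle_factor=0.8),
    Mitigation("anomaly detection", 90_000, aro_factor=0.8, sle_factor=0.6),
    Mitigation("cyber insurance", 50_000, aro_factor=1.0, sle_factor=0.5),
]

if __name__ == "__main__":
    names, net = best_portfolio(ORDER_SLE, ORDER_ARO, OPTIONS, budget=250_000)
    print(f"inherent ALE ${ale(ORDER_SLE, ORDER_ARO):,.0f}; best portfolio {names} nets ${net:,.0f}")
```

With the constructed inputs the cheapest single option is not the winner; the search selects a three-control combination that stays inside the $250k budget, which is the kind of trade-off the article says a common risk score makes visible.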
To get the most from these best practices, security and cyber teams must continue to diligently deploy and refine risk quantification methods – as a scalable discipline – and use them effectively to invest in just the right areas as our cyber programs evolve with increasing digitalization.
Yo McDonald, Vice President, Customer Success and Engagement, MetricStream, is a seasoned executive in Governance, Risk and Compliance (GRC) consulting and product solutions. She drives customer engagement and retention, while fostering a culture of customer success at MetricStream.