A New Era of Risk
It was already a challenge for organizations to stay a step ahead of cyber risk. Today, digital innovation, remote work, and interconnected business ecosystems are among several trends that, along with their advantages, introduce new risks and complexities and trigger additional layers of regulation. The convergence of these trends is testing organizations’ defenses. According to a global benchmarking study of 1,200 C-level cybersecurity decision makers, many don’t feel well prepared for the risks ahead.
As bad actors double down on their efforts with renewed strength, sophistication, and a larger playing field, organizations are exposed. It becomes clear that we must think differently about cybersecurity.
Faced with an unknown future, organizations find it hard to know how to alter their cyber mindset. Members of a recent CISO panel shared insights gleaned from the landmark benchmark study “Cybersecurity solutions for a riskier world.”
From that discussion, five ways emerged in which organizations can significantly reduce cyber risk.
(1) Prioritize vulnerabilities to reduce risk
In the study, CISOs across multiple industries reported that keeping pace with risk is among their biggest challenges. Duc Lai, CISO for the University of Maryland Medical System, agrees, adding that “there is little similarity among the different types of risk (malware, IoT, remote workers, ransomware) – and it is constantly changing.”
Given global and organizational resource limitations, Lai says, understanding how to prioritize risk is a key step in mitigating it. Risk can be ranked by the criticality of the systems it resides on, or by the types of risk inherent to an organization’s specific industry, for example. The volume of vulnerabilities that scans return is also significant, and often overwhelming, so a raw list of findings is not a work plan. Prioritization helps teams home in on the exposures that matter most, which is essential for smaller teams that are stretched thin.
(2) Inform cybersecurity decisions based on insight and analytics
CISOs have traditionally straddled the line between technology and business, but their skill set has been weighted toward the technical side. Today, business skills are equally important in their role as the organization’s cybersecurity evangelist, which requires CISOs to put risk into a business context. They also need good data, in the form of reporting and analytics, to turn uncertainty into certainty, according to Paul Sussman, VP of Cybersecurity Strategy Consulting at Booz Allen Hamilton.
Data can move CISOs from “we think we have this many vulnerabilities” to “we know we have this many vulnerabilities,” Sussman explains. Coupled with the ability to benchmark against peers using data from sources such as our study, and the ability to prioritize risk based on an asset’s business criticality, data can show where the business is exposed, inform decisions about business strategy based on its potential risk, and demonstrate the need for cybersecurity investments.
(3) Go beyond regulatory compliance to reduce cyber risk
As new cyber risks emerge, regulations rise to meet them. “It is another area of challenge for companies, who range in their readiness to meet evolving compliance obligations,” notes Realogy CISO Juan Morales. Examples include continued changes in data privacy requirements, proposed SEC rules for reporting incidents, and recent government directives for finding and fixing known vulnerabilities.
While regulations help mitigate emerging or specific risks, they are only part of the bigger security picture. Morales cautions that it’s important to stay true to cybersecurity fundamentals. Vulnerability assessment and prioritization, for example, are as important as security policy and compliance management. Security should also extend to OT environments, with the ability to visualize and analyze OT, hybrid, and multi-cloud networks and so gain a complete understanding of the attack surface.
(4) Leverage technology to proactively reduce risk
While people-centric security is important, Morales advises that there shouldn’t be an over-reliance on end users as the first line of defense. “An advanced adversary is going to be able to trick any user regardless of how much cybersecurity training we provide,” he says.
And while many organizations treat a 5% “click rate” as an acceptable result for phishing assessments, Morales reminds us that it only takes one email to compromise an organization. “I would rather see a greater investment in leveraging technology to stop these things from coming into the organization in the first place rather than putting the burden on the end users.”
(5) Quantify risk based on business impact
A risk-based approach to cybersecurity takes risk management a step further: it quantifies the likelihood of a risk event and the impact it would have. That information is then used to decide whether to mitigate, accept, or transfer the risk, much as an insurance company would think about it, notes Lou Celi, CEO of ThoughtLab.
Examples include the inherent risk that an organization in a particular industry faces, or hidden exposures in the operational layers of an OT environment. According to the study, organizations that were more rigorous in their risk-based approach fared better than those that were not and, on average, had fewer incidents and material breaches.
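The two ideas above, ranking vulnerabilities by the criticality of the asset they sit on (point 1) and quantifying each as an expected loss to choose between mitigate, accept, and transfer (point 5), are easier to see in code than in prose. The following is an added example written for this page; it is not from the panel, the study, or any vendor tool. It assumes a scanner export that carries a CVSS base score and a known-exploited flag per finding, an asset inventory with a business-owner criticality (1 to 5) and a single-loss estimate, and an annual exploitation base rate, treatment costs, and risk appetite. Every identifier and dollar figure is constructed for illustration.

```python
"""Prioritize scanner findings by asset criticality, then quantify each as an
annualized expected loss and pick a treatment. Added example; all data is
constructed and the finding IDs are placeholders, not real CVEs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str        # constructed identifier, not a real CVE
    host: str
    cvss: float            # 0.0-10.0 base score as reported by the scanner
    known_exploited: bool  # public, in-the-wild exploitation is known


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int        # 1 (low) .. 5 (crown jewel), set by the business owner
    single_loss_usd: float  # estimated loss from one compromise of this host


@dataclass(frozen=True)
class Treatments:
    mitigate_usd: float  # annualized cost to fix or compensate (patching, WAF, segmentation)
    transfer_usd: float  # annual premium to insure this exposure


def priority_score(f: Finding, a: Asset) -> float:
    """Weight CVSS by where the vulnerability lives; boost known-exploited ones.

    A critical CVSS on an isolated kiosk should sort below a high CVSS on the
    production database, which is the ordering a stretched team needs.
    """
    score = f.cvss * a.criticality
    if f.known_exploited:
        score *= 1.5
    return score


def annualized_loss(f: Finding, a: Asset, base_rate: float) -> float:
    """ALE = annual probability of exploitation x single-loss estimate.

    base_rate is the assumed yearly chance that an exposed vulnerability with
    no public exploitation is used against this host; known-exploited ones
    are treated as three times as likely, capped at certainty.
    """
    p = min(base_rate * (3.0 if f.known_exploited else 1.0), 1.0)
    return p * a.single_loss_usd


def choose_treatment(ale: float, t: Treatments, appetite_usd: float) -> str:
    """Accept losses inside the appetite; otherwise take the cheaper of fix or insure."""
    if ale <= appetite_usd:
        return "accept"
    return "mitigate" if t.mitigate_usd <= t.transfer_usd else "transfer"


def assess(findings, assets, treatments, base_rate=0.1, appetite_usd=10_000.0):
    """Return one row per finding, sorted from highest to lowest priority."""
    inventory = {a.host: a for a in assets}
    rows = []
    for f in findings:
        a = inventory[f.host]  # assumes every scanned host is in the inventory
        ale = annualized_loss(f, a, base_rate)
        rows.append({
            "finding_id": f.finding_id,
            "host": f.host,
            "priority": round(priority_score(f, a), 2),
            "ale_usd": round(ale, 2),
            "treatment": choose_treatment(ale, treatments[f.finding_id], appetite_usd),
        })
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


# Constructed sample data: three findings on three hosts.
SAMPLE_FINDINGS = [
    Finding("F-001", "db-prod-01", 7.5, True),    # high CVSS, exploited in the wild, crown jewel
    Finding("F-002", "kiosk-lobby", 9.8, False),  # critical CVSS, isolated low-value kiosk
    Finding("F-003", "web-prod-02", 6.5, False),  # medium CVSS on a revenue-bearing web tier
]
SAMPLE_ASSETS = [
    Asset("db-prod-01", 5, 2_000_000.0),
    Asset("kiosk-lobby", 1, 5_000.0),
    Asset("web-prod-02", 4, 500_000.0),
]
SAMPLE_TREATMENTS = {
    "F-001": Treatments(mitigate_usd=40_000.0, transfer_usd=150_000.0),
    "F-002": Treatments(mitigate_usd=2_000.0, transfer_usd=1_000.0),
    "F-003": Treatments(mitigate_usd=80_000.0, transfer_usd=30_000.0),
}

if __name__ == "__main__":
    for row in assess(SAMPLE_FINDINGS, SAMPLE_ASSETS, SAMPLE_TREATMENTS):
        print(row)
```

Run as-is, the kiosk finding with the highest CVSS (9.8) sorts last because the asset it lives on barely matters, while the exploited finding on the database sorts first and is cheaper to fix than to insure. The web-tier finding lands above the appetite but costs more to remediate than to insure, so it comes out as a transfer decision. The weights and base rate are assumptions; the point is that the inputs an organization actually owns (asset criticality, loss estimates, control costs) drive the ranking, not the scanner's severity alone.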
“Thinking differently” about cybersecurity doesn’t mean throwing out everything you know. It means expanding your mindset about how you defend your organization. Using data enables more informed decisions about how we approach the new era of risk.