CISOs are facing a ‘tsunami of regulations’ — here’s why it’s crucial they focus on quantifying cyber risk

Lighthouse shines light over a pixelated sea
(Image credit: Getty Images)

CISOs around the world are having to face up to the challenge of quantifying their organization’s level of cyber risk to get board level-buy in on security, but what does this look like in practice?

Speaking to ITPro, Tim Grieveson, SVP and global cyber risk advisor at Bitsight and ranked among the Top CSOs of 2023, said that in his travels speaking to CISOs around the world he has found that new regulations around cyber resilience are driving security leaders to manage their cyber risks differently.

“I look after Bitsight from a global perspective so EMEA, APAC, and the US and one of the things that is certainly driving the [CISO] mindset is the tsunami of regulations coming up, whether it be NIS2 in Europe, SOC 2 in the US, the cyber bill in Singapore or Australia.”

But Grieveson said this raises a new challenge: how can these leaders collate the various threats facing their organization into a single metric that can then be used to communicate risk to boards and auditors alike?

“The challenge CISOs and chief risk officers are facing is quantification of their risk in financial terms. Understanding what the attack surface is, what they are covering internally and externally but also in the supply chain.”

Organizations are pretty good at understanding and improving their security posture, Grieveson noted, but growing issues such as supply chain attacks, or mass exploitation of vulnerabilities in edge devices, make this task a lot more complex.

“What I noticed was [organizations] tend to be looking at themselves really well, but the supply chain seems to be following at pace and it isn’t really there in terms of understanding what the assets are, what the contracts are, what the risks are, and quantifying that in terms the business can understand.”

Grieveson revealed that when talking to a number of CISOs in the APAC region, the conversation quickly turned to the upward trend in high-profile security incidents caused by the exploitation of vulnerabilities in an organization’s third- or even fourth-party suppliers.

“We started to talk about third party risk management, supply chain management, people risk, and how does that come together to be a holistic view in security? Because if you don’t understand your assets how can you possibly prioritize them, how can you then mitigate them, and how can you actually quantify that risk to your business?”

The first thing that needs to change, Grieveson argued, is the legacy mindset around perimeter security, which is insufficient in an increasingly interconnected digital world.

Prioritization is where many organizations fail when mitigating cyber risk

The first part of this puzzle is visibility, Grieveson noted, stating that if businesses don’t understand what they’ve got in terms of the tools and services that make up their attack surface, they will inevitably fail to identify where they may be exposed through one of their partner organizations, vendors, or clients.

“[Businesses] might do an annual assessment, but vulnerabilities are appearing all the time. You need to do continuous assessment, continuous monitoring, onboarding assessments, as well as doing that annual assessment. If you’re not doing continual assessments you might miss something because it's only 12 months you do it rather than on an ongoing basis.”

Once organizations have this level of visibility in place, identifying what to mitigate and when becomes the next challenge for security leaders.

‘Alert fatigue’ is commonplace in the security sector and trying to keep on top of sprawling attack surfaces by prioritizing which issues need to be addressed will be increasingly important, Grieveson asserted.

Every business will have a certain level of risk they are willing to tolerate, he noted, and setting this risk appetite is an exercise of prioritization and weighing up which services are essential to the business.

“The way to set that is to really have a dialogue with your leadership about what are the important assets or services that you provide? What is the value of those? That’s where many organizations fail, they don’t understand what they’ve got in terms of that attack surface and they tend to look very insular.”

Once an organization's critical assets have been identified, security leaders will then need to prioritize which threats they address first, and this is a question of impact and likelihood, according to Grieveson.

He explained that this weighs the financial and time cost of taking mitigation steps against the level of risk the particular threat exposes the business to. The resulting figure can then be used as a metric by which CISOs communicate their level of risk to boards and regulators.
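As an added illustration of the impact-and-likelihood prioritization described above (this is example code, not Bitsight's or Grieveson's method), the constructed register below ranks scenarios by expected annual loss, picks mitigations whose cost is below the risk they remove within a fixed budget, and produces the single before/after exposure figure a board can be shown. All names and figures are invented for the example.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One constructed risk scenario: likelihood, financial impact and mitigation cost."""
    name: str
    likelihood: float            # annual probability the scenario occurs (0..1)
    impact: float                # loss in currency units if it occurs
    mitigation_cost: float       # one-off spend to mitigate, staff time priced in
    residual_likelihood: float   # annual probability once the mitigation is in place

    def expected_loss(self) -> float:
        return self.likelihood * self.impact          # impact x likelihood

    def residual_loss(self) -> float:
        return self.residual_likelihood * self.impact

    def net_benefit(self) -> float:
        # risk removed by the mitigation minus what it costs; negative means the
        # control costs more than the risk it removes (accept or transfer instead)
        return self.expected_loss() - self.residual_loss() - self.mitigation_cost

def prioritize(risks: list[Risk]) -> list[Risk]:
    """Rank scenarios by expected annual loss, largest first."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)

def plan_mitigations(risks: list[Risk], budget: float) -> list[Risk]:
    """Choose the mitigations with the best net benefit that fit the budget."""
    chosen, remaining = [], budget
    for r in sorted(risks, key=lambda r: r.net_benefit(), reverse=True):
        if r.net_benefit() > 0 and r.mitigation_cost <= remaining:
            chosen.append(r)
            remaining -= r.mitigation_cost
    return chosen

def portfolio_exposure(risks: list[Risk], mitigated: list[Risk]) -> tuple[float, float]:
    """Total expected annual loss today and with the chosen mitigations in place."""
    before = sum(r.expected_loss() for r in risks)
    after = sum(r.residual_loss() if r in mitigated else r.expected_loss() for r in risks)
    return before, after

# Constructed sample register; the figures are illustrative, not real data.
REGISTER = [
    Risk("Unpatched VPN edge appliance", 0.30, 2_000_000, 50_000, 0.05),
    Risk("Third-party payroll provider breach", 0.10, 1_500_000, 120_000, 0.04),
    Risk("Phishing of finance staff", 0.50, 200_000, 20_000, 0.20),
]
```

Note that the third-party scenario is ranked second by expected loss yet is left unmitigated at this price, because the quoted control costs more than the risk it removes; that gap between ranking and spend is the conversation to have with leadership.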

Quantifying cyber risk: “The real important thing is to measure it”

Grieveson formulated his idea of a mature approach to managing cyber risk in terms of visibility, prioritization, communication, and quantification, arguing each is vital to getting a holistic view of the threats facing an organization.

“Identify the risk. Prioritize the risk. Communicate the risk to your board in a language they understand so they can allocate the right resources, money and capabilities, and then you’ve got to put the mitigation plan in place. But then finally I think the real important thing is to measure it.”

Being able to convert risk in the abstract sense into a digestible metric is essential, Grieveson argued, if you are to effectively communicate cyber risk as a general business risk, as well as for understanding the impact mitigation measures are having on this exposure.

“Where is [the organization’s cyber risk] going to be today? Where is it going to be when you put mitigating controls in or if you reduce or eliminate the risk? If you don’t measure it, it's [unknown]. It’s that capability of making sure you know what you’re looking at.”

Grieveson said this understanding of cyber risk is not evolving quickly enough compared with the rate of change in the threat landscape, but suggested that new regulatory obligations on businesses will push leaders further toward getting a clearer picture of the cyber risks they carry.

“It’s not evolving quickly enough, what I do think will drive that change is the regulations coming in. You know the necessity to report in a timely manner. A necessity to understand the impact and likelihood of that, which you have to report to the regulator.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.