Our Roundtable Sessions are invite-only events hosted by peers for peers that bring together a select group of senior IT leaders from across industries for topic-driven, intimate dialog on current trends and topics. We hosted two Sessions featuring a group of CXOs and other IT executives. The groups met remotely to discuss cyber risk quantification, led by the CISO of a Swiss-based technology group. These Sessions were sponsored by Balbix.
Cyber-risk Quantification (CRQ) is an evaluation of your organization’s cybersecurity risk landscape. As you identify risks, you associate with them the likelihood of the risk leading to a breach and the potential impacts. Ideally, cyber-risk quantification should help you quantify the financial risk attached to your various IT assets, with the end goal of board-level reporting. But what are the steps involved in the calculation and where do you start?
A senior executive mentioned that cyber risk quantification (CRQ) is a journey, with the primary driver being the reduction of attack surface and risks. The first part of the journey is visibility, i.e., creating an inventory of all the assets plugged into your network. The second part is identifying the potential risks and vulnerabilities and prioritizing them. The third part is communication. You have to communicate with a lot of people in different languages. Your IT team may understand technical recommendations, but those won’t make sense to your audit committee. The language your board of directors and other senior executives will understand is money. So, you have to try and quantify cyber risk in the form of money.
An attendee explained that CRQ is calculated by multiplying the weighted average of the likelihood of a breach (in percentage) of an asset by the potential impact of the breach (in $ etc.). For example, let’s assume you have a public-facing website that you value at $20 million. If there is a 50% chance of the website getting breached, then the cyber risk associated with the website will be $10 million.
Some other attendees raised doubts regarding the aforementioned definition by saying that the simple likelihood × impact formula doesn’t exactly apply anymore. If we talk about a ransomware attack that could shut down your entire organization, or parts of it, how do you quantify risk? Do you quantify it by how much the application/server rebuild costs? Or do you quantify it by how much money it makes per day, per month, etc.? Quantifying in terms of money is ideal, but often you don’t have access to enough financial data to make the proper calculations.
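As an added example (not code from the session, the speakers, or Balbix), the attendees' formula carried through in Python: the weighted average of per-scenario breach likelihoods multiplied by a monetary impact, where the impact combines the two quantification options raised above (rebuild cost plus revenue lost per day over the expected outage) and either term can be left at zero when that financial data is unavailable. Asset names, dollar figures, scenario likelihoods and weights are constructed for illustration; the first asset reproduces the $20 million / 50% / $10 million case from the discussion.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    # scenario -> (likelihood of breach via that scenario, weight of the
    # scenario in the asset's overall exposure); weights need not sum to 1.
    scenarios: Dict[str, Tuple[float, float]]
    rebuild_cost: float      # cost to rebuild the application/server
    revenue_per_day: float   # revenue the asset generates per day (0 if unknown)
    downtime_days: float     # expected outage length if breached (0 if unknown)

    def weighted_likelihood(self) -> float:
        """Weighted average of the per-scenario breach likelihoods."""
        total_weight = sum(w for _, w in self.scenarios.values())
        return sum(p * w for p, w in self.scenarios.values()) / total_weight

    def impact(self) -> float:
        """Monetary impact: rebuild cost plus revenue lost during the outage."""
        return self.rebuild_cost + self.revenue_per_day * self.downtime_days

    def risk(self) -> float:
        """Cyber risk in dollars: weighted likelihood x monetary impact."""
        return self.weighted_likelihood() * self.impact()


def prioritise(assets: List[Asset]) -> List[Tuple[str, float]]:
    """Rank assets by dollar risk, highest first, for the board report."""
    return sorted(((a.name, a.risk()) for a in assets), key=lambda t: -t[1])


def portfolio_risk(assets: List[Asset]) -> float:
    """Total dollar risk across all inventoried assets."""
    return sum(a.risk() for a in assets)


# Constructed sample inventory (hypothetical figures).
SAMPLE_ASSETS = [
    Asset("public website", {"web exploit": (0.5, 1.0)}, 20_000_000, 0, 0),
    Asset("ERP system", {"ransomware": (0.3, 0.7), "insider misuse": (0.1, 0.3)},
          2_000_000, 500_000, 30),
]

if __name__ == "__main__":
    for name, dollars in prioritise(SAMPLE_ASSETS):
        print(f"{name:15s} ${dollars:,.0f}")
    print(f"portfolio        ${portfolio_risk(SAMPLE_ASSETS):,.0f}")
```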
A participant remarked that the main trigger for their cyber quantification journey was when they hired a penetration testing team to infiltrate their networks and attempt a full-service compromise. Within two hours, without raising any alarms, the pen testers were able to compromise their network. This effort allowed them to identify many cyber risks and vulnerabilities, which they then focused on mitigating. They also immediately hired an external incident response team to help them with disaster recovery, if and when required. Lastly, they implemented new processes and applications for better incident reporting and intrusion detection.
One executive talked about how they have to apply for grants from the Department of Defense and NSA to operate in their industry. A single vulnerability or breach can hurt their ability to apply and obtain these grants. This was their main trigger to implement a cyber-risk quantification program to improve their overall security posture.
Multiple executives agreed that ransomware has completely changed the cybersecurity world. In the past, if your company didn’t store personally identifiable information (PII) or healthcare data, then your likelihood of being a target would be close to zero. These days, that’s just not true. Malicious actors perform ransomware attacks on companies of all sizes and types. A cyber expert shared that the average claim is around $8 million for enterprise-level ransomware victims.
One participant mentioned that they are starting to hear that boards could be held responsible if they don’t keep their companies accountable for cybersecurity. This is mainly because of the rising number of ransomware attacks that can cause months of downtime.
Software applications aren’t the only places to look for vulnerabilities. You have to consider many other factors like user behavior, access policies, and password practices (weak, reused, or default passwords, etc.). According to a Swiss cyber-incident reporter, the root cause of 90% of ransomware attacks is missing MFA. Without MFA, your only line of protection is a password, which has become exponentially easier to compromise.
Getting approval from the top-level executives of your organization is critical in implementing a security-first model. However, conveying technical details in a manner that’s easily understandable for non-technical people isn’t easy. This is why you may have to transform “technical mumbo jumbo” into metrics, KPIs, or monetary risk. For example, you may say that you detected X number of vulnerabilities and attempted cyberattacks in the last X months, preventing X dollars in financial and data loss; or that 60% of attacks in 2019 were caused by unpatched software, and that’s why you need more IT resources to handle vulnerability patching and upgrades.
In addition to having an incident response team, you must also have a communications team that monitors the public sentiment after a breach and issues relevant notifications to all concerned parties. Ensure that all major stakeholders in your organizations are on the same page regarding the official communication guidelines, e.g., how to communicate with customers, vendors, partners, etc., in the event of a breach.
An executive remarked that cyber risk quantification ultimately comes down to tracing and reducing the attack surface. The first step for that is knowing your network and knowing what’s on it. The second step is identifying the risks, vulnerabilities, and threats and contextualizing them. Once you add context to threats and alarms and prioritize them, it enables your security teams to be more productive. Otherwise, they spend half their time dealing with false positives.
Gamification of cybersecurity is an excellent way of spreading awareness and ultimately reducing the attack surface. For example, one attendee shared how they developed a tool that lets them launch phishing contests across their organization. As a result, over time, most people became aware of phishing (how to detect/avoid it), which significantly decreased their overall attack surface.