The role of the CISO continues to evolve. Originally, CISOs were expected to be tech-savvy security subject matter experts. Today, organizations also require their CISOs to be business-savvy experts in cyber risk management. Either function on its own is a full-time challenge; in combination, they drive even the most proficient security executive to look for better cybersecurity approaches.
The Challenge of Cyber Risk Management
“When, not if” is the popular sentiment about the prospect of a successful cyber-attack, as organizations struggle to get ahead of their adversaries.
The logical response of board members and senior executives is that if CISOs cannot prevent cyber-attacks, they must at least shield the organization from the probable losses. However, as many CISOs know only too well, the difficulty with cyber risk management is that cyber risk does not follow the same logic and rules as other organizational risks.
Managing risks to an organization’s physical assets is straightforward. The assets are tangible and the attackers are visible. Gates, walls, cameras, security guards, and other traditional security resources are effective at stopping adversaries from taking those assets. Managing risks to an organization’s financial assets is somewhat more complicated. Financial assets are classified by their liquidity rather than by physical characteristics, and they are exposed to many more kinds of hazards than tangible assets are. After all, does your roof leak because interest rates fall or exchange rates rise?
Cyber risk management, however, is an entirely different beast with significantly more challenges. Under normal operating conditions, organizations know exactly where their physical and financial assets are and know their value down to the penny. Cyber assets, by contrast, are transitory by nature. At one moment a set of records may sit in an on-premises system; in the next, a perfect copy of those records may be transmitted through a cloud infrastructure for processing by a third-party microservice provider. The marketplace fixes the value of physical and financial assets, but there is no recognized market that fixes the value of cyber assets. Their economic worth to an organization derives almost entirely from how they can be operationally leveraged to generate revenue.
Cyber Risk Management is Evolving
The point is this: the CISO’s risk management function can be untenable because the concept of cyber risk lacks the measurable, quantifiable backing inherent in managing the risks of other asset types. Without measurable inputs and quantifiable outputs, what “risk” means can vary significantly from person to person.
The savvy CISO understands that the critical challenge of effective cyber risk management is objectively evaluating whether the organization is making all reasonable efforts to secure its cyber assets. Ten years ago a security executive could manage this by “gut feeling.” Today’s business realities increasingly demand a more quantitative approach.
Consider the growing gap between book value and market capitalization, particularly for organizations that are heavily data driven. Financial analysts often use this gap as a proxy for, or an upper bound on, the value of the organization’s cyber assets; it is not uncommon for that value to be two to four times the organization’s book value. Cyber assets are clearly becoming ever more important to continuing operations and revenue generation, so managing their security is a far weightier responsibility than maintaining the organization’s reputation or insuring against a loss that might be material. As the stakes of cyber risk management increase, so does the need for objective measurement and verifiable quantification. Today’s CISOs need a comprehensive attack surface analysis.
Generating the Comprehensive Attack Surface
From a security perspective, the IT environment has three primary components. First, the environment contains cyber assets that need to be secured. Second, those same assets are what attracts the attacker population; viewing the environment and its assets from the attacker’s perspective helps defenders prioritize their resources against the adversaries the organization actually faces. Third, the paths attackers will try to exploit to reach the targeted assets invariably start somewhere on the organization’s comprehensive attack surface. The goal of cybersecurity is to place the appropriate security controls along that attack surface so as to reduce or eliminate an attacker’s opportunities to reach the targeted assets.
Actionable cyber risk management requires a full understanding of all three components. Developing that understanding means linking together the individual threat models created for the various applications and systems in the same way that the actual applications and system components interact: a data flow from one application’s model into another’s is an attack path that neither model shows on its own. The resulting output for the CISO is the attack surface of the organization’s entire IT environment. Analysis of this “big picture” yields the data-driven understanding of the enterprise’s entire threat portfolio.
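The following Python sketch is an added illustration of the linking step described above; it is not part of the original post and is not ThreatModeler’s code or data model. It assumes a deliberately simplified, hypothetical enterprise: each application’s threat model is reduced to the nodes an attacker can stand on, which of them sit on the external attack surface (entry points), which are targeted assets, and the data flows between them. Cross-application flows are kept separately, because they are exactly what a per-application model cannot see. The example then enumerates every attack path from an entry point to an asset and asks where a control would cut them all.

```python
from collections import defaultdict

# Constructed, hypothetical threat models (not real systems). Node names are
# prefixed with their application so that merged models cannot collide.
THREAT_MODELS = {
    "web": {
        "entry": {"web:login"},
        "asset": set(),
        "flows": [("web:login", "web:api"), ("web:api", "web:session_db")],
    },
    "billing": {
        "entry": set(),
        "asset": {"billing:customer_db"},
        "flows": [("billing:invoice_svc", "billing:customer_db")],
    },
    "vendor": {"entry": {"vendor:sftp"}, "asset": set(), "flows": []},
    "corp": {
        "entry": {"corp:vpn"},
        "asset": set(),
        "flows": [("corp:vpn", "corp:jump_host")],
    },
}

# Flows that cross application boundaries: what linking the models adds.
INTERCONNECTS = [
    ("web:api", "billing:invoice_svc"),
    ("vendor:sftp", "billing:invoice_svc"),
    ("corp:jump_host", "billing:customer_db"),
]


def build_graph(models, interconnects=()):
    """Merge per-application models into one directed graph plus the union of
    their entry points and assets."""
    graph = defaultdict(set)
    entries, assets = set(), set()
    for model in models.values():
        entries |= model["entry"]
        assets |= model["asset"]
        for src, dst in model["flows"]:
            graph[src].add(dst)
    for src, dst in interconnects:
        graph[src].add(dst)
    return graph, entries, assets


def attack_paths(graph, entries, target):
    """Enumerate every simple path from an attack-surface entry point to target."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(tuple(path))
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:  # simple paths only: never revisit a node
                walk(nxt, path + [nxt])

    for entry in sorted(entries):
        walk(entry, [entry])
    return paths


def choke_points(paths):
    """Interior nodes shared by every path: a single control there cuts all of them."""
    interiors = [set(p[1:-1]) for p in paths]
    return set.intersection(*interiors) if interiors else set()


def control_set(paths):
    """Greedy approximation of the smallest set of interior nodes that, taken
    together, cut every path. Paths with no interior node (an entry point wired
    straight to the asset) cannot be cut by an intermediate control and are
    returned separately so they are not silently ignored."""
    direct = [p for p in paths if len(p) <= 2]
    uncovered = [set(p[1:-1]) for p in paths if len(p) > 2]
    chosen = []
    while uncovered:
        candidates = sorted(set.union(*uncovered))
        best = max(candidates, key=lambda n: sum(n in u for u in uncovered))
        chosen.append(best)
        uncovered = [u for u in uncovered if best not in u]
    return chosen, direct


if __name__ == "__main__":
    # The billing team's local view: its only caller is the web API.
    local = {k: THREAT_MODELS[k] for k in ("web", "billing")}
    g, e, _ = build_graph(local, [("web:api", "billing:invoice_svc")])
    print("local choke points:", choke_points(attack_paths(g, e, "billing:customer_db")))

    # The enterprise view: vendor SFTP and the corporate VPN reach the same asset.
    g, e, a = build_graph(THREAT_MODELS, INTERCONNECTS)
    paths = attack_paths(g, e, "billing:customer_db")
    for p in paths:
        print(" -> ".join(p))
    print("enterprise choke points:", choke_points(paths))
    print("control set:", control_set(paths))
```

In the local view the billing team would conclude that a control on `billing:invoice_svc` protects the customer database. Once the models are linked, the corporate jump host reaches the same asset without touching the invoice service, so no single choke point exists and the control set has to cover both nodes. That difference, visible only in the merged graph, is the data-driven output the section argues the CISO needs.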
More Benefits of Attack Surface Analysis
Rarely does a CISO get to start with a fresh IT environment. In the vast majority of cases, a CISO inherits an environment with a legacy of security controls already in place. Objectively determining whether those legacy controls, as implemented, are effective against the current attacker population is only possible through analysis of the comprehensive attack surface. With the data-driven view the attack surface provides, a CISO can make quantifiable, measurable decisions that reduce overall cyber risk, decisions that can be presented objectively to stakeholders, including the CFO and board members.
Cyber risk management is a vital task for today’s CISOs. Organizations increasingly depend on their cyber assets for operations and revenue generation and can ill afford harm to or loss of those assets. This makes the CISO’s task of implementing proactive cybersecurity solutions that produce measurable results all the more critical.
Measurable, proactive cybersecurity results are only possible when an organization understands its cyber ecosystem from the perspective of its attacker population. Providing that perspective and developing that understanding is the goal of an automated, mature threat modeling process that builds the organizational attack surface for the CISO and the other stakeholders.
Contact us today to learn how ThreatModeler™ can help you intelligently analyze your comprehensive attack surface.