Saket Modi, CEO at Safe Security, explains why he thinks the current way of doing cyber security in many organizations is broken as far too much of the risk analysis and associated decisions are based on estimates and guesswork, instead of using a knowledge-based approach.
Cyber security has become more dynamic, both in terms of the technology available to organizations and the wide range of threats that target them. In today’s world, it is no longer a question of whether a breach will happen, but when.
In the current cyber security landscape, there is a wide array of vulnerabilities across the spectrum, waiting to be exploited by threat actors. What’s more concerning is that illicit tools for exploiting those vulnerabilities are widely available on the dark web, whether it’s sophisticated ransomware toolkits, social media reconnaissance, or phishing kits. So, cyber criminals can maximize their impact with minimum effort.
In order to safeguard valuable business assets in such hostile digital environments, businesses need to start making informed decisions. A lot of the security decisions today are made around the question ‘What happens after a breach occurs?’. Businesses need to move away from such mindsets and develop proactive thinking. Security teams should move beyond reactive and assumptive actions, and rather focus on improving their security posture through data-driven intelligence.
Taking a knowledge-based approach to cyber security
The first step to making informed security decisions is to develop accurate knowledge of the current cyber capabilities and the potential risks involved with the existing business processes. Without a clear picture of the organization's current capabilities, security leaders will not be able to accurately project the potential risks and vulnerabilities of the existing security infrastructure.
Organizations must assess their current security tools, policies, processes, human-cyber capabilities, and any third parties involved. In addition, security leaders must assess any potential vulnerabilities or risks associated with current processes.
Cyber security is a very strategically driven sector - more like a game of chess, with businesses at one end and threat actors at the other. Whichever party has the most knowledge and predictive power has the advantage. In most scenarios, cybercriminals are one step ahead, which is why we are seeing an influx of successful breaches and sophisticated attacks. To take this advantage away from the threat actors, businesses need to achieve a holistic and contextual view of their cyber risk posture.
Taking a knowledge-based approach allows organizations to switch from detecting cyber threats to predicting them. With thorough assessment and data-driven intelligence, businesses can start predicting potential threats and take proactive action well before a threat arrives at the network gateway. Thus, security teams can potentially cut off attack paths even before cybercriminals craft them. By constantly measuring the projected threat level, security teams can start patching vulnerabilities in real time and always stay a step ahead of the threat actors.
A knowledge-based approach also creates a sustainable value for organizations. Blindly investing in security resources and solutions will evidently increase the financial burden for business leaders. Key decisions like security investments, strategy and policy implementation should be driven by profound data and intelligence. Informed decisions based on quantitative data will allow business leaders to invest in solutions and strategies that have long-term value.
However, transitioning from a reactive, detection-based security mindset to a data-intelligence-driven predictive model can be challenging. A feasible approach for businesses is to implement cyber risk quantification solutions: a knowledge-based model that provides quantified, consistent, real-time cyber risk metrics to identify the level of risk associated with the different elements of the security infrastructure.
Understanding cyber risk quantification
Cyber risk quantification platforms generate risk and breach-likelihood scores based on the assessment of the organization’s security posture, using data science-backed risk engines that can feed information-driven confidence to security teams. The model aggregates signals across an organization's workforce, human-cyber capabilities, policies and processes, technology, cybersecurity products, and associated third parties to generate a quantitative measure for the entire security infrastructure.
Security teams can use this quantitative measure, or risk score, to identify the weakest links and security gaps across the entire infrastructure in real time. The cyber risk quantification approach not only allows organizations to predict potential risks in advance, but also allows leaders to allocate resources efficiently across different areas of the business. Stakeholders are able to quantify the effectiveness of their current security measures, the products in use, and the return on investment.
Furthermore, the risk quantification approach can allow organizations to communicate cyber risk to all relevant stakeholders. There are often scenarios where departments beyond the IT and security teams do not truly understand the cost of a security breach. Cyber risk quantification can generate a measurable metric to represent the likelihood of a breach and its financial impact on the entire business, in turn taking the guesswork out of cybersecurity. So, every stakeholder across the organization becomes aware of the potential threat and risk associated with a security breach.
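To make the quantification described above concrete, here is an added, hypothetical risk model (not Safe Security's engine or any real product's algorithm): each asset carries control-coverage signals across people, process, technology and third-party domains, and the model turns those into an annual breach likelihood, an expected financial loss, a ranking of the weakest links, and a what-if figure for the loss avoided by improving one control. All weights, signal values, loss figures and attempt rates are constructed sample inputs.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    name: str
    signals: Dict[str, float]      # control coverage per domain, 0.0 (absent) to 1.0 (fully effective); constructed
    loss_if_breached: float        # estimated financial loss if breached, in USD; constructed
    base_attempt_rate: float       # annual probability of a successful attack with no controls; constructed


# Hypothetical weighting of the signal domains the article lists (sums to 1.0)
DOMAIN_WEIGHTS = {"people": 0.25, "process": 0.20, "technology": 0.40, "third_party": 0.15}


def control_strength(signals: Dict[str, float]) -> float:
    """Weighted control coverage; a domain with no signal counts as zero coverage."""
    return sum(DOMAIN_WEIGHTS[d] * signals.get(d, 0.0) for d in DOMAIN_WEIGHTS)


def breach_likelihood(asset: Asset) -> float:
    """Annual probability of a successful breach: base rate scaled by uncovered control gap."""
    return round(asset.base_attempt_rate * (1.0 - control_strength(asset.signals)), 4)


def annualized_loss(asset: Asset) -> float:
    """Expected yearly loss in USD: likelihood times loss magnitude."""
    return round(breach_likelihood(asset) * asset.loss_if_breached, 2)


def quantify(assets: List[Asset]) -> List[dict]:
    """Per-asset scorecard sorted by expected loss, highest first (the weakest links)."""
    rows = [{"asset": a.name, "likelihood": breach_likelihood(a), "expected_loss": annualized_loss(a)}
            for a in assets]
    return sorted(rows, key=lambda r: r["expected_loss"], reverse=True)


def portfolio_expected_loss(assets: List[Asset]) -> float:
    """Single business-level figure to communicate to non-security stakeholders."""
    return round(sum(annualized_loss(a) for a in assets), 2)


def expected_loss_reduction(asset: Asset, domain: str, new_score: float) -> float:
    """What-if: yearly loss avoided if one domain's control signal is raised to new_score."""
    improved = Asset(asset.name, {**asset.signals, domain: new_score}, asset.loss_if_breached, asset.base_attempt_rate)
    return round(annualized_loss(asset) - annualized_loss(improved), 2)


# Constructed sample portfolio
ASSETS = [
    Asset("customer-db", {"people": 0.8, "process": 0.7, "technology": 0.9, "third_party": 0.5}, 4_000_000, 0.6),
    Asset("vendor-portal", {"people": 0.4, "process": 0.3, "technology": 0.5, "third_party": 0.2}, 1_500_000, 0.8),
    Asset("marketing-site", {"people": 0.6, "process": 0.5, "technology": 0.7}, 200_000, 0.9),
]
```

Running `quantify(ASSETS)` ranks the vendor portal, not the customer database, as the weakest link: its lower loss magnitude is outweighed by a much higher breach likelihood, which is exactly the kind of prioritization a plain asset-value ranking would miss.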
New-age cybercriminals are becoming more aggressive and agile in their approach - whether by using advanced illicit technology, tailoring attacks with new, sophisticated methods, or automating attack paths in ways we have not seen before. Therefore, the only means of defending against this new age of threat actors is to change our security mindset and move beyond the traditional reactive approach. Cyber risk quantification allows organizations to make the transition to a proactive security mindset effectively, and to start identifying and addressing risks before they lead to a breach or disruption.
Saket Modi is CEO at Safe Security.