The Case For Risk-based Cybersecurity


When the United Arab Emirates businesses showed the world what swift COVID-response action looked like and took to the cloud in droves, they experienced an unsavoury side-effect.

Cybercriminals, intent on their own swift action, made prey out of cloud-bound innovators and pushed security further up the corporate agenda than it had ever been. Regional business leaders now regularly wince at headlines telling cautionary tales and wonder if their organisation is next.

Around the world, half of all quarterly board agendas now include the CISO, according to ESG. This is not surprising since the global average cost of a data breach, according to IBM, sat at $4.24 million in 2021, after the steepest year-on-year increase the tech company had seen in the 17 years it had been publishing its “Cost of a Data Breach” report.

From vulnerability-watching to risk-watching

But now, as boards, shareholders, and other leaders try to discern what can be done to keep them safe, security teams must ditch their traditional verbiage to paint a clearer picture of the threat landscape.

Counting vulnerabilities fails to capture a reportable narrative that will get the boardroom on a CISO’s side. Vulnerabilities are an undeniable source of risk, and they are rising. Qualys has seen the scale of vulnerability reporting rise from thousands in the 90s to tens of thousands in the 2000s to hundreds of thousands today – cumulative growth of more than 5,000 per cent. But what do those numbers mean to a business leader who wants to ensure uninterrupted operations and steady growth? Sky-high numbers can become less panic-inducing when viewed through a risk-assessment lens.

Qualys found that out of the 185,446 vulnerabilities known at the time of writing, only 29 per cent have exploits available and a mere 2 per cent have weaponised exploit code. And threat actors are actively leveraging less than two in every thousand vulnerabilities. And yet security analysts will become obsessed with the Common Vulnerability Scoring System (CVSS) and act without due regard for whether the vulnerability is one of the two in a thousand leveraged by threat actors or whether the flaw has material applicability to the environment in question. A high-severity vulnerability is not of concern if compensating controls are in place to mitigate any potential risk.

So rather than talking about attack vectors and vulnerabilities, CISOs and security decision-makers must now frame the drama in terms of business risk.

The ‘risk landscape’

Today’s IT ecosystems are a confusing kaleidoscope of on-premises, virtual, serverless, public, private, hybrid, IT, OT, and IoT, not to mention the Ops teams that run and manage their own fiefdoms and the multiple accounts and privileges they hold. The complexity extends to security solutions themselves. Gartner’s 2020 CISO Effectiveness Survey claimed the average enterprise runs more than 16 security tools. Meanwhile, the regional digital-skills gap presents a challenge in building the right team to secure the estate. None of this is good news for the CISO that craves concrete, actionable insights.

Different organisations will have different mixes and different compliance needs. What constitutes a high risk for one business may be a negligible trifle to another. The CISO’s task is to sift out the insignificant and protect the critical in a way that is compliant and does not impact business agility, all while measuring understandable metrics that allow them to prove their successes and learn from their missteps.

Risk-based security starts with three standard steps:

  1. Assess

Visibility comes first and achieving it in today’s IT environments may seem daunting. But once all assets have been catalogued, the attack surface will come into focus. Threat assessment is impossible without comprehensive visibility, but once each element can be seen, its vulnerabilities can be listed and quantified. This will allow organisations to prioritise threats more effectively.

  1. Reduce

Today’s disparate security tools often operate in silos. Security teams take their next important step toward risk management by consolidating them into a unified platform that offers automation capabilities for risk monitoring, detection, and remediation. Out of such platforms comes actionable intelligence that allows teams to reduce risk. Monitoring tools can be deployed across security, IT and compliance teams as required by the individual business.

  1. Report

The unified platform will offer a rich array of reporting options and automated dashboards. In a break with tradition, modern security reporting provides concise, risk-defined metrics that account for business-specific requirements as well as industry standards, peer benchmarks, best practices, and regulatory frameworks.

Risky business

The takeaway for security decision-makers is clear — the business looks at risk from the point of view of potential harm rather than the probability of occurrence. It is time that security professionals adjust their threat posture to match that of their pragmatic colleagues.

If you liked reading this, you might like our other stories
With Cybersecurity Strategies ‘In the Doldrums’, Automation Is Your Best Ally
What You Need To Know About Phishing Attacks