Around the world, according to ESG, half of all quarterly board agendas now include the CISO. This is not surprising, since the global average cost of a data breach, according to IBM, was USD 4.24 million in 2021, following the steepest year-on-year increase the company had seen in the 17 years it had been publishing its "Cost of a Data Breach" report.
But now, as boards, shareholders, and other leaders try to discern what can be done to keep them safe, security teams must ditch their traditional verbiage to paint a clearer picture of the threat landscape.
Counting vulnerabilities fails to capture a reportable narrative that will get the boardroom on a CISO's side. Vulnerabilities are indeed an undeniable source of risk, and they are on the rise. The scale of vulnerability reporting has risen from thousands in the 90s to tens of thousands in the 2000s to hundreds of thousands today – cumulative growth of more than 5,000%. But what do those numbers mean to a business leader who wants to ensure uninterrupted operations and steady growth? Sky-high numbers can become less panic-inducing when viewed through a risk-assessment lens.
Qualys found that out of the 185,446 vulnerabilities known at the time of writing, only 29% have exploits available, and a mere 2% have weaponised exploit code. Threat actors are actively leveraging fewer than two in every thousand vulnerabilities. Yet security analysts can become fixated on the Common Vulnerability Scoring System (CVSS) and act without due regard for whether a vulnerability is one of the two in a thousand leveraged by threat actors, or whether the flaw has any material applicability to the environment in question. A high-severity vulnerability is not of much concern if compensating controls are already in place to mitigate the risk.
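To make the contrast concrete, here is a small added example (not Qualys code, and not from the original article) that ranks a constructed set of findings two ways: by raw CVSS score, and by the risk-based criteria the paragraph describes, where exploit maturity (proof of concept, weaponised, actively exploited), applicability to the environment and compensating controls outweigh the base score. The tier weights, the 0.25 discount for a mitigated finding and the vulnerability records are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    name: str                    # constructed placeholder, not a real CVE id
    cvss: float                  # CVSS base score, 0-10
    exploit_available: bool      # public proof-of-concept exists
    weaponised: bool             # reliable exploit code packaged for use
    actively_exploited: bool     # observed in real attacks
    asset_exposed: bool          # the vulnerable component is present and reachable here
    compensating_control: bool   # e.g. segmentation or a filtering rule blocks the vector

def exploit_tier(v: Vuln) -> int:
    """Ordinal for the article's funnel: 3 = exploited in the wild, 2 = weaponised,
    1 = exploit available, 0 = no known exploit."""
    if v.actively_exploited:
        return 3
    if v.weaponised:
        return 2
    return 1 if v.exploit_available else 0

def risk_score(v: Vuln) -> float:
    """Assumed weighting: each exploit tier is worth more than the whole CVSS range,
    so CVSS only orders findings within a tier. Not applicable -> 0. Mitigated -> 25%."""
    if not v.asset_exposed:
        return 0.0
    score = exploit_tier(v) * 10 + v.cvss
    if v.compensating_control:
        score *= 0.25   # still tracked, but far down the list
    return round(score, 2)

def prioritise(vulns):
    """Risk-based order, highest risk first."""
    return sorted(vulns, key=risk_score, reverse=True)

def cvss_only(vulns):
    """The 'count by severity' order the article argues against."""
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)

# Constructed sample findings.
SAMPLE = [
    Vuln("A", 9.8, True,  True,  False, True,  True),    # critical, but already mitigated
    Vuln("B", 7.5, True,  True,  True,  True,  False),   # lower score, exploited in the wild
    Vuln("C", 9.1, False, False, False, True,  False),   # critical, no known exploit
    Vuln("D", 10.0, True, True,  True,  False, False),   # component not present here
]

if __name__ == "__main__":
    print("CVSS order:      ", [v.name for v in cvss_only(SAMPLE)])
    print("Risk-based order:", [(v.name, risk_score(v)) for v in prioritise(SAMPLE)])
```

On this sample the CVSS-only view puts D and A at the top, while the risk-based view puts the actively exploited B first and drops D to zero because the affected component is not in the estate.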
Rather than talking in terms of attack vectors and vulnerabilities, CISOs and security decision-makers must now frame the drama in terms of business risk.
The 'risk landscape'
Today's IT ecosystems are a confusing kaleidoscope of on-premises, virtual, serverless, public, private, hybrid, IT, OT, and IoT, not to mention the Ops teams that run and manage their own fiefdoms and the multiple accounts and privileges they hold.
The complexity extends to security solutions themselves. Gartner's 2020 CISO Effectiveness Survey found that the average enterprise runs more than 16 security tools. Meanwhile, the regional digital-skills gap makes it hard to build the right team to secure the estate. None of this is good news for the CISO who craves concrete, actionable insights.
Different organisations will have different mixes and different compliance needs. What constitutes a high risk for one business may be a negligible trifle to another. The CISO's task is to sift out the insignificant and protect the critical in a way that is compliant and does not impact business agility, all while measuring understandable metrics that allow them to prove their successes and learn from their missteps.
Risk-based security starts with three standard steps:
Visibility comes first, and achieving it in today's IT environments can seem daunting. But once all assets have been catalogued, the attack surface comes into focus. Threat assessment is impossible without comprehensive visibility; once each element can be seen, its vulnerabilities can be listed and quantified, which allows organisations to prioritise threats more effectively.
Today's disparate security tools often operate in silos. Security teams take their next important step towards risk management by consolidating them into a unified platform that offers automation capabilities for risk-monitoring, detection, and remediation. Out of such platforms comes actionable intelligence that allows teams to reduce risk. In addition, monitoring tools can be deployed across security, IT and compliance teams as required by the individual business.
The unified platform will offer a rich array of reporting options and automated dashboards. In a break with tradition, modern security reporting provides concise, risk-defined metrics that account for business-specific requirements and industry standards, peer benchmarks, best practices, and regulatory frameworks.
The takeaway for security decision-makers is clear: look at risk from the point of view of potential harm rather than the probability of occurrence. It is time for security professionals to adjust their threat posture to match that of their pragmatic colleagues.