[BreachExchange] Real Security is a Question of Business Value

Destry Winant destry at riskbasedsecurity.com
Sun Aug 19 23:54:27 EDT 2018


https://www.infosecurity-magazine.com/opinions/real-security-question/

If you’re a CISO, you’ve probably wrestled with placing a monetary
value on your exposure to cyber-attacks. For example, if your
organization was breached thanks to a phishing campaign, how much
would it lose in stolen records, device recovery, brand reputation, or
even ransom payments? Your board of directors wants to know,
especially before green-lighting extra cybersecurity spending.

The plethora of security breaches organizations experience also demands
that security officers push back on solution providers and demand
proof of value. When they do, CISOs would be wise to ask about overall
business value, not just technical value or a solution’s ROI.
Specifically, how does a solution help protect business value at risk?

We Need to Change Our Expectations
Too often, we limit the “realization of benefits” conversation to the
purchase point of a product. I get it. Talking to security vendors or
walking into a security conference main hall can feel a bit like
walking into the commerce building at your local state fair, where
products you didn’t even know you needed are bought and sold based on
features, functions and promises of results that far outweigh their
reality.

It’s not until you get your new email gateway or firewall home and
attempt to use it that you find out it doesn’t work exactly as
promised. Yes, we’ve all experienced it. For decades now, we have
bought security solutions and installed them, only to discover the
promises made (this product/solution is the silver bullet to end all
breaches) can’t be kept.

As a result, CISOs should be prompted to continually review the value
of purchases made and change their expectations of realized or ongoing
benefits. This further implies that security solutions should provide
more than their basic functions or features and address the
measurement of value they provide in terms of covering exposure to
risk.

Think in Terms of Value at Risk
In other words, they should show how they address value at risk (VaR).
Solutions that incorporate a VaR model empower a decision maker to
understand three important things more clearly: what threats the
product or solution is attempting to mitigate; how often those threats
appear on the organization’s landscape; and the current capability of
the organization to recognize, respond to, and mitigate the threats.

For example, a true anti-phishing solution will support all three
elements. It will help measure the frequency and type of phishing
attacks making it past perimeter defenses. It will strengthen your
user base’s ability to identify and report those active threats. And
it will help show the value of the data and resources employees have
access to or use, before they are negatively impacted by a
phishing-related breach.

Applying the VaR model of analysis to anti-phishing programs enables
security executives to visualize and measure relative risk of exposure
to active phishing threats; prioritize security program activities
based on objective risk analysis; and, focus critical resources and
time where it is needed most.

Specifically, a phishing-specific VaR model looks at three factors:

1. Known (real) phishing threats—map out the type and frequency of
phishing attacks your company currently faces:

- Model phishing simulations on active threat intelligence.
- Utilize both internal and external phishing intelligence as source material.
- Harden your users against known industry attacks.

2. Capability to resist attacks—know your ability to recognize and
report various attacks:

- Are email and security tools up to date and configured to stop known threats?
- Which phishing attacks and models are still making it past your
perimeter (e.g. Business Email Compromise scams)?
- Measure user resilience (ability to recognize and report known threat models).

3. Value of protected information and assets—understand the value of
anything exposed by a phishing-related breach and the costs of
recovery.

- Discover and document the type of data that is available on your network.
- Find out who has access to critical or regulated data.
- Estimate the costs of a potential breach by determining the value of
intellectual property, reputation damage, price per stolen record,
recovery costs (IR, IT hours, etc.).
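As an added illustration (not the article's own model, and not code from its author), the three factors above can be combined into a small quantitative model: campaign frequency (factor 1), the probability that a campaign gets past tooling and users (factor 2), and the loss per successful incident (factor 3). The way the factors are multiplied, the Poisson/Bernoulli sampling, and every number in the profile are assumptions constructed for the example; the point it shows is how a proposed control (here, better user reporting) translates into a measurable reduction in expected annual loss and in the 95th-percentile loss, which is the kind of evidence a vendor could be asked to produce.

```python
"""Phishing value-at-risk (VaR) sketch. Added example; all figures are constructed."""
import math
import random
from dataclasses import dataclass


@dataclass
class PhishingProfile:
    campaigns_per_year: float   # factor 1: campaigns observed reaching users per year
    gateway_block_rate: float   # factor 2: share stopped by email/security tooling
    user_report_rate: float     # factor 2: share of the rest that users recognise and report
    records_exposed: int        # factor 3: records reachable from a typical compromised account
    cost_per_record: float      # factor 3: estimated cost per stolen record
    fixed_recovery_cost: float  # factor 3: IR, IT hours and other per-incident costs


def success_probability(p: PhishingProfile) -> float:
    """Probability that one campaign ends in a breach (assumed independent layers)."""
    return (1.0 - p.gateway_block_rate) * (1.0 - p.user_report_rate)


def loss_per_incident(p: PhishingProfile) -> float:
    """Factor 3: value exposed plus recovery cost for a single successful phish."""
    return p.records_exposed * p.cost_per_record + p.fixed_recovery_cost


def expected_annual_loss(p: PhishingProfile) -> float:
    """Point estimate: frequency x success probability x loss per incident."""
    return p.campaigns_per_year * success_probability(p) * loss_per_incident(p)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small rates used here."""
    limit = math.exp(-lam)
    k, prod = 0, rng.random()
    while prod > limit:
        k += 1
        prod *= rng.random()
    return k


def simulate_annual_losses(p: PhishingProfile, years: int = 10000, seed: int = 1) -> list:
    """Monte Carlo: one total loss figure per simulated year."""
    rng = random.Random(seed)
    prob = success_probability(p)
    base_loss = loss_per_incident(p)
    losses = []
    for _ in range(years):
        campaigns = _poisson(rng, p.campaigns_per_year)
        total = 0.0
        for _ in range(campaigns):
            if rng.random() < prob:
                # incident severity varies; assumed uniform between 50% and 150% of the estimate
                total += base_loss * rng.uniform(0.5, 1.5)
        losses.append(total)
    return losses


def value_at_risk(losses: list, quantile: float = 0.95) -> float:
    """Loss not exceeded in `quantile` of simulated years (e.g. 95% VaR)."""
    ordered = sorted(losses)
    index = min(len(ordered) - 1, max(0, math.ceil(quantile * len(ordered)) - 1))
    return ordered[index]


def control_uplift(before: PhishingProfile, after: PhishingProfile) -> float:
    """Reduction in expected annual loss attributable to a control change."""
    return expected_annual_loss(before) - expected_annual_loss(after)


# Constructed baseline: 24 campaigns/year reach users, gateway stops 90%, users report 50%.
BASELINE = PhishingProfile(
    campaigns_per_year=24, gateway_block_rate=0.90, user_report_rate=0.50,
    records_exposed=10_000, cost_per_record=150.0, fixed_recovery_cost=50_000.0,
)
# Same organisation after a training programme lifts user reporting to 80% (assumed).
IMPROVED = PhishingProfile(**{**BASELINE.__dict__, "user_report_rate": 0.80})

if __name__ == "__main__":
    for name, prof in (("baseline", BASELINE), ("improved", IMPROVED)):
        sim = simulate_annual_losses(prof)
        print(f"{name}: EAL={expected_annual_loss(prof):,.0f} "
              f"sim mean={sum(sim)/len(sim):,.0f} VaR95={value_at_risk(sim):,.0f}")
    print(f"annual loss avoided by the control: {control_uplift(BASELINE, IMPROVED):,.0f}")
```

Replacing the constructed profile with an organisation's own measurements (campaign counts from mail logs, block rates from the gateway, report rates from simulations, record counts from data discovery) turns the same arithmetic into the "value at risk" figure the article asks vendors to speak to; the expected loss avoided is the number to set against a solution's price.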

Stop Guessing and Start Knowing Which Risks to Focus On
When they fail to apply this type of continual analysis, decision
makers are in the precarious position of guessing which risks to
address, unable to ensure reasonable and effective efforts are being
made to protect critical data and assets.

This is not a position that can realistically be maintained. It’s
becoming more incumbent upon security managers, directors and CISOs to
scrutinize purchases of security infrastructure, training, third party
services and consulting.

With the ever-growing strain on IT budgets and the need to maximize
the efficiency of existing security staff, understanding value at risk
is a critical business capability. It’s time to end the separation of
security decisions from derived business value. CISOs should insist
security vendors enable them to make the best decisions for their
specific environments and business needs, starting with the need to
protect bottom-line value.

