But cyber risk analysis isn’t keeping up. Here’s how to fix the problem.
by Kevin Gust
Cybersecurity is constantly changing. It is cliché to talk about the “ever-changing threat landscape” or to lament the existential struggle to identify and patch vulnerabilities in a timely manner. Both observations are widely accepted throughout our industry. Threat actors constantly change their tactics and techniques. Cyber criminal groups transform themselves, change allegiances, and take on new identities. Meanwhile, cyber defenders learn of new vulnerabilities every day and face a seemingly endless list of things to patch.
If we accept that cybersecurity is constantly changing, then why do we treat cyber risk differently? Cyber risk is dynamic, and as practitioners, we need to start treating it that way.
The reason we haven’t taken a dynamic approach to measuring cyber risk in the past is simply that we didn’t have a better option. We were doing the best we could with the information and tools available.
As cyber risk management has matured, we have moved from:
- fear, uncertainty, and doubt (FUD) to
- qualitative, compliance-focused checklists to
- ordinal scales to
- bona fide cyber risk quantification models – but still with some critical limitations
Even the most mature cyber risk management programs I have seen in the past few years rely on point-in-time risk assessments to produce periodic (usually quarterly) reporting. One of the main challenges practitioners face is how to measure meaningful changes over time with minimal data.
What’s Holding Cyber Risk Quantification Back?
The first problem: data availability. Metrics like phishing click rate are usually only available on a monthly basis (at best), other metrics are only available on a quarterly or annual basis, and changes in internal controls are hard to pinpoint unless there is a material change (e.g. the addition of a new control that did not exist previously).
The second problem: overreliance on human assumptions. Risk analyst intuition has been (and will continue to be) an important part of cyber risk assessment. But an assessment that relies solely on the skills and assumptions of a human – no matter how strong the analyst – will always be subject to bias and inconsistency. From my own experience, estimating changes in control efficacy without a trusted framework is basically a shot in the dark. Frameworks like FAIR-CAM for controls analytics and FAIR-MAM for cyber loss exposure analysis paired with AI-powered automation allow for a consistent, scalable approach to risk assessment that minimizes the chance for human error in the process.
From my years of experience using the FAIR methodology to help companies mature the way they manage cyber risk, I believe we at Safe Security are flipping the script. With recent advances in our product, we enable practitioners to dynamically track risk over time. Rather than annual/quarterly/monthly reporting, we enable weekly, even daily reporting on changes in risk.
Threat Center on the SAFE One Platform. You can identify risks to your organization from specific threat actors or groups, compare your organization’s security with active threat groups, and get helpful tips on preventing these threats.
Solving Dynamic Cyber Risk Management
Two of Safe’s solutions that enable dynamic cyber risk management are Threat Center and Integrations. Threat Center provides real-time Threat Event Frequency (TEF) data curated by Safe’s Threat Intelligence team using trusted industry sources and expert analysis.
Integrations with security tools provide asset and finding data used to assess the reliability of controls (TEF, Susceptibility, and Loss Magnitude) and changes over time as those findings are mitigated and new findings emerge.
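To make the arithmetic behind those two inputs concrete, here is an added worked example (illustrative code, not Safe Security's or the FAIR Institute's): a FAIR-style estimate that is recomputed from each weekly snapshot, so loss event frequency and annualized loss move as the threat feed's TEF changes and as findings from integrated tools are closed. The mapping from open critical findings to susceptibility, the triangular loss magnitude figures, the Poisson event model and the three weekly snapshots are all constructed assumptions.

```python
"""FAIR-style dynamic risk estimate recomputed from weekly snapshots.

Added example, not Safe Security's product code. The susceptibility mapping,
loss figures and snapshot values below are constructed assumptions.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class WeeklySnapshot:
    week: str
    tef_per_year: float           # threat event frequency from the threat feed
    open_critical_findings: int   # critical findings still open in integrated scanners
    total_critical_findings: int  # all critical findings seen for this asset group
    loss_min: float               # per-event loss magnitude, triangular (min, mode, max)
    loss_mode: float
    loss_max: float


def susceptibility(open_findings: int, total_findings: int, floor: float = 0.05) -> float:
    """Assumed mapping: share of critical findings still open, with a floor so a
    fully remediated estate never reports a zero probability of loss."""
    if total_findings == 0:
        return floor
    return max(floor, open_findings / total_findings)


def loss_event_frequency(snap: WeeklySnapshot) -> float:
    """FAIR: loss event frequency = TEF x susceptibility (vulnerability)."""
    return snap.tef_per_year * susceptibility(
        snap.open_critical_findings, snap.total_critical_findings
    )


def expected_annual_loss(snap: WeeklySnapshot) -> float:
    """Closed form: LEF x mean of the triangular loss distribution."""
    mean_loss = (snap.loss_min + snap.loss_mode + snap.loss_max) / 3
    return loss_event_frequency(snap) * mean_loss


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; the standard library has no poisson() draw."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_loss(snap: WeeklySnapshot, trials: int = 10_000, seed: int = 7) -> Tuple[float, float]:
    """Monte Carlo: Poisson count of loss events per year, each with a
    triangular loss magnitude. Returns (mean annual loss, 90th percentile)."""
    rng = random.Random(seed)
    lef = loss_event_frequency(snap)
    totals: List[float] = []
    for _ in range(trials):
        events = _poisson(rng, lef)
        totals.append(sum(
            rng.triangular(snap.loss_min, snap.loss_max, snap.loss_mode)
            for _ in range(events)
        ))
    totals.sort()
    return sum(totals) / trials, totals[int(0.9 * trials)]


def risk_trend(snapshots: List[WeeklySnapshot]) -> List[Dict[str, float]]:
    """Week-over-week view: LEF, expected annual loss and % change vs prior week."""
    rows: List[Dict[str, float]] = []
    previous = None
    for snap in snapshots:
        eal = expected_annual_loss(snap)
        delta_pct = 0.0 if previous is None else (eal - previous) / previous * 100
        rows.append({"week": snap.week, "lef": loss_event_frequency(snap),
                     "expected_annual_loss": eal, "delta_pct": delta_pct})
        previous = eal
    return rows


# Constructed snapshots: week 2 sees a TEF rise from the feed (new campaign
# against the sector); week 3 sees most critical findings remediated.
SNAPSHOTS = [
    WeeklySnapshot("2024-W01", 4.0, 6, 20, 50_000, 200_000, 1_200_000),
    WeeklySnapshot("2024-W02", 5.0, 6, 20, 50_000, 200_000, 1_200_000),
    WeeklySnapshot("2024-W03", 5.0, 2, 20, 50_000, 200_000, 1_200_000),
]

if __name__ == "__main__":
    for row in risk_trend(SNAPSHOTS):
        mean, p90 = simulate_annual_loss(next(s for s in SNAPSHOTS if s.week == row["week"]))
        print(f"{row['week']}: LEF={row['lef']:.2f}/yr  EAL=${row['expected_annual_loss']:,.0f} "
              f"({row['delta_pct']:+.1f}%)  MC mean=${mean:,.0f}  p90=${p90:,.0f}")
```

The trend rows are what a weekly report would carry: the TEF change alone lifts exposure by 25% in week 2, while closing four of six open critical findings in week 3 cuts it by two thirds, and both movements are traceable to data rather than to an analyst's re-estimate.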
A dynamic approach is not a panacea, but it is another step in the right direction to mature the cyber risk profession and increase its usefulness. After all, as British statistician George Box famously said, “all models are wrong, but some are useful.”
Integrations on the SAFE One platform
As a community, let’s change our approach to measuring and monitoring cyber risk. Today, we have capabilities we have never had before by automating extensions of the FAIR model like FAIR-CAM and FAIR-MAM. When implemented appropriately, we can further advance the cyber risk management profession from an infrequent, static view of risk (subject to mistake-prone practitioner assumptions), to a frequent, dynamic, and objective risk view based on real data through integration with threat feeds and key cybersecurity tools.
Cyber risk is dynamic; let’s treat it that way.
Safe Security brings the benefits of automation and integrations to a cyber risk quantification program, enabling you to scale at the level of the enterprise, and to monitor and manage risks in real-time. See for yourself. Contact us for a 1:1 demo!