I don’t know how many times I’ve heard cybersecurity professionals say something like “not having multi-factor authentication [MFA] represents a huge risk for our organization.”
The truth is that a statement like this describes a control weakness, but unless the undesirable outcome is a finding in an audit report that requires MFA, that is not the real risk. The real risk is, for example, the likelihood of a ransomware incident, or of a leak of personally identifiable information (PII) from a customer database.
For businesses, the risk lies in the potential losses associated with undesirable outcomes to their IT environments. The cybersecurity element typically focuses on incidents where these results were caused by an intelligent adversary.
A simple way to think about undesirable outcomes is to consider the ways in which CSOs might fail to achieve one or more of their control objectives – confidentiality, integrity, availability, or other objectives – and experience one of the aforementioned incidents, among others.
Once the risk is understood, it becomes easier to see that much of what we do in cybersecurity is to address control weaknesses that essentially act as placeholders for risk. We believe there is no real way to identify risks and assess their likelihood and therefore rely on best practices and control frameworks to fill the gaps.
Thus, while most CSOs perform their functions in the service of risk management, there is almost never evidence that correcting a given control weakness leads to a real reduction in the undesirable outcomes that produce loss events.
Cybersecurity risk lives in real time
I believe there’s a big reason why this is true: we don’t internalize that the risk we aim to manage “lives” in the real-time activities that take place in our IT environments. In other words, the risk exists in the millions, billions, trillions, quadrillions of transactions, messages, sessions and other structured elements.
Although we cannot definitively measure risk, because the primary risk is a prediction about future outcomes, we can at least make these risk predictions and then test their accuracy after the fact by measuring relevant activities. Then, we can use this data to inform our future risk predictions and follow-up decisions.
According to Cisco in its 2017 Cybersecurity Annual Report, spam accounted for nearly two-thirds (65%) of total email volume, and research suggests that global spam volume is increasing thanks to large and thriving spam-sending botnets. As the vendor’s threat researchers pointed out, around 8-10% of the global spam seen in 2016 could be classified as malicious.
Additionally, the percentage of spam emails containing malicious attachments is increasing, and adversaries seem to be experimenting with a wide range of file types to help their campaigns succeed.
Based on these figures, CSOs can estimate the probability component of the risk of receiving a malicious email at around 6%: roughly 65% of inbound mail is spam and 8-10% of that spam is malicious, which puts the share of all inbound messages that are malicious at about 5-6.5%.
Some of my astute colleagues may point out that risk must also include an element of magnitude, expressed in financial losses. While that is ultimately my goal as well, I don’t consider it a necessary condition as long as one can estimate the losses associated with receiving a malicious email message.
This lets CSOs work back not to a control weakness but to control strength, expressed as how many of these messages a solution actually stops before an incident occurs.
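As an added illustration (not code from the original article), the following script turns the reasoning above into the predict-then-measure loop the article argues for: it derives a prior malicious-email rate from the quoted spam figures, measures the actual rate and the gateway's block rate from a constructed mail-gateway log, and blends the two into an updated estimate. The log format, the 9% midpoint for "8-10%", the prior weight and the loss figures are all assumptions made for the example.

```python
import re

# Prior from the figures quoted in the article: ~65% of mail is spam,
# ~8-10% of spam is malicious. 0.65 * 0.09 ~= 0.0585, i.e. "around 6%".
SPAM_SHARE = 0.65                # quoted in the article (Cisco 2017 report)
MALICIOUS_SHARE_OF_SPAM = 0.09   # midpoint of the quoted 8-10% (assumption)


def predicted_malicious_rate(spam_share=SPAM_SHARE,
                             malicious_share=MALICIOUS_SHARE_OF_SPAM):
    """Prior: P(message is malicious) = P(spam) * P(malicious | spam)."""
    return spam_share * malicious_share


# Constructed sample of a mail-gateway log, one inbound message per line.
# verdict: clean | spam | malicious    action: delivered | blocked
SAMPLE_LOG = """\
2024-01-01T08:00:01Z id=001 verdict=clean action=delivered
2024-01-01T08:00:02Z id=002 verdict=spam action=blocked
2024-01-01T08:00:03Z id=003 verdict=clean action=delivered
2024-01-01T08:00:04Z id=004 verdict=spam action=blocked
2024-01-01T08:00:05Z id=005 verdict=malicious action=blocked
2024-01-01T08:00:06Z id=006 verdict=spam action=blocked
2024-01-01T08:00:07Z id=007 verdict=clean action=delivered
2024-01-01T08:00:08Z id=008 verdict=spam action=blocked
2024-01-01T08:00:09Z id=009 verdict=clean action=delivered
2024-01-01T08:00:10Z id=010 verdict=spam action=blocked
2024-01-01T08:00:11Z id=011 verdict=spam action=blocked
2024-01-01T08:00:12Z id=012 verdict=malicious action=delivered
2024-01-01T08:00:13Z id=013 verdict=clean action=delivered
2024-01-01T08:00:14Z id=014 verdict=spam action=blocked
2024-01-01T08:00:15Z id=015 verdict=spam action=blocked
2024-01-01T08:00:16Z id=016 verdict=clean action=delivered
2024-01-01T08:00:17Z id=017 verdict=spam action=blocked
2024-01-01T08:00:18Z id=018 verdict=spam action=blocked
2024-01-01T08:00:19Z id=019 verdict=clean action=delivered
2024-01-01T08:00:20Z id=020 verdict=spam action=blocked
"""

LOG_RE = re.compile(r"id=(?P<id>\d+) verdict=(?P<verdict>\w+) action=(?P<action>\w+)")


def parse_log(text):
    """Parse the (assumed) key=value gateway log into one dict per message."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def measure(records):
    """What actually happened: malicious rate, control strength, residual."""
    total = len(records)
    malicious = [r for r in records if r["verdict"] == "malicious"]
    blocked = [r for r in malicious if r["action"] == "blocked"]
    delivered = len(malicious) - len(blocked)
    return {
        "total": total,
        "malicious": len(malicious),
        # observed probability that an inbound message is malicious
        "observed_malicious_rate": len(malicious) / total,
        # control strength: fraction of malicious messages the gateway stopped
        "control_strength": len(blocked) / len(malicious) if malicious else None,
        # residual: malicious messages that reached a mailbox, per message
        "residual_rate": delivered / total,
    }


def update_estimate(prior_rate, prior_weight, observed_malicious, observed_total):
    """Blend the prior with the measurement. prior_weight is how many
    messages' worth of evidence the prior is treated as (assumption)."""
    return (prior_rate * prior_weight + observed_malicious) / (prior_weight + observed_total)


def expected_loss(residual_rate, annual_volume, loss_per_incident):
    """Magnitude side of the risk. Simplification: every delivered malicious
    message is treated as an incident with the assumed loss."""
    return residual_rate * annual_volume * loss_per_incident


if __name__ == "__main__":
    prior = predicted_malicious_rate()
    stats = measure(parse_log(SAMPLE_LOG))
    posterior = update_estimate(prior, 100, stats["malicious"], stats["total"])
    print(f"predicted malicious rate : {prior:.4f}")
    print(f"observed malicious rate  : {stats['observed_malicious_rate']:.4f}")
    print(f"control strength (blocked): {stats['control_strength']:.2f}")
    print(f"residual rate (delivered) : {stats['residual_rate']:.4f}")
    print(f"updated estimate          : {posterior:.4f}")
    # assumed volume and loss figures, purely for illustration
    print(f"expected annual loss      : {expected_loss(stats['residual_rate'], 1_000_000, 5_000):,.0f}")
```

Run against a real gateway export, the interesting numbers are the gap between the predicted and observed rates (is the prior any good for this environment?) and the residual rate, which is the part of the risk that the control did not remove and that downstream controls still have to absorb.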
With so much cybersecurity activity focused on people and processes, it’s easy to be distracted or tricked into thinking incorrectly. It is crucial to understand that amidst the massive amounts of activity that occur in our computing environments, real time is where the risk lies.