As the digital ecosystem continues to grow, so do cyber security threats. With more data and apps moving to the cloud—accessible by an increasingly savvy class of hackers—companies worldwide are wondering how to manage what seems like an insurmountable cyber threat. Some say a more laissez faire approach to security management might be the key.
If that sounds crazy, hear me out. If you’ve got 100 threats coming at your company, which one do you need to manage first? In many environments, every threat carries the same weight. While many may focus on reducing the total number of breaches, the answer to effective security management may lie more in managing high-impact breaches and letting less threatening ones run their course. But how do you measure the impact of a potential threat? And how do you limit the impact of those that make it past your security systems? That’s where a more quantifiable method of security management can help. Follow the tips below for bringing greater value—and less exhaustive oversight—to your cyber protection strategy.
Assigning a Value
Deloitte recently published a study called “The Value of Cyber Risk Quantification” that shows many of us are doing a fairly inept and inefficient job at cyber security, and worse, we don’t really know the impact it is having on our companies. Although McAfee estimates the cost of cyber-crime to the U.S. at $400 billion a year, Deloitte argues there is no clear basis for that figure. For instance, most companies have no solid way of measuring the cost of anticipating a breach, the direct consequences of the breach, the team’s response to it, or the damage caused to other people or companies who were affected. In addition, many threats go unnoticed. That makes itemizing the “value” of cyber threats in our current environment nebulous at best.
To help, companies need to develop their own method for rating the risk each threat presents, so they can triage which ones need attention and which can be accepted. Value at Risk (VAR) allows companies to quantify and express risk in terms of economic impact. Doing so helps you triage the risk, placing more effort into stopping the high-impact threats and consciously accepting the low-impact ones rather than spending on them by default.
Effective VAR depends on effective tracking. During emergency response, it may be difficult for IT teams to make damage-tracking a priority. They’re more interested in getting systems up and running and doing damage control. However, tracking is incredibly important to understanding the overall losses incurred by a cyber-attack, and to deciding whether to guard against it in the future. For instance, if tracking shows the IT team spent three full days fixing a breach that caused virtually no impact, the team may choose to accept that class of event in the future and spend the same effort on more impactful ones.
Create an Algorithm
We hear a lot about data algorithms today, especially when it comes to machine learning and artificial intelligence. A simple, explicit scoring algorithm is also the backbone of a usable VAR. For instance, one company may choose to calculate risk ratings based on the following: Impact x Likelihood = Risk Rating. Another might get more specific, factoring in a weighted score based on type of risk (strategic, reputational, compliance) or type of threat (unauthorized access, loss of data, disruption of productivity). Only you will know what is right for your company. One caveat: a rating built from ordinal 1-to-5 scales only orders your threats; it is not a dollar figure. To express the risk in economic terms, as VAR intends, each threat also needs an estimated loss per event and an expected number of events per year, and those estimates are exactly what the tracking described above feeds.
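As an added illustration, not code from Newman’s article or from Deloitte’s study, here is one way to turn the Impact x Likelihood formula and a weighted risk category into a triage list, and to put a currency figure beside it using the standard annualized loss expectancy (loss per event times expected events per year). It also applies the tracking lesson from the section above: a threat whose tracked response cost exceeds its expected annual loss goes to an “accept” list instead of the work queue. The category weights, the hourly rate and the four sample threats are constructed for this example, not figures from any report.

```python
from dataclasses import dataclass

# Hypothetical weights per risk type; tune these for your own company.
CATEGORY_WEIGHTS = {
    "strategic": 1.5,
    "reputational": 1.3,
    "compliance": 1.2,
    "operational": 1.0,
}


@dataclass
class Threat:
    name: str
    impact: int            # ordinal 1 (negligible) .. 5 (severe)
    likelihood: int        # ordinal 1 (rare) .. 5 (near certain)
    category: str          # key into CATEGORY_WEIGHTS
    loss_per_event: float  # estimated direct loss per occurrence, in dollars
    events_per_year: float # expected occurrences per year
    response_hours: float  # tracked staff hours spent per occurrence


def risk_rating(t: Threat) -> float:
    """Weighted Impact x Likelihood. Orders threats; it is not a dollar figure."""
    if not (1 <= t.impact <= 5 and 1 <= t.likelihood <= 5):
        raise ValueError(f"{t.name}: impact and likelihood must be 1..5")
    return t.impact * t.likelihood * CATEGORY_WEIGHTS[t.category]


def annual_loss_expectancy(t: Threat) -> float:
    """ALE = loss per event x events per year (the economic view VAR asks for)."""
    return t.loss_per_event * t.events_per_year


def annual_response_cost(t: Threat, hourly_rate: float) -> float:
    """What the team currently spends per year reacting to this threat."""
    return t.response_hours * hourly_rate * t.events_per_year


def triage(threats, hourly_rate: float):
    """Split threats into a prioritized work queue and an accepted list.

    A threat is accepted when the tracked cost of responding to it exceeds
    the loss it is expected to cause; the queue is ordered by expected loss,
    with the weighted rating as a tie-breaker.
    """
    prioritized, accepted = [], []
    for t in threats:
        if annual_response_cost(t, hourly_rate) > annual_loss_expectancy(t):
            accepted.append(t)
        else:
            prioritized.append(t)
    prioritized.sort(key=lambda t: (annual_loss_expectancy(t), risk_rating(t)),
                     reverse=True)
    return prioritized, accepted


# Constructed sample register; every number here is illustrative.
SAMPLE_THREATS = [
    Threat("Ransomware on file servers", 5, 2, "strategic", 500_000, 0.1, 80),
    Threat("Phishing credential theft", 3, 4, "compliance", 20_000, 2.0, 8),
    Threat("Port scans on public hosts", 1, 5, "operational", 200, 50.0, 24),
    Threat("Lost unencrypted laptop", 4, 2, "reputational", 80_000, 0.5, 4),
]

if __name__ == "__main__":
    queue, accepted = triage(SAMPLE_THREATS, hourly_rate=100.0)
    print("Work queue (highest expected loss first):")
    for t in queue:
        print(f"  {t.name:30} rating={risk_rating(t):5.1f} "
              f"ALE=${annual_loss_expectancy(t):,.0f}")
    print("Accepted (response costs more than the loss it prevents):")
    for t in accepted:
        print(f"  {t.name:30} ALE=${annual_loss_expectancy(t):,.0f} "
              f"response=${annual_response_cost(t, 100.0):,.0f}/yr")
```

Two things the output makes visible. First, the port-scan threat has the highest likelihood in the register and still lands on the accepted list, because three days of response per event against a $200 loss is the exact pattern the tracking section warns about. Second, the ordering of the queue comes from the dollar estimate, not the 1-to-5 rating; the rating only breaks ties. Before accepting a low-impact event, check whether it is a precursor to a high-impact one (scans that precede an intrusion, for example) and, if so, fold that into the larger threat’s likelihood rather than ignoring it outright.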
Benchmark Your Effectiveness
Lastly, it’s important for companies to start measuring the effectiveness of their cyber security programs to see how they’re doing in relation to other businesses in the country. This may involve benchmarking your company against the NIST Cybersecurity Framework or the Center for Internet Security Critical Security Controls. These give the likelihood side of your VAR calculations a defensible basis, and they set goals to improve your security effectiveness long-term.
Cisco’s 2017 Annual Cybersecurity Report showed IT teams are so overwhelmed with threats that they are only able to investigate 56 percent of the threats that come through each day. By using VAR and risk measurement, companies can make sure the risks they manage are the ones that really matter.
Additional Articles on This Topic:
Key Takeaways from Cisco’s Cybersecurity Annual Report
The Risks of Playing Fast and Loose with Security Compliance
Improving Security Protections with Predictive Analytics
Daniel Newman is the Principal Analyst of Futurum Research and the CEO of Broadsuite Media Group. Living his life at the intersection of people and technology, Daniel works with the world’s largest technology brands exploring Digital Transformation and how it is influencing the enterprise. From Big Data to IoT to Cloud Computing, Newman makes the connections between business, people and tech that are required for companies to benefit most from their technology projects, which leads to his ideas regularly being cited in CIO.Com, CIO Review and hundreds of other sites across the world. A 5x Best Selling Author including his most recent “Building Dragons: Digital Transformation in the Experience Economy,” Daniel is also a Forbes, Entrepreneur and Huffington Post Contributor. MBA and Graduate Adjunct Professor, Daniel Newman is a Chicago Native and his speaking takes him around the world each year as he shares his vision of the role technology will play in our future.