The Advantages of Measuring Your Security Risk – Tips from an Expert Panel

January 16, 2019  Jeff B. Copeland

If you’re about to order a new endpoint security system just because you think you should have the latest technology—stop, step back from the phone, and consider the advice given at a recent panel at the Dark Reading CyberSecurity virtual conference: measure your risk so you truly understand your needs.

Panel leader Kelly Jackson Higgins, Executive Editor of Dark Reading, asked some practical questions of cyber risk experts Jack Jones (RiskLens EVP R&D and chairman of the FAIR Institute), Jay Jacobs (Senior Data Scientist for BitSight Technologies) and Terry Barbounis (Global Architect Evangelist at CenturyLink).

Some excerpts…

Q: What is the advantage of measuring cybersecurity risk at a time when everybody is sort of accepting the fact that they’re going to get hacked and infiltrated anyway?

Jack Jones: Realistically and pragmatically, we may accept the fact that at some point we’re going to experience an event of some sort but… we have to continue to have situational awareness and help the organization make decisions to minimize the frequency or probability of those events and their impact.

But those are decisions--and when you talk about risk management, you’re making decisions and decisions are invariably based on comparisons which are invariably based on measurement.

And those measurements can be the wet finger in the air and saying, ‘it feels high to me’ or you can apply a reasonable amount of analytic rigor, data and such to make better decisions.

There isn’t really a practical alternative to making decisions, it’s just a matter of how well informed you’ll be.

Terry Barbounis: Taking a cybersecurity risk management approach saves your security teams, your C-suite and your board of directors if you’re a publicly traded company from having tunnel vision or being blindsided.

The other thing it does, which is critical… with the downward pressure that the board is putting on the C-suite, it allows you to translate cybersecurity into business terms.

Cybersecurity has for too long been seen as just the domain of IT. It should be considered as part of the broader risk management program of the enterprise. It is a fundamental risk to the enterprise.

Q: We hear about how hard it is to measure a return on investment for security... Talk about what the actual steps are for an organization for measuring its risk.

Jack Jones: There are a lot of misperceptions that measuring risk is hard or that information security or cybersecurity-related risk is a special snowflake and can’t be measured… The good news is that none of this is really true…

It really comes down to clarifying what it is you are actually measuring. For example, if we’re trying to understand the value of a particular security measure, we have to understand what the loss event scenarios are that are relevant to that security measure… What’s the expected frequency of those events and the nature of impact of those events for each of the scenarios that are relevant to that security control? And if we put that control in place, how much does it affect the frequency or magnitude of those events?

And that’s essentially a cost-benefit analysis… and that’s where you can begin to articulate in business terms the value proposition for security… Business people get that.

Terry Barbounis: The thing that seems to be challenging for organizations that say it’s difficult to measure risk is that, in a lot of cases, they’re using the wrong metrics.

When you look at some of the products or vendors selling risk numbers--your risk FICO score--they’re very narrow. They’ll give you a risk score on a vulnerability, for example, but that doesn’t give you a scope, to see what that vulnerability along with the 100 others collectively... So I think part of the challenge is… first making sure that organizations… understand what they’re looking at and where it’s relevant.

The other big issue is… you have to know where all your assets are, where your information resides, and which of the ones, if they are breached, will cause you the greatest damage… If you can’t at least identify that, it tends to be difficult to run through these models.

Jack Jones: Visibility is absolutely important… but a lot of people do think that because I have imperfect visibility, I can’t measure risk. And that’s just not true. Whatever part of your landscape you do have good visibility into, you should be trying to understand how much risk that represents.

Q: The term risk is kind of vague and vast… For example, if a company is looking at investing in… next generation endpoint security... how would you apply a risk model to that specific purchase decision?

Jack Jones: The first part of your comment is… a focus of mine, how people understand the word ‘risk’: [they say] cyber criminals are a ‘risk’, unpatched systems are ‘risks’.

All those things contribute to a risk landscape. They aren’t risks… As soon as we throw them into this amorphous bucket, we lose the opportunity to measure them in a meaningful and effective way…

If you take the scenario for an endpoint technology, risk is these events that have frequency and magnitude of impact. So if you have this endpoint technology you’re thinking about, what are the scenarios that are relevant, the loss events that are relevant to it, and what do we know about the threat landscape against that value or liability for the assets it protects?

But you have to start with clarity around what risk is... then you can begin to decompose the problem to things that can be measured.

Jay Jacobs: To get to the endpoint scenario, I would try to get at the ground truth here. Where is the actual data? In other words, if they think their current AV is failing, how much? How many events are they seeing, how much are these events costing them, what are the effects? Then start to try to actually measure this…

And then that also opens it up and says we’ve got pain points all over the place; is this the best place to spend money? Even though we’d see an improvement, we might see more improvement somewhere else.

Terry Barbounis: It [often] starts with an organization calling up its sales rep and saying ‘Hey, I need you guys to sell me endpoint security.’…

In most cases, you can distill their perceived need to something that isn’t necessarily a need for new endpoint security, but is a failure somewhere else. Or they haven’t properly assessed where their true risks are, and spending money on that piece of technology isn’t going to make them any more secure.

The second thing I see for companies, especially ones that have been breached, is that the first thing they do is buy more technology. But in this industry, you already have an unemployment rate for skilled security personnel that’s 0.0%. If you’re purchasing new technology in an organization that hasn’t quite grasped the concept of risk management, doesn’t have enough personnel to begin with, and you’re adding to that technology, you’re just complicating your situation further.

Hear the recording of the entire discussion at the Dark Reading conference site, including slides showing a FAIR analysis of DDoS attack data presented by Tom Bienkowski from Arbor Networks.