Gaining clarity in cyber-risk and investment
11 February 2019
You know how much you’ve been spending on cyber-security. But do you really know how effective your investment has been?
How well do you understand your current risk exposure? Do you believe your cyber-spending has improved this posture? As it turns out, few executives can answer these questions with any sense of certainty. Let’s see why.
When business priorities drive security spend
An old aphorism commonly attributed to the statistician George Box is, “All models are wrong – but some are useful.”
At CyberProof, we approach risk modelling top-down: the key question is, what are the primary threats to your business? Defining the magnitude of loss for each threat and concentrating on the top two to three attack scenarios is what keeps the model practical.
Focusing on the top two to three attack scenarios
Based on that information, we facilitate a business-oriented prioritisation of your investment in defence and response.
To ensure you spend optimally, we break down risk into distinct categories:
1) Pre-breach is what you do before an attack succeeds – ensuring you have the right technologies to protect yourself, manage vulnerabilities, and track a constantly morphing threat environment.
2) Post-breach is what you prepare ahead of time for the case where an attack does succeed – working out how to detect, respond, and recover faster, so as to lessen the impact on your business, operations and reputation.
How CyberProof reduces cyber-risk better and faster
The role of managed security services
Boards of major companies are generally aware that it’s impossible to guarantee there won’t be an attack – no matter how much an organisation invests. They are also well versed in assessing financial or regulatory risk. The problem is that cyber-risk is generally not well understood, and as a consequence it is rarely communicated to the board with the same accuracy.
The real question is whether we’re putting in enough time and focusing the right resources to make sure we reduce the risk of the most important attacks – and are prepared to detect, respond, and recover from an attack as quickly as possible. Meeting this challenge requires enhanced technical and procedural competencies that most organisations don’t have. And that’s where managed security services come in.
Increasingly, CEOs are finding value in services that augment the skills of their in-house staff with flexible, on-demand cyber-security expertise, working with the organisation to reduce the probability that a vulnerability in a critical system turns into a major event.
For the next generation of managed security providers, the major impact areas are:
1) the continuous ability to find and mitigate vulnerabilities in critical systems;
2) the ability to proactively predict threats, especially targeted attacks;
3) the ability to detect key attack tactics and methods in critical systems;
4) the ability to respond effectively – reducing the possibility of an attack turning into an event, or successfully managing a high-profile breach.
What if you pay for a cyber-risk outcome?
Executives complain that the old managed security service providers deliver little value and that the legacy MSSP industry is broken. In fact, the industry has for too long been focused on meeting regulatory requirements. To move into a new mode that provides optimum value, the business model must change.
Imagine this: what if you could present cyber-security to your board in terms of value at risk (VaR), on a continuous basis? What if you could quickly express what a new threat means for your business in VaR terms?
Pricing cyber-security services based on VaR, as proposed by CyberProof, changes the conversation with your board. It is a disruptive model for the industry, based on effectively maintaining agreed risk levels, so that you get optimal value from your security spend.
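As an added illustration of the top-down approach described earlier (a magnitude of loss for each of the top two to three attack scenarios) and of expressing the result as a VaR figure that can be re-run when a new threat or a new control appears, the following Python is example code written for this page; it is not CyberProof's model or tooling. It assumes a loss-model shape the article does not specify: each scenario has an annual event frequency modelled as a Poisson rate, and a loss per event modelled as lognormal, calibrated from a 10th/90th-percentile estimate. The scenario names and figures are constructed for the example and are not real numbers for any organisation.

```python
import math
import random
from dataclasses import dataclass, replace

# z-score of the 90th percentile of a standard normal; the 10th is -Z90.
Z90 = 1.2815515655446004


@dataclass(frozen=True)
class Scenario:
    """One top-down attack scenario, calibrated with three numbers an
    executive can argue about: how often it happens per year, and the
    plausible range (p10..p90) of loss per event in currency units."""
    name: str
    annual_frequency: float  # expected successful events per year (Poisson rate)
    loss_p10: float          # 10th percentile of loss per event
    loss_p90: float          # 90th percentile of loss per event


def lognormal_params(p10, p90):
    """Fit a lognormal loss-per-event distribution to a p10/p90 range
    (assumed model shape, not something the article prescribes)."""
    if not 0 < p10 < p90:
        raise ValueError("need 0 < p10 < p90")
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * Z90)
    return mu, sigma


def expected_annual_loss(s):
    """Closed-form expected loss per year: rate x mean of the lognormal."""
    mu, sigma = lognormal_params(s.loss_p10, s.loss_p90)
    return s.annual_frequency * math.exp(mu + sigma ** 2 / 2)


def poisson(rng, lam):
    """Draw an event count for one year (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, years=10000, seed=7):
    """Monte Carlo: total loss across all scenarios for each simulated year."""
    rng = random.Random(seed)
    fitted = [(s.annual_frequency, *lognormal_params(s.loss_p10, s.loss_p90))
              for s in scenarios]
    totals = []
    for _ in range(years):
        total = 0.0
        for rate, mu, sigma in fitted:
            for _ in range(poisson(rng, rate)):
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals


def value_at_risk(losses, confidence=0.95):
    """Annual loss that is not exceeded in `confidence` of simulated years."""
    ordered = sorted(losses)
    idx = max(0, math.ceil(confidence * len(ordered)) - 1)
    return ordered[idx]


def apply_control(s, frequency_factor=1.0, magnitude_factor=1.0):
    """Model a control: pre-breach measures scale how often the scenario
    succeeds; post-breach (detect/respond/recover) measures scale the loss
    once it has happened. Both factors are assumptions you must justify."""
    return replace(s,
                   annual_frequency=s.annual_frequency * frequency_factor,
                   loss_p10=s.loss_p10 * magnitude_factor,
                   loss_p90=s.loss_p90 * magnitude_factor)


def rank_scenarios(scenarios):
    """Which two or three scenarios deserve the attention: rank by expected loss."""
    return sorted(scenarios, key=expected_annual_loss, reverse=True)


# Constructed, illustrative scenarios (not real figures for any organisation).
SCENARIOS = [
    Scenario("Ransomware on production", 0.3, 200_000, 5_000_000),
    Scenario("Business email compromise", 2.0, 20_000, 300_000),
    Scenario("Customer data breach", 0.1, 500_000, 20_000_000),
]


def risk_report(scenarios, years=10000, seed=7):
    """The numbers a board can track over time: expected loss, VaR, priorities."""
    losses = simulate_annual_losses(scenarios, years, seed)
    return {
        "expected_annual_loss": sum(expected_annual_loss(s) for s in scenarios),
        "var_95": value_at_risk(losses, 0.95),
        "var_99": value_at_risk(losses, 0.99),
        "ranking": [s.name for s in rank_scenarios(scenarios)],
    }


if __name__ == "__main__":
    before = risk_report(SCENARIOS)
    # Hypothetical post-breach investment: faster ransomware recovery halves loss per event.
    improved = [apply_control(s, magnitude_factor=0.5) if s.name.startswith("Ransomware") else s
                for s in SCENARIOS]
    after = risk_report(improved)
    for label, r in (("current", before), ("after faster ransomware recovery", after)):
        print(f"{label}: EAL={r['expected_annual_loss']:,.0f} "
              f"VaR95={r['var_95']:,.0f} VaR99={r['var_99']:,.0f}")
    print("priority order:", before["ranking"])
```

Reading the output: VaR95 is the annual loss you would not expect to exceed in 19 years out of 20; re-running the report with a scenario's frequency or magnitude changed is how a new threat, or a proposed control, is expressed in the same VaR terms. The caveat is the aphorism quoted above: the figures are only as good as the frequency and loss-range estimates fed in, so record where each estimate came from and revisit it when the threat picture or the control set changes.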
To find out more visit www.cyberproof.com.
by Tony Velleca, CEO, CyberProof