teissTalk: Delivering measurable cyber risk reduction

On 27 April, teissTalk host Thom Langford was joined by Laurie Gibbett, Cyber Risk Quantification Manager, KPMG; Lucian Corlan, Senior Director Application Security, Sage; and Jason Hart, Chief Technology Officer, Rapid7.

 

Views on news

 

New cyber security measures are intended to increase the UK’s cyber resilience and protect the UK government’s essential IT functions from ever-growing threats. Under the new rules, all central government departments will have their cyber health reviewed annually against new, more robust criteria. As the NCSC is involved in the programme, it will be interesting to see how the programme’s success is measured and what happens to departments that cannot meet the NCSC’s Cyber Assessment Framework (CAF). Measuring effectiveness is key to the success of any framework, and a standardised way of assessing vendors is crucial to implementation too.

 

There is much more companies can do in terms of software and supply chain security, and it is good to see cybersecurity becoming a priority for the government. In terms of software security, the CIF has technical training requirements for developers and secure coding standards. The NIS 2 Directive’s tighter incident reporting timeframes and its provisions holding senior managers personally accountable have the potential to make a difference, but they will only produce good outcomes alongside new operating models for organisations.


External threat intelligence and measuring your controls’ success


Qualitative and quantitative risk assessments are different things, and they are most valuable when used in tandem. There are three stages to cyber risk assessment: understand what the organisation’s cyber exposure is; choose the most effective defence mechanisms to reduce those risks; and establish how you will measure the effectiveness of those security investments.

 

Cybersecurity 101 is identifying the risk types relevant to the organisation via threat modelling or the FAIR (Factor Analysis of Information Risk) methodology, then estimating the attacker contact frequency and how effective the security controls are against that particular type of cyber-attack. Sources that can inform these estimates include the SOC’s historical event data and external sources such as the Cyentia Institute’s IRIS report, Ponemon Institute surveys or the Verizon Data Breach Investigations Report.

 

You don’t need to strive for precision: a calibrated range that you are 90% confident contains the true value is enough. The next step is a Monte Carlo simulation over the ranges you have specified, which turns those estimates into a distribution of annual loss. The risk of software products is measured in a similar manner, in the context of how strategic they are, the confidentiality of the data they handle and the number of data subjects that could be affected by a potential breach.
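As an added illustration of the calibrated-range plus Monte Carlo approach described above (example code written for this page, not anything the panel or the article supplied), the following Python converts 90% ranges into lognormal distributions, samples a FAIR-style chain of contact frequency, probability of action, vulnerability and loss magnitude, and compares expected annual loss with and without a control. The scenario figures (phishing against a finance application, with MFA cutting the attempt success rate from 30% to 5%) and all function names are constructed assumptions.

```python
import math
import random
import statistics

# z-score bounding the central 90% of a normal distribution (5th..95th percentile)
Z_90 = 1.6448536269514722


def lognormal_params(low, high, z=Z_90):
    """Convert a calibrated 90% interval (5th and 95th percentiles) for a
    positive quantity into the mu/sigma of a lognormal whose tails match it."""
    if not 0 < low < high:
        raise ValueError("need 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * z)
    return mu, sigma


def interval_from_params(mu, sigma, z=Z_90):
    """Inverse of lognormal_params: recover the (5th, 95th) percentiles."""
    return math.exp(mu - z * sigma), math.exp(mu + z * sigma)


def poisson(rng, lam):
    """Draw an event count for mean rate lam (Knuth's method; a normal
    approximation above 100 avoids exp(-lam) underflow)."""
    if lam <= 0:
        return 0
    if lam > 100:
        return max(0, round(rng.gauss(lam, math.sqrt(lam))))
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_loss(scenario, years=10_000, seed=7):
    """FAIR-style Monte Carlo. Returns one simulated loss total per year.

    scenario keys (intervals are calibrated 90% ranges):
      contact_frequency     (low, high) attacker contacts per year
      probability_of_action (low, high) share of contacts that become attempts
      loss_magnitude        (low, high) loss per successful event, currency units
      vulnerability         probability that an attempt defeats the controls
    """
    rng = random.Random(seed)
    cf = lognormal_params(*scenario["contact_frequency"])
    lm = lognormal_params(*scenario["loss_magnitude"])
    poa_low, poa_high = scenario["probability_of_action"]
    vuln = scenario["vulnerability"]
    losses = []
    for _ in range(years):
        contacts = rng.lognormvariate(*cf)
        attempts = poisson(rng, contacts * rng.uniform(poa_low, poa_high))
        # an attempt only becomes a loss event if it gets past the controls
        events = sum(1 for _ in range(attempts) if rng.random() < vuln)
        losses.append(sum(rng.lognormvariate(*lm) for _ in range(events)))
    return losses


def summarize(losses):
    """Expected annual loss plus the percentiles a risk register usually quotes."""
    s = sorted(losses)
    pct = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {
        "expected_annual_loss": statistics.mean(s),
        "p50": pct(0.50),
        "p95": pct(0.95),  # a "1-in-20 year" loss
        "p_any_loss": sum(1 for x in s if x > 0) / len(s),
    }


def risk_reduction(before, after, **kwargs):
    """Run the same scenario with and without a control and report the
    reduction in expected annual loss, the figure an investment is judged on."""
    b = summarize(simulate_annual_loss(before, **kwargs))
    a = summarize(simulate_annual_loss(after, **kwargs))
    return {"before": b, "after": a,
            "eal_reduction": b["expected_annual_loss"] - a["expected_annual_loss"]}


# Constructed example inputs (hypothetical, not from the article):
# credential phishing against a finance application.
BASELINE = {
    "contact_frequency": (5, 50),          # phishing campaigns reaching staff per year
    "probability_of_action": (0.2, 0.5),
    "loss_magnitude": (20_000, 500_000),
    "vulnerability": 0.30,                 # password-only login
}
WITH_MFA = dict(BASELINE, vulnerability=0.05)  # phishing-resistant MFA deployed

if __name__ == "__main__":
    result = risk_reduction(BASELINE, WITH_MFA)
    for label in ("before", "after"):
        print(label, {k: round(v, 2) for k, v in result[label].items()})
    print("expected annual loss reduction:", round(result["eal_reduction"]))
```

Both runs use the same seed so that the difference mostly reflects the control rather than sampling noise. The single `vulnerability` value is the simplification to watch: FAIR treats it as a range too, and it is exactly the "technical effectiveness" metric that has to be re-measured once the control is live, otherwise the model only reports what you assumed.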

 

A less scientific way is to collect a wide range of security controls and map them against NIST, CAF or ISO to see whether the controls are actually in place and what risk their absence poses. It is also key to deal with the different types of risk (confidentiality, integrity and availability) separately; integrity risk, for example, can have more serious consequences than confidentiality risk. As for where to start, find the business function whose breach would cause the most pain, build your security tooling around it and track the tooling’s effectiveness for that function on an ongoing basis.

 

Meanwhile, threat intelligence platforms can act as an early warning system for what to protect against. Beyond 1-5 cyber maturity scores, however, process maturity and technical effectiveness are also key metrics, as is the percentage of the estate covered by a given control.


The panel’s advice


Compliance is minimum security. 


Cybersecurity should work as financial controls – all security controls have to be implemented at all levels of the organisation from the board down. 


Organisations “spray” security everywhere, ignoring how risk is relative to different parts of the organisation. 
There is no point in looking at one risk in isolation, and the MITRE ATT&CK framework is very useful for tackling risk complexity.


Build your own risk library and keep it updated. 


Reassess what your key assets are as the business is changing. 


Leverage automation to help you with measuring. 
 

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543