
teissTalk host Geoff White was joined by Benjamin Corll, VP, Cybersecurity, Coats; Nick Harris, Director of InfoSec and Cyber Resilience, Oxford Nanopore Technologies; Ash Hunt, Group Head of Information Security, Sanne.
Views on news
Cybersecurity company Illumio found that leaders who employ zero trust architecture thwart five major cyberattacks per year, saving their organizations an average of $20 million annually.
Nearly all (90%) of those surveyed say that advancing zero trust strategies is one of their top three security priorities this year. Zero trust segmentation has also become necessary within the security architecture. Users who are well-versed in segmentation are almost twice as likely to prevent compromises from spreading to other systems (81% to 45%) versus users who do not practice segmentation.
Although almost half of those surveyed believe that their organisation is unlikely to be breached in the next 12 months, no one should adopt that mindset; instead, organisations should prepare for the most probable scenarios. The three actions laid out by Illumio that businesses should consider when implementing zero trust segmentation are visibility, containment and protection.
Identifying the right metrics to assess risk management performance
There is a very important measuring aspect to the risk-based approach as opposed to doing a tick-the-box exercise.
How you present risks should depend on who they are presented to - for staff, you can use gamification, while for the Board, and especially IT, it can get more technical. Finding the right scale of measurement, however, is always key, whether it is a technology risk methodology tailored to the organisation, a threat landscape, hits over misses, running estimates, primary and secondary losses, or the Monte Carlo method, which simulates a risk scenario a thousand times over with a quick model using random sampling.
Although running risk models sounds like a laborious and costly task, once the model is ready it takes only seconds to run a scenario, and it provides a continuous feedback loop that can help you make better decisions. In some environments management is less aware of and less knowledgeable about risks, and is therefore less keen on risk modelling. There, communications about risk need to be simplified. What can win management over to risk modelling is the fact that risk always manifests itself in financial loss.
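The Monte Carlo approach described above, as an added example that is not part of the teissTalk summary or any panellist's own model: a small Python simulation that draws an annual event frequency and per-event primary and secondary losses from assumed distributions, runs the scenario a thousand times, and summarises the resulting annual loss. The scenario parameters (a constructed ransomware case) and the distribution choices (triangular for frequency, lognormal for loss magnitude) are assumptions for illustration, not figures from the discussion.

```python
"""Monte Carlo simulation of annual cyber-risk loss (added example).

The scenario values and distribution shapes below are assumptions made for
this illustration; they are not the panel's stated method or data.
"""
import math
import random
from statistics import mean

# Constructed scenario: a hypothetical ransomware risk, expressed as
# min / most-likely / max annual frequency plus loss-magnitude estimates.
RANSOMWARE_SCENARIO = {
    "freq_min": 0.1,            # fewest events per year we consider plausible
    "freq_mode": 0.5,           # most likely events per year
    "freq_max": 2.0,            # worst plausible events per year
    "primary_median": 250_000,  # median primary loss per event (response, downtime)
    "primary_sigma": 1.0,       # spread of the lognormal primary loss
    "secondary_prob": 0.3,      # chance an event also causes secondary loss
    "secondary_median": 500_000,  # median secondary loss (fines, churn, litigation)
    "secondary_sigma": 1.2,
}


def poisson(rng, lam):
    """Sample the number of events in one year from Poisson(lam) (Knuth's method)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario, years=1000, seed=42):
    """Run the scenario `years` times and return one total loss per simulated year."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    losses = []
    for _ in range(years):
        # Annual event rate drawn from the analyst's (min, most likely, max) estimate.
        rate = rng.triangular(low=scenario["freq_min"],
                              high=scenario["freq_max"],
                              mode=scenario["freq_mode"])
        total = 0.0
        for _ in range(poisson(rng, rate)):
            # Primary loss: always incurred when the event happens.
            total += rng.lognormvariate(math.log(scenario["primary_median"]),
                                        scenario["primary_sigma"])
            # Secondary loss: only materialises in a fraction of events.
            if rng.random() < scenario["secondary_prob"]:
                total += rng.lognormvariate(math.log(scenario["secondary_median"]),
                                            scenario["secondary_sigma"])
        losses.append(total)
    return losses


def summarise(losses):
    """Mean and selected percentiles of the simulated annual loss."""
    ordered = sorted(losses)

    def pct(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"mean": mean(ordered), "p50": pct(0.5), "p90": pct(0.9),
            "p95": pct(0.95), "max": ordered[-1]}


def exceedance_probability(losses, threshold):
    """Fraction of simulated years in which loss exceeds the given tolerance."""
    return sum(1 for x in losses if x > threshold) / len(losses)


if __name__ == "__main__":
    annual = simulate_annual_losses(RANSOMWARE_SCENARIO)
    for key, value in summarise(annual).items():
        print(f"{key:>5}: {value:,.0f}")
    print("P(loss > 1M):", exceedance_probability(annual, 1_000_000))
```

Re-running the block with a different seed or adjusted estimates takes well under a second, which is the feedback loop the passage refers to: the exceedance probability against a loss tolerance is the figure that translates directly into the financial terms management responds to.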
You can measure any aspect of security performance by finding the data fields relevant to what you want to measure and then pulling that data into a platform on a continuous basis. For example, to measure the effectiveness of change request approvals, compare the number of changes that did not have approval against the number that did.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543