There’s no way to sugar-coat it: Cybersecurity has a data problem. More precisely, cybersecurity as an industry is abysmal when it comes to quantifying cyber risk.
While there are increased calls for cybersecurity expertise in the boardroom, and even proposed changes from the Securities and Exchange Commission (SEC) to have companies disclose cyber expertise of board members, we simply aren’t speaking the same, data-driven language as many of our peers when it comes to threats facing our business. That’s a problem we need to fix.
Cybersecurity Risk Quantification
Cybersecurity risks can be communicated qualitatively or quantitatively. Historically, as an industry, we overwhelmingly do the former.
As a result, explaining the scale of threats is subjective, open to interpretation, and fails to provide business leaders with data to drive organizational decision-making about our cybersecurity risks. That’s occurring against the backdrop of calls we all hear for security pros to “speak the language of the business.” In this context, that means articulating cyber risks and threats, supported by numbers.
This issue isn’t new; experts including Douglas Hubbard and Richard Seiersen address it in their widely cited book “How to Measure Anything in Cybersecurity Risk” (rumor has it, a new edition is coming as well).
They aren’t the only individuals or organizations who have evangelized quantifying cybersecurity risks. Risk Management Executive Jack Jones and the FAIR Institute have also been advocating a similar position. As an organization, FAIR, which stands for Factor Analysis of Information Risk, boasts more than 13,000 members and is used by over 45% of Fortune 1000 organizations.
From a technology perspective, there are also platforms such as Balbix and RiskLens that strive to automate quantification of cyber risk to empower organizations to address those risks and improve board reporting.
The Enterprise IT Environment
So, despite the push from thought leaders, industry organizations, and vendors, why do cyber risk practitioners still speak in squishy, subjective terms that are devoid of numbers? The truth is that cyber risk quantification relies on structured methodologies and mathematical models, and those models are only as good as the data fed into them. When performing cyber risk quantification, you’re looking at things such as organizational assets, vulnerabilities, threats, and likelihood of exploitation.
Unfortunately, the enterprise IT environment — which is central to overall risk posture — isn’t quite so cut and dried, and therein lies a major problem. Organizations are generally subpar at maintaining hardware and software asset inventory — despite the fact that asset inventory has been a SANS/CIS Critical Security Control for years.
As a result, organizations simply don’t have confidence in their overall asset inventory. Even if they do, it is generally misplaced because years of security incidents have shown that shadow IT is rampant. We all know how hard it is to protect, or even quantify the risk to, assets that we aren’t aware of.
Other challenges exist too. The Common Vulnerability Scoring System (CVSS), which is widely used for vulnerability prioritization and risk assessment, is often misused. At least, that is the argument made by Carnegie Mellon University’s Software Engineering Institute (SEI) in its paper titled “Towards Improving CVSS” or Drew University’s paper titled “CVSS: Ubiquitous and Broken”. Combine misused scoring with internal blind spots and you start to gain an understanding of where today’s approaches are falling short.
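To make concrete what “supported by numbers” looks like in practice, here is an added example, not from the article or from the FAIR Institute’s or Hubbard and Seiersen’s own materials, of a minimal Monte Carlo exposure model in the style those authors advocate. Instead of a “high/medium/low” label, the analyst supplies calibrated 90% confidence intervals for how often a loss event occurs and how much each event costs (the frequency, threat, and asset-value inputs discussed above), and the model returns a distribution of annual loss with an expected value, a tail figure, and the probability of exceeding a loss tolerance. The scenario numbers, the function names, and the loss tolerance are all constructed for illustration; the example also shows why the approach is only as credible as its inputs, since an unknown asset simply never enters the model.

```python
"""Monte Carlo cyber risk quantification in the Hubbard/Seiersen and FAIR style.

Added example (not from the original article). Inputs are calibrated 90%
confidence intervals on loss event frequency (events per year) and loss
magnitude (currency units per event); the output is a distribution of
annualized loss. Every number in the scenario below is constructed.
"""
import math
import random
import statistics

# 90% of a normal distribution lies within +/- 1.645 standard deviations.
Z_90 = 1.645


def lognormal_from_90ci(rng, low, high):
    """Draw one sample from the lognormal whose 5th/95th percentiles are low/high.

    This turns a calibrated estimate such as "between 1 and 10 events a year"
    into a distribution rather than a single point value.
    """
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_90)
    return rng.lognormvariate(mu, sigma)


def poisson(rng, lam):
    """Knuth's Poisson sampler: number of loss events given an expected rate lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def check_calibration(low, high, samples=10_000, seed=3):
    """Fraction of draws that land inside [low, high]; should be close to 0.90."""
    rng = random.Random(seed)
    inside = sum(1 for _ in range(samples) if low <= lognormal_from_90ci(rng, low, high) <= high)
    return inside / samples


def simulate_annual_loss(scenario, trials=10_000, seed=1):
    """Return one simulated annual loss total per trial for a single risk scenario."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    losses = []
    for _ in range(trials):
        rate = lognormal_from_90ci(rng, *scenario["events_per_year_90ci"])
        events = poisson(rng, rate)
        year_total = sum(
            lognormal_from_90ci(rng, *scenario["loss_per_event_90ci"])
            for _ in range(events)
        )
        losses.append(year_total)
    return losses


def percentile(values, q):
    """Nearest-rank percentile (q in 0..100) of an unsorted list."""
    ordered = sorted(values)
    idx = max(0, math.ceil(q / 100 * len(ordered)) - 1)
    return ordered[idx]


def summarize(losses, tolerance):
    """Board-ready figures: expected loss, tail loss, and chance of exceeding tolerance."""
    return {
        "expected_annual_loss": statistics.mean(losses),
        "median_annual_loss": percentile(losses, 50),
        "p90_annual_loss": percentile(losses, 90),
        "p_exceeds_tolerance": sum(1 for x in losses if x > tolerance) / len(losses),
    }


# Constructed scenario: ransomware on a business-critical file server.
RANSOMWARE_SCENARIO = {
    "events_per_year_90ci": (0.1, 2.0),          # one event per decade .. two per year
    "loss_per_event_90ci": (50_000, 2_000_000),  # currency units per event
}

if __name__ == "__main__":
    results = simulate_annual_loss(RANSOMWARE_SCENARIO)
    for name, value in summarize(results, tolerance=500_000).items():
        print(f"{name}: {value:,.2f}")
```

The two confidence intervals are the only subjective inputs, and each can be challenged, calibrated, and revised as incident data accumulates, which is what makes the output a conversation about numbers rather than about adjectives. The model only covers assets and threat scenarios someone has enumerated, so the asset-inventory gap described above shows up directly as scenarios that are missing from the sum.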
Future Coverage of Cybersecurity Risks
In additional upcoming analysis on the Acceleration Economy Cybersecurity channel, I will dive deeper into current cyber risk qualitative and quantitative assessments, technical and platform solutions, and potential gaps in the way vulnerabilities are scored and prioritized.
All of these issues contribute to the challenges for cybersecurity when it comes to speaking the language of the business, providing actionable risk insights, and communicating with executive leaders and board members, despite the urgency to have cybersecurity leadership represented “at the table.”