Over the last few years, there has been increasing interest by CISOs and business leaders in cybersecurity risk quantification. Many of the CISOs we are working with are keen to connect security risk to the language of business. In this article, Graeme Payne reviews how cyber risk quantification and decisioning can be used to communicate cyber risk more clearly and accurately to the business, including:
Pitfalls of the traditional approach to communicating cyber risk
The shift to cyber risk quantification and decisioning
Where to start your cyber risk quantification journey
Why now is the time to start
Cybersecurity risk is now ranked by Global CEOs as the top threat to growth. The increasing digitization of business, expansion of digitized data, and high reliance on technology have created many opportunities for threat actors to attack companies’ systems and data.
While senior business leaders and Boards of Directors intuitively understand that cybersecurity is a key risk, they are challenged to evaluate it in relation to other risks such as credit, liquidity, and market risk. At the same time, security leaders want to be able to communicate risk in business terms.
Pitfalls of the traditional approach to communicating cyber risk
The traditional approach to communicating cyber risk has been to use ordinal scales for determining the likelihood and impact of a risk, for example, 1 (low) to 5 (high). Risks are then plotted on a risk grid so that management can visualize the relative severity of the risks facing the organization.
In their book How to Measure Anything in Cybersecurity Risk, authors Douglas Hubbard and Richard Seiersen point out many of the pitfalls of using these techniques. Pitfalls of the traditional approach to communicating cyber risk include:
Heavy reliance on the subjective judgment of the risk assessor to determine likelihood and impact.
A greater tendency to inflate risk due to the uncertainty of measurements
A perception that risk measurements are based on a scientific approach that provides a “placebo effect”
A lack of evidence that traditional risk scoring and risk matrices improve cybersecurity decision making
A belief that some elements cannot be measured, or that the available data points are too few to be representative
Instead, they argue for a more quantitative approach to measuring cybersecurity risk.
The shift to cyber risk quantification
There are multiple approaches and tools available to help CISOs in quantifying cybersecurity risk. Kudelski Security has teamed up with X-Analytics, a leading provider of cybersecurity risk decisioning services. X-Analytics is a patented and validated cyber risk decisioning platform that is changing how executives, boards, and the risk management industry understand and manage cyber risk.
X-Analytics leverages a combination of firmographic data about the organization and historical cybersecurity incident data to deliver financial metrics that enable better cyber risk decisions. Key factors addressed in the model include:
The model also allows for “what if” simulations to model potential investment returns in evolving the security program.
When to use a cyber risk decisioning platform
The adoption of cybersecurity risk quantification is a journey. In working with our clients, we have identified several use cases for when to use a cyber risk decisioning platform.
Evaluating cyber insurance and self-insurance
The relatively immature nature of the cybersecurity insurance market has resulted in the insurance industry experiencing high losses. Consequently, insurance premiums, underwriting standards, and contract exclusions have all increased. In some cases, organizations are deciding to self-insure their cyber risk.
Using X-Analytics, we have been able to help our clients through this decision process and optimize the insurance spending and capital allocation needed to address the overall cyber risk.
Justifying and prioritizing cybersecurity investments
By measuring the amount and range of potential financial impacts resulting from cybersecurity risk, the senior management, Board, and CISO can now engage in a discussion about cyber risk appetite and risk tolerance expressed in financial terms.
Now investments to reduce financial exposure can be considered alongside other investments that generate revenue or reduce risk. Armed with quantified financial dashboards and metrics, the key stakeholders are all using the language of business to discuss cyber risk and return on investment.
X-Analytics provides “what if” analysis features that allow a range of investment options to be considered and measured.
Evaluating a potential acquisition
When a company is considering an acquisition, it is often difficult for the security leader to evaluate the potential risks inherent in the acquisition. Due diligence is often limited, and there is a lack of detailed information to really understand cyber risk. Using a risk quantification platform can provide a quick analysis of the potential cyber risk that the organization may assume if the acquisition is completed.
Evaluating the impact of specific threats
Cyber risk quantification analysis allows the security leader to focus on the potential financial impact of specific threats. For example, Boards of Directors are very interested in the company’s exposure to ransomware. Using a tool like X-Analytics allows the security leader to provide a specific financial quantification of that risk profile. Management can then evaluate whether the analyzed risk is acceptable or, if not, what mitigations need to be implemented to reduce the risk to an acceptable level.
Communicating cybersecurity program effectiveness
As the senior management and Board become accomplished in understanding and using a risk quantification model for cyber risk, the security leader can now use it to measure and report on the overall security strategy and program. As changes occur in the threat landscape and business environment, these can be seen in changes in the loss estimates. Similarly, as investments are made in security controls and processes, the payback in terms of reduced risk exposure can be measured and reported in financial terms.
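The pitfalls of ordinal 1-to-5 scoring and the "what if" investment analysis described above can be made concrete with a small Monte Carlo model. The example below is added here for illustration; it is not X-Analytics' model or any code from the article. Each scenario is expressed as an annual event probability plus a calibrated 90% confidence interval for the loss if the event occurs, converted to a lognormal distribution the way Hubbard and Seiersen describe. The scenario names, probabilities and loss ranges are constructed assumptions, not figures from the page.

```python
import math
import random

# Constructed scenarios (assumptions for this example, not figures from the article):
# annual probability of a loss event plus a 90% confidence interval for the loss.
SCENARIOS = {
    "ransomware":   {"p": 0.30, "low": 100_000, "high": 2_000_000},
    "data_breach":  {"p": 0.10, "low": 250_000, "high": 5_000_000},
    "cloud_outage": {"p": 0.50, "low": 20_000,  "high": 300_000},
}

Z90 = 1.645  # z-score that bounds a 90% confidence interval


def lognormal_params(low, high):
    """Turn a calibrated 90% CI [low, high] into the (mu, sigma) of a lognormal."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def ordinal_score(likelihood, impact):
    """The traditional 1-5 x 1-5 matrix: a unitless product the board cannot price."""
    return likelihood * impact


def simulate(scenarios, trials=20_000, seed=7):
    """Monte Carlo: total annual loss across all scenarios for each simulated year."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    params = {n: (s["p"], *lognormal_params(s["low"], s["high"]))
              for n, s in scenarios.items()}
    yearly = []
    for _ in range(trials):
        total = 0.0
        for p, mu, sigma in params.values():
            if rng.random() < p:  # did the event happen this year?
                total += rng.lognormvariate(mu, sigma)
        yearly.append(total)
    yearly.sort()
    return yearly


def expected_loss(yearly):
    """Mean annual loss: the number that sits beside revenue and credit figures."""
    return sum(yearly) / len(yearly)


def exceedance(yearly, threshold):
    """P(annual loss > threshold): one point on a loss exceedance curve."""
    return sum(1 for y in yearly if y > threshold) / len(yearly)


def percentile(yearly, q):
    """q-th percentile of the sorted annual losses (e.g. 0.95 for a tail figure)."""
    return yearly[min(len(yearly) - 1, int(q * len(yearly)))]


def what_if(scenarios, name, new_p, control_cost, **kw):
    """'What if' analysis: re-run the model with one scenario's probability reduced
    by a control, and compare the drop in expected loss with the control's cost."""
    before = expected_loss(simulate(scenarios, **kw))
    changed = {k: dict(v) for k, v in scenarios.items()}
    changed[name]["p"] = new_p
    after = expected_loss(simulate(changed, **kw))
    reduction = before - after
    return {"before": before, "after": after, "reduction": reduction,
            "net_benefit": reduction - control_cost}


if __name__ == "__main__":
    losses = simulate(SCENARIOS)
    print(f"ordinal view of ransomware: score {ordinal_score(4, 5)} (no currency)")
    print(f"expected annual loss: {expected_loss(losses):,.0f}")
    print(f"95th percentile:      {percentile(losses, 0.95):,.0f}")
    print(f"P(loss > 1M):         {exceedance(losses, 1_000_000):.2%}")
    # hypothetical control halving the ransomware probability for 50k per year
    print(what_if(SCENARIOS, "ransomware", 0.15, control_cost=50_000))
```

The ordinal score of 20 says nothing a CFO can act on, whereas the simulated distribution yields an expected annual loss, a tail percentile and a loss exceedance curve in currency, and the `what_if` call turns a proposed control into a net benefit that can be weighed against other investments.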
Where to start your cyber risk quantification journey
We have four tips to help security leaders get started on their cyber risk quantification journey:
Get comfortable with the risk decisioning model.
Socialize the model with peers.
Integrate the decisioning model into your overall risk framework.
Leverage the model to communicate the organization’s overall risk profile.
Get comfortable with the cyber risk decisioning model
First, the security leader needs to be comfortable with the risk decisioning model and the underlying assumptions. They don’t need to be a financial expert, but understanding the basic inputs and drivers of any model is important. Experiment with different assumptions and inputs to understand the model sensitivity and drivers. Leverage experienced consultants to help ramp up quickly.
Socialize the cyber risk decisioning model with peers
Second, socialize the risk quantification model and dashboards with peers. Finance, insurance, and other risk professionals in the organization will want to understand the model. Start with one of the use cases described above and build from there. For example, use the model to help with your next cyber insurance review.
Integrate the decisioning model into your overall risk framework
Third, find ways to integrate the risk decisioning model into your overall risk framework. Consider how it can be used to help in managing your risk register, determine risk impacts, and evaluate risk treatments.
Use the “what if” analysis tools to help evaluate the efficacy of risk treatments. Expand the tool to measure risks at a business unit level. Use it to measure and manage supply chain risks.
Leverage risk quantification and decisioning to communicate overall risk profile
Finally, leverage risk quantification and decisioning to communicate the overall risk profile of your organization to your Board and senior management. Use the tools and models to help in your discussions of risk appetite and risk tolerance. Align your security investments and strategic roadmaps with the risk profile to demonstrate how investments in developing and maintaining capabilities are providing a payoff in risk reduction.
Why now is the time for cyber risk quantification and decisioning
“To address these increased expectations, companies need to understand the financial impact associated with cyber-event risk. Boards of directors and management are also expected to demonstrate to investors due care in the governance and oversight of cyber risk…. Leveraging these mathematical and scientific methods for improved analyses can allow for more effective decision making compared to qualitative types of risk scoring and heat map risk reporting.”
Now is a great time for security leaders to step forward and take the lead in cyber risk quantification. I would encourage security leaders to start experimenting and getting comfortable with cyber risk decisioning.
Contact tracing is especially top of mind given the global challenges surrounding COVID-19, and, in some cases, it’s a requirement as organizations begin re-opening their doors to employees and customers. Analyzing location-based data from network-connected devices or Bluetooth and mobile application signals can significantly reduce workplace risk and enable a safe return to work.
We recently sat down with Joel Crane, Partner Sales Engineer at Juniper, and Ron Frederick, VP of Solutions Architecture at Kudelski Security, for a webinar covering effective methods for user location data collection and how to apply the analysis of that data to reduce workplace risk through various forms of contact tracing. A recap of that discussion is below.
Three ways network-based location data can be analyzed to reduce workplace risk
Enforce social distancing guidelines with congestion alerting. Congestion alerting is the most straightforward way to use location data. It doesn’t require user-level identification, just signals from Bluetooth, WiFi, or a mobile application. Defining a capacity limit for each area or zone will allow you to identify areas that exceed the allowed number of users, at which point you may choose to alert those nearby users that they are in or entering a congested area.
Identify potential contact events with proximity tracing. Proximity tracing looks at user-level location data to identify possible encounters: the areas a user visits, the other users they come into contact with there, and the time and duration of each encounter. This type of analysis requires the user to be identified by their device via Bluetooth, WiFi, or a mobile application.
Understand the potential spread with user journey mapping. Together with proximity tracing, user journey mapping creates a map that allows you to trace a user’s journey throughout a site, floor or zone as defined by your network access points. User journey mapping also requires user-level identification, which can be provided by a Bluetooth device, WiFi connection or mobile application.
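The three analyses above all work from the same raw input: a stream of (device, zone, time) observations reported by access points, beacons or an app. The following example is added here to show how each analysis is computed from such a stream; it is not code from the webinar or from Juniper's Mist platform. The observations, zone names, device identifiers and the 15-minute dwell assumption are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Assumption: a single observation means the device stayed in that zone for this long.
DWELL = timedelta(minutes=15)

# Constructed sample observations (placeholders, not webinar data): each entry is
# (pseudonymous device id, zone resolved by the access point, observation time).
# In practice the id would be a WiFi MAC/hostname, a BLE badge id, or an app user id.
OBSERVATIONS = [
    ("dev-A", "lobby",  "2020-06-01T08:00"),
    ("dev-B", "lobby",  "2020-06-01T08:02"),
    ("dev-A", "floor2", "2020-06-01T08:10"),
    ("dev-B", "floor2", "2020-06-01T08:12"),
    ("dev-C", "floor2", "2020-06-01T08:20"),
    ("dev-A", "cafe",   "2020-06-01T08:30"),
    ("dev-B", "floor2", "2020-06-01T08:40"),
    ("dev-C", "floor2", "2020-06-01T08:45"),
    ("dev-D", "floor2", "2020-06-01T08:46"),
    ("dev-D", "floor2", "2020-06-01T08:50"),  # repeat sighting extends the dwell
    ("dev-B", "cafe",   "2020-06-01T09:00"),
    ("dev-C", "cafe",   "2020-06-01T09:02"),
]


def build_visits(observations, dwell=DWELL):
    """Collapse raw observations into dwell intervals (device, zone, start, end).
    A re-sighting in the same zone inside the current dwell window extends it;
    anything else opens a new interval."""
    rows = sorted(((d, z, datetime.fromisoformat(t)) for d, z, t in observations),
                  key=lambda r: (r[0], r[2]))
    visits = []
    for device, zone, ts in rows:
        last = visits[-1] if visits else None
        if last and last[0] == device and last[1] == zone and ts <= last[3]:
            visits[-1] = (device, zone, last[2], ts + dwell)
        else:
            visits.append((device, zone, ts, ts + dwell))
    return visits


def occupancy_at(visits, when):
    """Congestion alerting: devices present per zone at one moment (no identity needed)."""
    t = datetime.fromisoformat(when)
    counts = defaultdict(int)
    for _, zone, start, end in visits:
        if start <= t < end:
            counts[zone] += 1
    return dict(counts)


def congested_zones(visits, capacities, when):
    """Zones whose occupancy exceeds the configured capacity limit at that moment."""
    counts = occupancy_at(visits, when)
    return sorted(z for z, n in counts.items() if n > capacities.get(z, float("inf")))


def peak_occupancy(visits):
    """Highest simultaneous occupancy per zone, checked at every visit start."""
    peaks = defaultdict(int)
    for _, zone, start, _ in visits:
        n = sum(1 for _, z, s, e in visits if z == zone and s <= start < e)
        peaks[zone] = max(peaks[zone], n)
    return dict(peaks)


def encounters(visits):
    """Proximity tracing: pairs of distinct devices whose dwell intervals overlap in one zone.
    Returns (device1, device2, zone, overlap_minutes) per overlapping visit pair."""
    found = []
    for (d1, z1, s1, e1), (d2, z2, s2, e2) in combinations(visits, 2):
        if d1 == d2 or z1 != z2:
            continue
        overlap = (min(e1, e2) - max(s1, s2)).total_seconds() / 60
        if overlap > 0:
            found.append((d1, d2, z1, overlap))
    return found


def contacts_of(visits, device, min_minutes=10):
    """Contact minutes per other device, counting only encounters of at least min_minutes."""
    totals = defaultdict(float)
    for d1, d2, _, minutes in encounters(visits):
        if minutes >= min_minutes and device in (d1, d2):
            totals[d2 if d1 == device else d1] += minutes
    return dict(totals)


def journey(visits, device):
    """User journey mapping: the ordered zones one device moved through, with dwell times."""
    return [(z, s.isoformat(timespec="minutes"), e.isoformat(timespec="minutes"))
            for d, z, s, e in sorted(visits, key=lambda v: v[2]) if d == device]


if __name__ == "__main__":
    visits = build_visits(OBSERVATIONS)
    print("peak occupancy:", peak_occupancy(visits))
    print("over capacity at 08:47:",
          congested_zones(visits, {"floor2": 2, "lobby": 4, "cafe": 4}, "2020-06-01T08:47"))
    print("contacts of dev-C (>=10 min):", contacts_of(visits, "dev-C"))
    print("journey of dev-B:", journey(visits, "dev-B"))
```

Congestion alerting only needs the per-zone counts from `occupancy_at`, so it can run on unconnected-device counts, while `contacts_of` and `journey` need a stable per-device identifier; keeping that identifier pseudonymous and resolving it to a person only when a contact event must be acted on limits how much of the workforce's movement the system exposes.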
Methods of collecting user location data for analysis
The type of analysis you’re able to perform depends on the accuracy and completeness of the location data you’re able to collect. There are three primary methods of collecting location data—each with its own advantages and disadvantages.
WiFi is the best place to start for location data gathering. It’s the easiest method to deploy, only requiring an access point to be installed. In fact, Juniper includes this type of tracking with all their Mist deployments. WiFi is always-on, meaning your location data is nearly real-time. Its one limitation, however, is accuracy. WiFi location data is accurate at about 5-10 minutes, which is okay but not great.
There are two variations of WiFi data collection: connected users and unconnected users. Connected users have a phone or device connected to the WiFi network. This allows you to track users at the individual level by hostname or MAC address. Collected data from unconnected users won’t give you the ability to uniquely identify a user, but it will show you how many devices are scanning for WiFi in a certain zone.
Bluetooth is a great option for collecting location data because it’s always-on. It’s easy to connect a user to a Bluetooth device, especially if you implement a Bluetooth beacon on employee badges (e.g. kontakt.io). If you’re looking at all Bluetooth devices, however, you will need to account for users having multiple devices on their person—a phone, headphones, badge, etc. Bluetooth location data is moderately accurate at about 3-5 meters.
Bluetooth also provides the most variety in terms of the data collection methods available. Passive BLE listening, for example, can tell you where Bluetooth devices are, but not who they belong to. BLE tags, like kontakt.io beacons, are constantly signaling and would be tied to a specific user, giving you more precise, real-time location data. Finally, BLE application-based tracking ties to a user’s device….
Using an application installed on a mobile phone is the most accurate way to collect user-level location data, at about 1-3 meters accuracy. This makes it very precise, but with a caveat: you are only able to collect data from users who have the app installed on their device. For corporate devices, this won’t be a problem, since you can use your mobile device management platform to push the app to all employees. For BYOD or customer devices, however, you may need to offer an incentive to entice users to install the mobile app. Mobile applications also allow for bi-directional communication, which enables push notifications and blue dot navigation if needed.
Juniper’s Mist platform now supports digital contact tracing to enable a safe, secure return to work. Mist customers can perform capacity analysis, proximity tracing and user journey mapping with a subscription to Juniper’s Assistant and Premium Analytics services.
For assistance in evaluating a digital proximity tracing solution, request a consultation with Kudelski Security’s Advisory Services here.
One of the toughest challenges facing Chief Information Security Officers is effectively communicating with the board of directors. That raises the question: how can CISOs articulate their comprehensive and sophisticated security strategy to them?
Kudelski Security’s Secure Blueprint SaaS is a business management platform, designed by CISOs and created for CISOs. The software enables security leaders to plan, execute and evolve business-aligned security programs, allowing continuous improvement. It enables security leaders to centralize key management functions, gives them visibility on maturity and risks, and facilitates stakeholder engagement.
See what Frost & Sullivan, the global business consultants, have to say about Kudelski Security’s software:
If you haven’t got three minutes to watch the video, key takeaways include:
Secure Blueprint measures cyber program maturity and risk by benchmarking an organization’s capabilities across cybersecurity control models like the NIST cybersecurity framework or Kudelski Security’s own cybersecurity portfolio management model
The language that is used to communicate security strategy with the organization, the C-suite, and board of directors needs to be delivered in a business language and not tech speak
The program facilitates and automates stakeholder engagements, taking lengthy quarterly meetings down to just a few minutes
Secure Blueprint allows the CISO and board of directors to effectively communicate the security strategy using out-of-the-box executive dashboards
It is easy to recognize the lack of women in the IT world. With ever-growing demand for a more diverse workplace, a general shortage of cybersecurity workers, and a constant stream of cyber threats, the demand is surely there.
Olivia Rose, Kudelski Security director of global risk solutions, knows that all too well. The latest statistics suggest that women make up only around 10 percent of the cybersecurity field in the US, and even fewer worldwide. Though she fell into cybersecurity by chance, she hasn’t turned away in almost two decades. Speaking on the Security Boulevard podcast CyberSpeak, Olivia delves into a multitude of topics surrounding her experience and the growing number of women in cybersecurity.
According to Olivia, there are two sides to security:
The highly technical side. If you actually are interested in coding, encryption, technology, penetration testing, etc., go for it.
The strategy and governance side. This is becoming recognized as even more critical than the technology side at times. You help develop the programs and strategy, and find the gaps in existing security programs to help companies effectively defend themselves. This requires a high degree of listening, communication, and creative thinking skills – ALL SKILLS women tend to be good at. It also involves partnering with executives and senior management of companies, which calls for the same skills women tend to be strong at.
Olivia has some additional advice for women who may be considering diving into cybersecurity:
If you want to get into a field which holds unlimited potential, especially for women, security is it. We need more women (and we need more people in general).
The industry needs the skills women tend to be strong at, so they shouldn’t be scared to enter the field. Some of the most successful security consultants, salespeople, and execs I’ve ever worked with have been women because they’ve leveraged their gender skills.
Women need to change their perspective of what security is and what is needed to work in the field.
Yes, it’s a highly male-dominated field and you will face situations where you are made to feel less important and/or uncomfortable. But this is also why we need more women in this field, to even out the playing field and support each other.
Views on women in the field are changing and becoming more accepting, so it is less harassing than it was ten years ago, but be ready for certain situations which you will encounter.
Authors: Julien Gibert, Executive Director, PageGroup, and Martin Dion, Vice President of EMEA Services, Kudelski Security
According to the Michael Page Swiss Job Index, there is a record demand for IT developers. Between June and July 2018, the demand for such positions increased by +18.5%. This compares with a decline of -4.9% in all jobs advertised in Switzerland over the same period. Based on the frontline experience of Kudelski Security and Michael Page, we outline four key ways of attracting and retaining talent in this market:
Provide projects where they will learn and grow
Projects are the key drivers for attracting and keeping talent – not salary. Developers like to work on new tools. They want projects where they can learn and grow and preferably influence the choice of technology. Developers like change more than most other professionals. They typically work on an 18-month to 2-year time frame and are totally connected, via various IT communities, about where the next interesting projects are on offer. For this reason, employers need to communicate the benefits of their projects, e.g. in terms of technology, project management and potential people management skills advancement. They also need to stay close to their developers, show them that they are interested in their career progress, ask them what they would like to work on next and let them know that there are new projects available for them – but not so far from the end of a project that they lose focus.
Flexibility is a key driver to attracting and keeping talent in this field. The ability to organize their time is extremely important to developers. Employers need to be flexible with working hours as well as location. This includes allowing them to work on weekends rather than certain weekdays, enabling them to work from home and being prepared to have them work from different locations. For example, if they’re based in Zurich and don’t want to move to Geneva, then that needs to be accommodated. Given demand exceeds supply for developers in Switzerland, employers also need to be prepared to relocate talent from wherever they are.
Compromise on Skill Sets
If a candidate has 80% of the skills required for a job and is willing to learn, then be prepared to make them an offer. Skills in this field are quickly outdated and good candidates will have 2-3 offers at any one time. So employers need to find them when they are available and quickly make them an offer. Job descriptions with too many criteria will significantly reduce the chances of filling such a position.
Look beyond the IT profession
Recognize that certain roles can be staffed by professionals outside of the IT/development field. For example, when a financial institution is building a new tool, they need people who understand the business. These roles are typically known as “business analysts” and are filled by people from other disciplines (e.g. finance, HR, sales) who understand the business and like IT projects. On the consulting side, lawyers with IT practice backgrounds have also proved successful because they are typically good at negotiating and communicating the risks and benefits with clients. So be prepared to look to people who understand your business, can deal with business partners and clients and have a cultural fit to the organization and project team.
The shortage of developers will only become more pronounced in Switzerland in the near future as demand grows and the supply cannot be met from the Swiss workforce or graduating institutions. It is therefore important to remember that we are not Silicon Valley with a huge number of developers and be prepared to follow the 80/20 rule.
As a refresher, what is the problem in a nutshell?
Security risks now have board-level attention and CISOs struggle to present information about their security program in ways decision-makers can understand.
They need a single solution that allows them to programmatically plan, execute and measure their programs, and the means to show their boards and executive peers the relevant metrics to justify plans and investments.
The challenge, however, has always been creating a centralized view and providing meaningful information that non-technical professionals, such as business leaders and boards of directors, find meaningful.
What is the solution?
The solution is to have a central place for all the relevant data, including plans, priorities, maturity metrics, risks and more. From there you can get a comprehensive view of the whole security program or target individual areas to present just the information of interest to the organization’s leaders.
This would provide the platform for CISOs to track investments, measure and articulate risk, track progress, and translate comprehensive technical information into something that is meaningful and actionable by business leaders.
What does Secure Blueprint look like?
Secure Blueprint is a unique SaaS solution that utilizes the most common maturity and control frameworks and provides a technical depth of program management that goes above and beyond traditional executive cyber reporting.
The software has been designed to give the user a one-of-a-kind experience, delivering business-focused analytics, initiative tracking and dashboards that keep track of your defined key performance indicators. With just a click, you’ll have all the information you need to assess current and potential risk and set maturity targets and goals for all aspects of your program.
Secure Blueprint is a way for CISOs to drive continuous improvement with the end goal of being able to clearly communicate business-focused priorities and outcomes. The platform automatically generates dashboards that track specifics and can be used during presentations to boards and committees to show your program state and goal. We are able to clearly show the past, present, and future of your program maturity based on control frameworks. This includes analytics integrated with cyber business maturity benchmarking to ensure the CISO can not only identify program gaps but also guide investments.
No more manually created charts and no more multi-tabbed Excel sheets: Secure Blueprint is intuitive and easy to use, so that you can be confident in showing your program to the board.
What are some key attributes of the program?
According to Gartner, CISOs need dashboards that cover a wide range of aspects. Secure Blueprint is a comprehensive program management platform that includes dashboards. It provides easy visibility into program maturity, program roadmap, initiatives management, investment management, cybersecurity program component heatmap and component management dashboards. Currently, CISOs are forced to build those out manually. Secure Blueprint does all this for them.
The integrated dashboards allow visualization of all these aspects and more. With just a click of the mouse, they can see every relevant detail in a manner that is easy for anyone in the organization to understand, which helps justify the costs associated with their cyber program.