CyberSaint Blog | Expert Thought

How Cyber and IT Risk Quantification is Fundamentally Shifting

Written by Kyndall Elliott | May 20, 2021

It’s common for companies to hoard their knowledge like a dragon with gold. Especially in competitive marketplaces, no corporation wants to give an opponent an advantage over it, or even let the opponent know there’s an advantage to be had. With Biden’s new executive order following the Colonial Pipeline ransomware attack, it has been proposed that risk information needs to be shared not only between companies, but between the government and private corporations as well.

With the pandemic, the last 12 months alone have been a high-speed rollercoaster of companies adopting new technologies like the cloud to keep customers and regular operations going, despite the disruption COVID-19 brought. The amount of data being “traded” now is infinitely more than it was even a year ago. This kind of explosive growth has propelled cybersecurity initiatives to the forefront of everyone’s minds, and many new ways to determine risk and threats were implemented. 

But with the explosive growth comes uncharted territory for a lot of these enterprises. The new technologies and systems they adopted helped them stay afloat in the pandemic. Still, they’re now struggling to address the new monsters in cyberspace that are attacking these newly deployed, still-vulnerable systems. How does this affect one’s approach to cybersecurity risk?

How does risk quantification come into play in modern companies?

Risk has been an integral part of business since the 16th and 17th centuries. Contracts in the 16th century led to the emergence of lending, demonstrating that business leaders have been taking what they deem as ‘acceptable risks’ for hundreds of years. In the 17th and 18th centuries, though, the concept of accepting or rejecting risk came into play, predicated on measures like personal relationships or word of mouth.

Although a lot has changed since then, a few factors remain constant. Modern leaders are still determining (sometimes daily) what an acceptable level of risk or projected risk is for their operation. The modern concept of risk is directly correlated with uncertainty, and uncertainty is connected to the availability of information. If an individual could make a decision with 100% certainty from all the available information, there would be no risk associated with a project or business.

But it is almost impossible to assemble all possible information before a decision deadline. Whether that deadline is a board meeting or new compliance regulations, gathering that information quickly and efficiently is a constant struggle for security teams who are often working out of spreadsheets for risk and compliance that are obsolete the minute they’re finished. If there’s been a breach, and time is of the essence, that deadline is even more pressing and looms over the heads of the whole security team while they try to address the threat.

Managing risk is a constant struggle in the cybersecurity landscape. Cyber risk quantification can seem elusive and nebulous to organizations with a less mature security posture. With less mature companies, it can be tempting to look at quantitative risk instead of qualitative risk. To more efficiently and accurately address risk management and quantify risk in the next 12 months, organizations can look at doing a few things. 

Sharing information across industries and organizations

Although it’s tempting to hoard knowledge as a company, organizations may ultimately just be hurting themselves in the process. Historically, the biggest drawback to risk quantification has been the lack of data. There isn’t a database of risk that companies, or even the government, can access. It’s also not helpful that most risk analysis or quantification happens post mortem, that is, after the attack has already taken place and has been dealt with.

The new executive order from the Biden administration has cracked open the possibility of information sharing across enterprises.

CyberSaint Chief Product Officer Padraic O’Reilly says, "Information sharing within the cybersecurity community has long been decried as something there needs to be more of. As the government looks to increase the communication between public and private sectors, they must work to ensure that it is a two-way street. The EO does acknowledge this need. However, historically private sector CISOs have felt that the information sharing ends up as a one-sided relationship."

Even though cybersecurity has always been a dynamic landscape, the pandemic has pushed it even further. It’s forcing organizations to think in broader terms. Gartner predicts that by 2022, 90% of corporate strategies will explicitly mention data as a critical enterprise asset and analytics as an essential competency. They also say that by 2022, more than 30% of businesses (up from less than 5% today) will use financial risk assessments of their data assets to prioritize investment choices for IT, analytics, security, and privacy.

What possibilities open up with risk data being shared? 

Imagine your company has a severe threat or vulnerability that is being exploited by bad actors, or could be at any moment. This kind of attack has never happened in your company’s history, and there’s no process or strategy set up to deal with it. You’re lost, your security team is lost, and the board and other C-suite executives are bearing down on you for a plan and answers. But what can you do?

Suppose risk data is aggregated from several sources and several other enterprises into a database that can be accessed by anyone, giving them the ability to quickly and efficiently address risk spikes. Suddenly the power is put back in the hands of the chief information security officer (CISO) and their team. They’re able to pull data from another entity that has already been through the attack to mitigate the danger to their own systems. 

The possibilities this could open are staggering. This is a case of “a rising tide lifts all ships.” By aggregating data and making it publicly available, it’s possible for every security team to address threats before or as they happen. 

Industries like cyber insurance could more accurately predict what level of risk a given enterprise faces based on historical data: is it a prime target for phishing attacks or ransomware, and is the risk of those things low, medium, or high for that company?

Any company that has data stored on or off-site could be the victim of ransomware, but what if there was a way to continuously assess risk in real time with products like CyberStrong? What if your company could aggregate that data and share it publicly to prevent likely attacks from happening to other companies as well?

The possibilities are endless given the number of doors this kind of data could open to ensure the safety of not just your company but others as well. The business impact of this kind of data sharing could propel cyber risk management years into the future and give risk matrices a huge boost.

Conclusion

The fact of the matter is that risk is only going to become more prevalent and more pressing as the world grows into embracing digital technology and solutions. 

To learn more about IT & Cyber Risk Management and how to mitigate the risks that stand in your way so you can take on the risks that matter, download our solution sheet.