Cyber risks today are varied and complex, so organisations cannot rely on narrow goals and narrow solutions. They need to prioritise resources based on the threats they actually face, accept that breaches are inevitable and come up with strategic responses. In a way, they need to think like rulers, not builders.
What do I mean by this? Let's step back and look at how each approaches defence. Builders think in terms of design, structure and maintenance. They raise large, strong walls and try to keep them permanently free of cracks and imperfections. Their focus, though, extends to little else. In short, builders think tactically, delivering excellent but narrow goals.
Rulers, on the other hand, have broader objectives and devise defences accordingly, choosing the kind of security that suits their environment and aims. On their expeditions, for instance, the Mongols used tents that protected little more than horses and riders from the midday heat: a seemingly flimsy solution that worked because it was highly portable. Crusader castles, by contrast, relied on three-metre-thick, unassailable stone walls. Rulers think holistically, weighing geography, the most likely enemies, the strength of their army and their existing capabilities.
How rulers make decisions: prioritising likely scenarios
When it comes to cyber threats, most organisations still follow a compliance-driven approach: tick-box assessments that seek to plug every gap. Everything becomes a priority, with little or no consideration of the risks and threats that are unique to them.
In a way, chief information security officers (CISOs) are forced to behave like builders. They fix every existing crack and loose stone rather than focusing on the key defences, and on the innovations needed to stop the enemy army already knocking at the front gates.
And this approach is not making organisations more secure. Evidence suggests that global cyber security improvement efforts have largely stagnated since 2019 even as the threat has grown [Analysis of ISF Benchmark scores from 2019 to 2021]. Defences are getting weaker relative to the threats they are meant to counter, and organisations are being breached more frequently.
By thinking like rulers, CISOs can prioritise the issues that give their business the greatest protection. What does this look like? A ruler needs to learn from the builders the current state of the kingdom's defences, hear from the treasurers which valuables most need protecting, and coordinate with the spies who know the state of the enemy and its army.
Similarly, you need to prioritise based on risk, taking advice from threat intelligence teams, security and IT practitioners and financial stakeholders. The focus belongs on the likeliest and most damaging risks, not on preventing scenarios that are either unstoppable or inconsequential. Here are some considerations that can inform where you direct your resources:
- DDoS attacks are prevalent but, for most organisations, have limited impact;
- Accidental data disclosures are all but impossible to prevent entirely;
- Insider software compromises would be catastrophic but are almost unheard of;
- Ransomware is both likely and potentially extremely severe; while
- Business email compromise (BEC) remains the most frequent, and in total the most expensive, cyber risk for which insurers receive claims.
Quantifying cyber risks for better risk management decisions
Identifying the relevant risks is just the start. You might know that your organisation faces a high risk of ransomware and that a successful attack would be costly. But can you say how likely an attack is in a given year, and how much it would cost? This is what risk quantification provides. Beyond informing better cyber risk decisions, it helps make a strong case to your board for investment in the areas where your exposure is greatest.
So how do you quantify risk? By combining statistical methods with cyber threat modelling, you can estimate how likely an attacker is to succeed at each stage of an attack path, and therefore how likely the attack as a whole is to succeed. The same analysis lets you identify and prioritise the defences that deliver the greatest risk reduction for the money, rather than spending time, effort and budget on controls that barely move the result. Such a threat-driven approach helps you spend where it matters and maximise protection, leaving more resources for the organisation's core business objectives.
To keep up with a complex risk landscape, you also need to know, readily and in an accessible format, how your cyber capabilities will hold up against likely threats. Our Cyber Risk Insights approach delivers this by simulating cyber-attack scenarios and estimating how likely each is to unfold. The idea is to integrate industry-proven techniques, attack path modelling to quantify likelihood and Monte Carlo simulation to model financial impact and cost-benefit, in a user-friendly web app.
Quantification does not spare you tough risk management decisions, but it equips you with far better information to make them.
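To make the two preceding paragraphs concrete, here is an added, self-contained illustration of the mechanics they describe: a ransomware attack path whose per-stage success probabilities multiply into a path likelihood, a Monte Carlo simulation of annual loss, and a ranking of candidate controls by expected loss avoided per unit of cost. This is example code written for this page, not the Cyber Risk Insights tooling or any vendor's model. Every stage probability, attack rate, loss parameter, control name and cost is a constructed assumption for illustration, not data from the article.

```python
"""Illustrative attack-path and Monte Carlo cyber-risk quantification.

Added example, not the page's own tooling.  Every stage probability,
attack rate, loss parameter and control cost below is a constructed
assumption for illustration, not data from the article.
"""
import math
import random
from statistics import mean

# Constructed ransomware attack path: (stage, P(attacker succeeds | reached stage)).
RANSOMWARE_PATH = [
    ("initial access via phishing", 0.60),
    ("execution and persistence", 0.70),
    ("privilege escalation", 0.50),
    ("lateral movement to file servers", 0.60),
    ("encryption of data and backups", 0.50),
]

ANNUAL_ATTEMPTS = 4                   # assumed campaigns reaching the path per year
LOSS_MEDIAN_LN = math.log(1_000_000)  # assumed median loss per successful attack
LOSS_SIGMA = 1.0                      # assumed lognormal spread (heavy-tailed impact)

# Constructed candidate controls: (name, stage affected, new stage probability, annual cost).
CONTROLS = [
    ("phishing-resistant MFA", "initial access via phishing", 0.20, 150_000),
    ("immutable offline backups", "encryption of data and backups", 0.10, 80_000),
    ("EDR with 24x7 response", "execution and persistence", 0.35, 200_000),
    ("network segmentation", "lateral movement to file servers", 0.30, 250_000),
]


def path_success_probability(path):
    """Chance one attempt gets through every stage: the product of the stage
    probabilities, assuming each stage is independent once the attacker reaches it."""
    p = 1.0
    for _, stage_p in path:
        p *= stage_p
    return p


def apply_control(path, stage, new_p):
    """Copy of the path with one stage's success probability replaced."""
    if stage not in {name for name, _ in path}:
        raise ValueError(f"unknown stage: {stage}")
    return [(name, new_p if name == stage else p) for name, p in path]


def simulate_annual_losses(path, attempts=ANNUAL_ATTEMPTS, runs=20_000, seed=1):
    """Monte Carlo annual loss distribution.  Every attempt draws a uniform and
    a loss whether or not it succeeds (common random numbers), so two paths
    simulated with the same seed differ only through their success probability."""
    rng = random.Random(seed)
    p = path_success_probability(path)
    totals = []
    for _ in range(runs):
        total = 0.0
        for _ in range(attempts):
            u = rng.random()
            loss = rng.lognormvariate(LOSS_MEDIAN_LN, LOSS_SIGMA)
            if u < p:
                total += loss
        totals.append(total)
    return totals


def summarise(losses):
    """Expected annual loss and the 95th-percentile ('bad year') loss."""
    ordered = sorted(losses)
    return {"expected": mean(ordered), "p95": ordered[int(0.95 * len(ordered)) - 1]}


def rank_controls(path=RANSOMWARE_PATH, controls=CONTROLS, runs=20_000):
    """Rank controls by expected annual loss avoided per unit of annual cost."""
    baseline = summarise(simulate_annual_losses(path, runs=runs))
    ranked = []
    for name, stage, new_p, cost in controls:
        treated = summarise(simulate_annual_losses(apply_control(path, stage, new_p), runs=runs))
        avoided = baseline["expected"] - treated["expected"]
        ranked.append({"control": name, "avoided_loss": avoided, "cost": cost,
                       "return_ratio": avoided / cost})
    ranked.sort(key=lambda r: r["return_ratio"], reverse=True)
    return baseline, ranked


if __name__ == "__main__":
    base, ranking = rank_controls()
    print(f"P(one attempt succeeds) = {path_success_probability(RANSOMWARE_PATH):.3f}")
    print(f"Baseline expected annual loss: {base['expected']:,.0f}  p95: {base['p95']:,.0f}")
    for r in ranking:
        print(f"{r['control']:<28} avoids {r['avoided_loss']:>10,.0f}/yr "
              f"for {r['cost']:>8,} -> {r['return_ratio']:.2f}x")
```

Two design points carry over to real quantification work. First, a control that halves one stage halves the whole path likelihood, so the cheapest control on any stage can beat an expensive control elsewhere; the ranking, not the headline risk reduction, is what the board decision needs. Second, the simulation draws the same random stream for every variant (common random numbers), so the difference between "with control" and "without control" reflects the control rather than sampling noise; without this, a comparison of two similar controls can flip sign from one run to the next.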
To discuss how data-backed insights and cyber threat modelling can help your organisation, feel free to reach out to Michael Yeomans.