ThreatConnect’s Miles Tappin on connecting the dots between cybersecurity and business
In the wake of recent cyberattacks targeting critical infrastructures – including JBS and Colonial Pipeline – it is now vital that businesses begin to identify the cyber risks that matter most to their organisation. These high-profile attacks, which resulted in a combined total of $15 million paid to hackers, should act as a call to action for both large and small organisations to implement a robust cyber threat intelligence (CTI) programme. This will start with assessing the financial impact of threats, ranking them in priority, and communicating the severity of risk – ultimately improving overall security posture. To guarantee a cyber secure future, it is now time that businesses bridge the gap between their cybersecurity experts and their business executives through proper cyber risk conversations.

The growing pace and sophistication of attacks

“I think it’s incredibly important to evolve the way that we talk about cybersecurity,” stated Michael Daniel, a former White House cybersecurity policy advisor and the CEO of the Cyber Threat Alliance. “Cybersecurity is now a critical enabler for most businesses to continue operating. And it needs to be framed in that way. I think that’s very much the place that we need to move is putting it in those business terms, framing it in those risk terms.”
With the possibility of attacks only set to increase in the coming years, all businesses should ensure that their cyber risk programme is receiving the attention it deserves. One of the primary reasons critical infrastructure enterprises have remained vulnerable, and a target, is the lack of structure that has existed around enterprise cyber risk quantification. Last year’s release of an interagency report by the National Institute of Standards and Technology, titled, Integrating Cybersecurity and Enterprise Risk Management, identified significant shortfalls in enterprise cyber risk quantification efforts. “Most enterprises do not communicate their cybersecurity risk guidance or risk responses in consistent, repeatable ways,” the report states. “Methods such as quantifying cybersecurity risk in dollars and aggregating cybersecurity risks are largely ad hoc and are sometimes not performed with the same rigour as methods for quantifying other types of risk within the enterprise.” The growing pace and sophistication of nation-state attacks, coupled with an ever-expanding attack surface, makes our ability to accurately quantify and prioritise cyber risks within the context of our individual businesses an urgent priority. But when business networks and systems can be compromised in a way that disrupts or halts industrial operations, that points to a clear failure to identify, understand, prioritise and remediate the most critical cyber risks facing one’s organisation.
Focus, prioritise and manage risk

A recent survey by ThreatConnect showed that half of the respondents said they lack confidence in their ability to communicate and report the financial impact of cyber risks, prioritise vulnerabilities and security alerts, and justify their future investments to mitigate those risks. The reason for this is two-fold: almost half (41%) of respondents said they do not have a formalised process in place to evaluate and rank cyber risks, and a quarter (25%) say they do not have a cyber risk quantification technology deployed at the company. Translating cyber risks into financial and operational terms will show business leaders and boards of directors the most dangerous risks facing their organisations and will determine the actions needed to mitigate those risks. Ultimately, when this process is automated, it will remove the guesswork that historically has been the weakest link in manual efforts to quantify risk. The inability to understand the core mission of cybersecurity at a business level is one of the most critical challenges facing Chief Information Security Officers (CISOs) today. The role of cybersecurity professionals is not solely about defending IT systems; it is about risk mitigation and protecting the business from harm. But few CISOs understand their businesses at this level, and so they cannot communicate cybersecurity in a language that business leaders can understand. By quantifying risk based on possible losses from business interruption and response, exposure can be directly linked to the business services that are affected. This is the missing link for CISOs to communicate the risks facing their organisations.

Mitigating risk for a cyber secure future

Organisations tend to be in a constant state of reacting to threats, vulnerabilities, and incidents.
Now is the time to become proactive through a cyber threat intelligence programme that directly informs automated and orchestrated actions and helps align the business as a whole around the threats that matter most. The Risk – Threat – Response paradigm helps organisations understand and prioritise resource allocation. A focus on cyber threat intelligence is required to keep up with the threats and challenges that matter most to your organisation. By developing this cyber threat intelligence (CTI) programme, organisations can constantly reassess and process knowledge about cyber threat actors – not just incidents that previously impacted their network – discovering and understanding the who, where, how and when of the challenges they face now and in the future.

Connecting the dots

Connecting the dots between cybersecurity and business remains an aspirational goal for many who struggle to understand where to begin. In a world of highly sophisticated cyber criminals, there is no time to hesitate. We must adopt a risk-led cybersecurity programme to help organisations not only prioritise and focus on the risks that matter most, but also leverage threat intelligence to drive orchestrated response. Businesses should move quickly to gain a better understanding of their actual business risks and prioritise mitigation efforts so that critical business processes, applications, and data are fully protected. The bottom line is that most vulnerability management teams are overwhelmed and are likely not focusing on the risks that matter most to their organisation. With the right CTI programme, your team will be able to focus on the most important risks facing your business and better protect it from harm.
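The article argues for quantifying cyber risk in dollars, tying it to the business services that would be interrupted, and ranking scenarios so that mitigation budget goes where the expected loss is highest. The script below is an added illustration of that process, not ThreatConnect's product or any code from the article. It assumes a simple annualised loss expectancy model (likelihood of occurrence per year multiplied by the loss from one occurrence, where that loss is downtime hours times the hourly cost of the affected service plus response cost); every scenario, likelihood, hourly figure and control cost in it is constructed and hypothetical.

```python
"""Quantify cyber risk in financial terms and rank it per business service.

Added illustration; all scenario figures below are constructed and hypothetical.
Model (an assumption, one common choice): annualised loss expectancy (ALE) =
annual likelihood x single loss expectancy, where a single loss = business
interruption (downtime hours x hourly loss of the service) + response cost.
"""
from dataclasses import dataclass, replace
from collections import defaultdict


@dataclass(frozen=True)
class Scenario:
    name: str
    service: str               # business service whose exposure this scenario drives
    annual_likelihood: float   # estimated probability of at least one occurrence per year (0..1)
    downtime_hours: float      # expected business interruption per occurrence
    response_cost: float       # response, recovery and notification cost per occurrence


# Constructed hourly cost of disruption per business service (not real figures).
SERVICE_HOURLY_LOSS = {
    "Order processing": 25_000.0,
    "Customer portal": 10_000.0,
    "Plant operations": 40_000.0,
}

# Constructed threat scenarios, each linked to the business service it would disrupt.
SCENARIOS = [
    Scenario("Ransomware on order-processing servers", "Order processing", 0.15, 72, 400_000),
    Scenario("Phishing-led account takeover", "Customer portal", 0.40, 8, 50_000),
    Scenario("OT control network disruption", "Plant operations", 0.05, 120, 1_500_000),
    Scenario("Web application data exposure", "Customer portal", 0.20, 4, 250_000),
]


def single_loss_expectancy(s, hourly_loss=SERVICE_HOURLY_LOSS):
    """Loss from one occurrence: interruption cost plus response cost."""
    if not 0.0 <= s.annual_likelihood <= 1.0:
        raise ValueError(f"{s.name}: annual likelihood must be a probability in [0, 1]")
    return s.downtime_hours * hourly_loss[s.service] + s.response_cost


def annualised_loss_expectancy(s, hourly_loss=SERVICE_HOURLY_LOSS):
    """Expected loss per year: likelihood of occurrence times single loss."""
    return s.annual_likelihood * single_loss_expectancy(s, hourly_loss)


def rank_scenarios(scenarios=SCENARIOS, hourly_loss=SERVICE_HOURLY_LOSS):
    """(name, ALE) pairs ordered by expected annual loss, highest first."""
    scored = [(s.name, annualised_loss_expectancy(s, hourly_loss)) for s in scenarios]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def aggregate_by_service(scenarios=SCENARIOS, hourly_loss=SERVICE_HOURLY_LOSS):
    """Total expected annual loss per business service, highest first (the board's view)."""
    totals = defaultdict(float)
    for s in scenarios:
        totals[s.service] += annualised_loss_expectancy(s, hourly_loss)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def mitigation_net_benefit(s, annual_cost, hourly_loss=SERVICE_HOURLY_LOSS, **residual):
    """ALE reduction a control buys for scenario `s`, minus the control's annual cost.

    `residual` overrides scenario fields once the control is in place, e.g.
    downtime_hours=12 for tested offline backups. A positive result means the
    control is expected to save more than it costs.
    """
    mitigated = replace(s, **residual)
    reduction = (annualised_loss_expectancy(s, hourly_loss)
                 - annualised_loss_expectancy(mitigated, hourly_loss))
    return reduction - annual_cost


def board_summary(scenarios=SCENARIOS, hourly_loss=SERVICE_HOURLY_LOSS):
    """Plain-language lines: exposure per business service in currency, not in CVSS scores."""
    return [f"{service}: expected annual loss {total:,.0f}"
            for service, total in aggregate_by_service(scenarios, hourly_loss).items()]


if __name__ == "__main__":
    for name, ale in rank_scenarios():
        print(f"{ale:>12,.0f}  {name}")
    print()
    print("\n".join(board_summary()))
    # Hypothetical control: tested offline backups cut ransomware downtime from 72h to 12h.
    net = mitigation_net_benefit(SCENARIOS[0], annual_cost=120_000, downtime_hours=12)
    print(f"\nTested offline backups for '{SCENARIOS[0].name}': net benefit {net:,.0f} per year")
```

The point of the per-service aggregation is the one the article makes about CISOs and boards: a single "expected annual loss per business service" figure is something a non-technical executive can weigh against other enterprise risks, while a list of CVSS scores is not. The `mitigation_net_benefit` function turns the same model into a budgeting argument, which is how the ranking feeds "the actions needed to mitigate those risks".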