Page 153 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
Think Holistically
While the CISO is in charge of security, this is no longer the realm of the CISO alone. Security is a
valuable business asset, and a business risk, so the entire C-suite needs to be involved, including having CISOs
sit on management boards. Cybersecurity is increasingly affecting productivity and daily operations in
every sector, with attacks or breaches potentially stopping or interrupting operations for hours or days.
When cyberattacks interrupt business, as seen in cases like the shutdown of the Colonial Pipeline last
year, they demand action far beyond technical mitigation. Such situations call for public relations, changes
in business operations, legal action and more. Because responding to attacks involves all departments,
planning for attacks and defining security strategy should involve them too. Rather than being seen as solely in charge of
security, today’s CISOs should be seen as an essential bridge between business and technical
concerns, leading a collaborative effort to protect the organization.
Embrace automatic tools to quantify risk and exposure
In order to have a truly holistic approach to cybersecurity, everyone, including non-technically-minded
executives, needs to understand the risk and the possible solutions. This means that the risk and the
company’s exposure to potential threats need to be translated into, and explained in, dollar terms. A proper
risk exposure calculation will take into account each asset, the likelihood of it being attacked and the
consequences of such an attack. This way companies can invest effectively in the proper solutions, and
decide what is worth protecting, and at what cost.
Automation, data and AI play a growing and important role in calculating exposure. The internet is full of
cyber risk calculators, and many security companies provide them as well. But most are missing key
components and fail to give a breakdown of direct costs, like the price of an in-house IR team, and indirect
costs, like fines or crisis communications following breaches. Most also fail to take into account factors
like the cost of closing a business, or part of a business, due to an attack.
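The calculation the two paragraphs above describe (per-asset likelihood times consequence, with direct, indirect and business-interruption costs broken out, and a comparison of exposure against the cost of protecting the asset) can be written down in a few dozen lines. The following is an added illustration, not code from the article or from CYE’s product; it uses the standard single-loss-expectancy times annual-likelihood model, and the asset names, probabilities and dollar figures are constructed sample values, not data from the page.

```python
from dataclasses import dataclass
from typing import List, Dict


@dataclass
class Asset:
    """One asset in the risk register. All money values are in dollars per year or per incident."""
    name: str
    annual_attack_likelihood: float  # probability of a successful attack within a year (0.0 to 1.0)
    direct_cost: float               # per-incident direct costs: IR team, recovery, replacement
    indirect_cost: float             # per-incident indirect costs: fines, legal, crisis communications
    downtime_hours: float            # expected business interruption per incident
    hourly_revenue_loss: float       # revenue lost for each hour the business (or part of it) is down


def single_loss_expectancy(asset: Asset) -> float:
    """Total consequence of one successful attack, including the cost of interrupted operations."""
    interruption_cost = asset.downtime_hours * asset.hourly_revenue_loss
    return asset.direct_cost + asset.indirect_cost + interruption_cost


def annual_exposure(asset: Asset) -> float:
    """Expected yearly loss: how likely the attack is, multiplied by what it would cost."""
    return asset.annual_attack_likelihood * single_loss_expectancy(asset)


def exposure_report(assets: List[Asset]) -> List[Dict[str, float]]:
    """Per-asset breakdown, ranked so the largest dollar exposure comes first."""
    rows = []
    for a in assets:
        rows.append({
            "asset": a.name,
            "direct": a.direct_cost,
            "indirect": a.indirect_cost,
            "interruption": a.downtime_hours * a.hourly_revenue_loss,
            "single_loss": single_loss_expectancy(a),
            "annual_exposure": annual_exposure(a),
        })
    rows.sort(key=lambda r: r["annual_exposure"], reverse=True)
    return rows


def total_exposure(assets: List[Asset]) -> float:
    """Organization-wide expected yearly loss across the register."""
    return sum(annual_exposure(a) for a in assets)


def control_is_worthwhile(asset: Asset, annual_control_cost: float, likelihood_reduction: float) -> bool:
    """Decide whether a control pays for itself: it must remove more expected loss than it costs.

    likelihood_reduction is the absolute drop in annual attack probability the control delivers
    (for example 0.25 -> 0.10 is a reduction of 0.15).
    """
    exposure_removed = likelihood_reduction * single_loss_expectancy(asset)
    return exposure_removed > annual_control_cost


# Constructed sample register (hypothetical assets and figures, for illustration only).
SAMPLE_ASSETS = [
    Asset("customer database", 0.10, 250_000, 400_000, 48, 5_000),
    Asset("billing service",   0.25,  50_000,  20_000, 72, 8_000),
    Asset("internal wiki",     0.40,  10_000,       0,  8,   200),
]

if __name__ == "__main__":
    for row in exposure_report(SAMPLE_ASSETS):
        print(f"{row['asset']:<18} single loss ${row['single_loss']:>10,.0f}"
              f"  annual exposure ${row['annual_exposure']:>10,.0f}")
    print(f"total annual exposure ${total_exposure(SAMPLE_ASSETS):,.0f}")
    # A $60k/year control that cuts the billing service's likelihood from 0.25 to 0.10
    print("billing control worthwhile:", control_is_worthwhile(SAMPLE_ASSETS[1], 60_000, 0.15))
    # A $5k/year control that cuts the wiki's likelihood from 0.40 to 0.10
    print("wiki control worthwhile:", control_is_worthwhile(SAMPLE_ASSETS[2], 5_000, 0.30))
```

Note what the ranking shows in the sample data: the billing service carries a smaller per-incident loss than the customer database, but its higher likelihood and long outage make it the larger annual exposure, which is exactly the kind of reordering that is invisible when only direct costs are counted.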
That’s why we at CYE provide a SaaS solution that maps out attack routes and correlates technical
vulnerabilities with business insights, optimizing the reduction of cyber exposure through scientific
analysis of the organizational risk profile. This allows the system to assign a dollar amount to each
possible breach and to point to exactly where mitigations are needed. These assessments are unique to
each company and are based on an algorithm using the most relevant and up-to-date data. It is not a
simulation; rather, it delivers a real-life picture of the risk scenario and the bottom-line effect it could
have on the business, combining advanced algorithms and graph modeling with highly
experienced “red teams” with national-level experience. This goes along with our company’s general
approach of helping users understand their security posture within the bigger business picture.
Look for targeted security solutions, and don’t forget about the human factor
CISOs often get distracted by the sheer number of cybersecurity solutions, especially as new ones chasing the latest
vulnerabilities are constantly released. This has led to a situation of over-differentiation in the sector, with
many solutions solving very specific issues. Companies should not only look for more holistic solutions