by Jake Olcott, VP Government Affairs, BitSight
If you’ve glanced at the opinion columns of security industry publications, you’ve probably seen the term “risk-based” floating around, as in “the time is now for a comprehensive, risk-based approach” or “a risk-based approach to security is key to business alignment.“
However, many of these articles fail to define what exactly a risk-based approach to cybersecurity is. And that’s a problem — without a solid understanding of its meaning, “risk-based” could end up being just another buzzword, and all the benefits it’s supposed to bring about will never come to fruition.
What is a risk-based cybersecurity approach?
If someone tells you their company takes a risk-based approach to cybersecurity, what they mean is that when it comes to making security-related decisions, they consider risk above all other factors.
Risk-based approaches are often presented in opposition to compliance-driven approaches. Risk-based security teams are more concerned with reducing their organisation’s real exposure to cyber attack and data breach than they are about checking boxes or passing audits (though those remain worthwhile goals).
A risk-based approach to cybersecurity is also proactive rather than reactive. Instead of focusing on incident response, a CIO at an organisation using this approach is likely to invest heavily in testing, threat intelligence, and prevention.
Finally, this approach is inherently realistic. The goal of a risk-based cybersecurity program is meaningful risk reduction, not 100% security. That’s important, because the former allows CIOs, CISOs, and Board members to make pragmatic decisions about budget and resource allocation, while the latter requires sparing no expense, even when investments receive diminishing returns.
What does a risk-based cybersecurity approach look like?
A security program that’s fully committed to the risk-based approach will necessarily have a few distinguishing elements.
Risk-based approaches to cybersecurity rely on accurate risk knowledge. On one hand, that means that one’s idea of risk should be based on facts rather than opinion, trends, or headlines. However, in the fast-moving world of IT security, data must also be up to date. That’s where continuous monitoring comes in.
This approach to security doesn’t leave room for blind spots. That means point-in-time vulnerability assessments and penetration tests that only occur once or twice per year must be supplemented by other kinds of assessments that fill in the gaps.
Security ratings are one popular option for continuously monitoring cybersecurity risk. Ratings can provide insight into compromised systems, security diligence, user behaviour, and other factors that increase an organisation’s risk exposure. These insights are synthesised into one representative number, updated daily, as well as grades in individual risk vectors.
Independent research shows that BitSight Security Ratings correlate to data breaches — companies with a BitSight Security Rating of 500 or lower are nearly five times more likely to have a breach than those with a rating of 700 or higher.
A truly risk-based cybersecurity program will have a system in place to prioritise security needs based on their relative levels of risk exposure.
Effective prioritisation relies on two key elements: knowledge of the threat and knowledge of the target. That means a security leader running a risk-based program must maintain consistent awareness of the latest and most urgent cybersecurity threats affecting their company, industry, and region, as well as a deep understanding of the systems and data those threats could affect.
With this knowledge in hand, a security leader can determine which projects require the most resources at any given moment. For example, they can say with confidence that pausing work on implementing automated incident management software in favour of updating user credentials and access will reduce the risk exposure of their organisation.
Prioritisation must also be dynamic, based on short cycles rather than monthly or quarterly initiatives. For this reason, prioritisation relies heavily on continuous monitoring tools like security ratings.
To gain a true understanding of cyber risk, one can’t assess their organisation in a vacuum. Risk is a relative term, and can only be understood in relation to historical performance and the performance of peers, competitors, and industries.
Security ratings are based on externally observable information, meaning they can be used to assess any organisation, not just one’s own. Many organisations use security ratings to gain an idea of the cybersecurity performance of their competitors, top performers in their space, and their industry on average. In fact, these relationships are baked into the ratings themselves.
This method of cybersecurity benchmarking allows security leaders to understand how their organisation is doing in context. For example, using a security ratings platform, a CISO can see that they have a “D” grade in the malware servers risk vector, and understand immediately that they’re performing worse than other organisations in their industry. They can also look at a specific company — say a larger, more established organisation — to see which areas of their cybersecurity program have received the most attention.
How a risk-based cybersecurity approach can save time and money
Compared to compliance-driven organisations or idealistic companies that demand 100% security, an organisation using a risk-based approach can save considerable amounts of resources.
This approach can help an organisation assess the ROI of their cybersecurity projects, and stop spending on tools and systems that aren’t returning value. Many organisations have spent millions on best-of-breed software, only to be breached as a result of user error or an underprepared third party. A risk-based approach can help a company avoid these scenarios.
In addition, this approach can reduce an organisation’s reliance on expensive security consultants and large point-in-time assessments. By using tools to assist with their security performance management, a company can develop the skills to assess and prioritise their security program in-house, continuously.
Most importantly, however, this approach may be better at reducing an organisation’s chances of experiencing a data breach. With the average total cost of a data breach reaching $3.86 million in 2018 ($148 per lost or stolen record), that could mean the difference between survival and failure.