12/20/2018
02:30 PM
Bryan Sartin
Commentary

How to Optimize Security Spending While Reducing Risk

Risk scoring is a way of getting everyone on the same page with a consistent, reliable method of gathering and analyzing security data.

Globally, organizations have spent millions on security solutions; however, these purchasing decisions often are not based on fact or data — just hunches, expenditures, and market trends. Senior executives struggle to have complete visibility into their own company's security posture as well as the current threat environment. There is a lack of comprehensive, near-real-time information that organizations can rely on to inform critical business decisions.

Getting everyone on the same page with a consistent, reliable method of gathering and analyzing security data is important to increase a company's security strength while optimizing spending and working to reduce risk.

Identifying the Threat in a Constantly Shifting Landscape
The constantly shifting security landscape can have a negative impact on the way organizations approach security and on how security is perceived within an organization. It's important to know where the threats are coming from and the realities of the threat landscape. According to the Verizon 2018 Data Breach Investigations Report, cyberattacks are not always focused on billion-dollar businesses but on more opportunistic targets that are unprepared. Moreover, 76% of breaches reported were financially motivated, and 73% of breaches were perpetrated by outsiders.

Security is always changing, and the need for it is growing — both in existing threats and in relation to your organization's reputation. Those outside the traditional security realm are interested in your organization's security posture, and for good reason. By 2020, organizations are expected to spend $101.6 billion on cybersecurity software, services, and hardware, according to research by the International Data Corporation. Gone are the days that just technologists and security executives needed to concern themselves with cyber threats.

The Ongoing Requirement for More Visibility
In order to combat the dynamic nature of cyber threats, business leaders need better data at their fingertips to help inform decisions, and security strategies need to evolve.

Security professionals must now spend time gathering and explaining the data they are working with to make assessments that make sense to someone outside of the security space. This can also mean needing to justify security investments to those who may not fully understand the breadth and reasoning behind them. CFOs have become more involved in decisions about cybersecurity in recent years, with many citing cyberattacks as the No. 1 external risk to their company, according to CNBC's quarterly CFO Council Poll.

Not only are the types of people at the table changing, but the rules of the game are changing as well. For decades, security issues were fought in a reactive way. A plan was put in place based on previous knowledge, and situations were handled one at a time. Today, businesses no longer have the luxury to wait for a threat to occur or to lean on historical situations and strategies to be an effective guide.

Key Considerations for Security
When examining solutions to assist with the optimization of your organization's security, there are a few key items to consider. Most important is the ability to identify and quantify your risk. To accurately identify risk, you'll need to engage technology that can provide an automated, comprehensive security risk scoring framework that identifies security gaps, weaknesses, and associated risks on a daily basis. (Note: Verizon is among a number of companies that offer risk-scoring services.) By gaining insights into potential threats and unwanted attention such as brand mentions and exposed credentials, you're likely a step ahead of a risk that could expose your organization to cyberattacks.

Risk-quantification capabilities are evolving along with the threat landscape, but the idea of putting a dollar amount on a potential issue is nothing new. Using data-driven dynamic cyber-risk scoring to calculate potential outcomes can guide you toward smarter, more informed decisions and help you communicate those decisions more completely to stakeholders outside of the security space. An internal analysis of the current system and external risk reports are additional considerations to take into account. Although this information can be costly to compile, when used effectively it can help provide an assessment that gives a comprehensive view of your organization's security posture.

Solving the Problems of Tomorrow
A model for dynamic cyber-risk scoring enables enterprises to evaluate their current exposure to cyber-related risks, obtain an understanding of the probability of a potential future breach, and provide a quantitative and qualitative assessment of preventative measures, all underpinned by a framework for sustainable and measurable improvements. By doing this, enterprises have a better opportunity to proactively address weaknesses, prepare for threats, and better mitigate risks. Prioritizing the exploration of, and investment in, updated security technologies can enable a business to assess its current vulnerability to cyber-risk and put itself in a position to prevent, and better handle, any future issues.

As head of Verizon Global Security Services, Bryan Sartin keeps pace with the leading and bleeding edges of innovation in the security market, while maintaining the highest quality of service in delivery operations. He manages the proactive and reactive span of Verizon's ...