Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/20/2018
02:30 PM
Bryan Sartin
Bryan Sartin
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How to Optimize Security Spending While Reducing Risk

Risk scoring is a way of getting everyone on the same page with a consistent, reliable method of gathering and analyzing security data.

Globally, organizations have spent millions on security solutions; however, these purchasing decisions often are not based on fact or data — just hunches, expenditures, and market trends. Senior executives struggle to have complete visibility into their own company's security posture as well as the current threat environment. There is a lack of comprehensive, near-real-time information that organizations can rely on to inform critical business decisions.

Getting everyone on the same page with a consistent, reliable method of gathering and analyzing security data is important to increase a company's security strength while optimizing spending and working to reduce risk.

Identifying the Threat in a Constantly Shifting Landscape
The constantly shifting security landscape can have a negative impact on the way organizations approach security and how security is perceived within an organization. It's important to know where the threats are coming from and the realities of the threat landscape. According to the Verizon 2018 Data Breach Investigations Report, cyberattacks are not always focused on billion-dollar businesses but more opportunistic targets that are unprepared. Moreover, 76% of breaches reported were financially motivated, and 73% of organizations breached were perpetrated by outsiders.

Security is always changing, and the need for it is growing — both in existing threats and in relation to your organization's reputation. Those outside the traditional security realm are interested in your organization's security posture, and for good reason. By 2020, organizations are expected to spend $101.6 billion on cybersecurity software, services, and hardware, according to research by the International Data Corporation. Gone are the days that just technologists and security executives needed to concern themselves with cyber threats.

The Ongoing Requirement for More Visibility
In order to combat the dynamic nature of cyber threats, business leaders need better data at their fingertips to help inform decisions, and security strategies need to evolve.

Security professionals must now spend time gathering and explaining the data they are working with to make assessments that make sense to someone outside of the security space. This can also mean needing to justify security investments to those who may not fully understand the breadth and reasoning behind them. CFOs have become more involved in decisions about cybersecurity in recent years, with many citing cyberattacks as the No. 1 external risk to their company, according to CNBC's quarterly CFO Council Poll.

Not only are the types of people at the table changing, but the rules of the game are changing as well. For decades, security issues were fought in a reactive way. A plan was put in place based on previous knowledge, and situations were handled one at a time. Today, businesses no longer have the luxury to wait for a threat to occur or to lean on historical situations and strategies to be an effective guide.

Key Considerations for Security
When examining solutions to assist with the optimization of your organization's security, there are a few key items to consider. Most importantly, the ability to identify and quantify your risk. To accurately identify risk, you'll need to engage technology that can provide an automated, comprehensive security risk scoring framework that identifies security gaps, weaknesses, and associated risks on a daily basis. (Note: Verizon is among a number of companies that offer risk-scoring services.) By gaining insights into potential threats and unwanted attention such as brand mentions and exposed credentials, you're likely a step ahead of a risk that could expose your organization to cyber-attacks.

Quantifying risk capabilities are evolving along with the threat landscape, but the idea behind being able to put a dollar amount to a potential issue is nothing new. Using data-driven dynamic cyber-risk scoring to calculate potential outcomes can guide towards smarter and more informed decisions as well as be able to help you more completely communicate those decisions with stakeholders outside of the security space. An internal analysis of the current system and external risk reports are additional considerations to take into account. Although this information can be costly to compile, when used effectively, it can help to provide an assessment that gives a comprehensive view of your organization's security posture.

Solving the Problems of Tomorrow
A model for dynamic cyber-risk scoring enables enterprises to evaluate their current exposure to cyber-related risks, obtain an understanding of the probability of a potential future breach, and provide a quantitative and qualitative assessment of preventative measures, all underpinned by a framework for sustainable and measurable improvements. By doing this, enterprises have a better opportunity at proactively addressing weaknesses, preparing for threats, and better mitigating risks. Prioritizing the exploration of, and investment in, updated security technologies can enable a business to calibrate their current vulnerabilities to cyber-risk and put themselves in a place to try to prevent, and better handle, any future issues.

Related Content:

As head of Verizon Global Security Services, Bryan Sartin keeps pace with the leading and bleeding edges of innovation in the security market, while maintaining the highest quality of service in delivery operations. He manages the proactive and reactive span of Verizon's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...
CVE-2019-17592
PUBLISHED: 2019-10-14
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.