Dark Reading is part of the Informa Tech Division of Informa PLC


Risk | Commentary
12/20/2018 02:30 PM
Bryan Sartin

How to Optimize Security Spending While Reducing Risk

Risk scoring is a way of getting everyone on the same page with a consistent, reliable method of gathering and analyzing security data.



Globally, organizations have spent millions on security solutions; however, these purchasing decisions often are not based on fact or data, but on hunches, past spending patterns, and market trends. Senior executives struggle to gain complete visibility into their own company's security posture and into the current threat environment. There is a lack of comprehensive, near-real-time information that organizations can rely on to inform critical business decisions.

Getting everyone on the same page with a consistent, reliable method of gathering and analyzing security data is important: it increases a company's security strength while optimizing spending and reducing risk.

Identifying the Threat in a Constantly Shifting Landscape
The constantly shifting security landscape affects both how organizations approach security and how security is perceived within an organization. It's important to know where the threats are coming from and what the threat landscape actually looks like. According to the Verizon 2018 Data Breach Investigations Report, cyberattacks are not always aimed at billion-dollar businesses; many go after opportunistic targets that are simply unprepared. Moreover, 76% of breaches reported were financially motivated, and 73% of breaches were perpetrated by outsiders.

Security is always changing, and the need for it is growing, both because of the threats themselves and because of what a breach does to an organization's reputation. Those outside the traditional security realm are interested in your organization's security posture, and for good reason. By 2020, organizations are expected to spend $101.6 billion on cybersecurity software, services, and hardware, according to research by the International Data Corporation. Gone are the days when only technologists and security executives needed to concern themselves with cyber threats.

The Ongoing Requirement for More Visibility
To combat the dynamic nature of cyber threats, business leaders need better data at their fingertips to inform decisions, and security strategies need to evolve.

Security professionals must now spend time gathering and explaining the data they work with, so that their assessments make sense to someone outside the security space. This can also mean justifying security investments to those who may not fully understand their breadth and rationale. CFOs have become more involved in cybersecurity decisions in recent years, with many citing cyberattacks as the No. 1 external risk to their company, according to CNBC's quarterly CFO Council Poll.

Not only are the people at the table changing, but the rules of the game are changing as well. For decades, security was fought reactively: a plan was put in place based on previous knowledge, and incidents were handled one at a time. Today, businesses no longer have the luxury of waiting for a threat to materialize or of relying on historical situations and strategies as an effective guide.

Key Considerations for Security
When examining solutions to optimize your organization's security, there are a few key items to consider. The most important is the ability to identify and quantify your risk. To do that accurately, you'll need technology that provides an automated, comprehensive security risk-scoring framework, one that identifies security gaps, weaknesses, and associated risks on a daily basis. (Note: Verizon is among a number of companies that offer risk-scoring services.) By gaining insight into potential threats and unwanted attention, such as brand mentions and exposed credentials, you're likely a step ahead of a risk that could expose your organization to cyberattacks.

Risk-quantification capabilities are evolving along with the threat landscape, but the idea of putting a dollar amount on a potential issue is nothing new. Using data-driven, dynamic cyber-risk scoring to calculate potential outcomes can guide you toward smarter, better-informed decisions and help you communicate those decisions more completely to stakeholders outside the security space. An internal analysis of the current environment and external risk reports are additional inputs to consider. Although this information can be costly to compile, when used effectively it supports an assessment that gives a comprehensive view of your organization's security posture.
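As an added illustration (not code from this article, and not Verizon's or any other vendor's scoring service), the Python below shows one way to put a dollar figure on a risk scenario and then rank candidate investments by expected loss avoided minus their cost. Event frequency is modeled as a Poisson rate per year, per-event loss as a lognormal distribution, and a fixed-seed Monte Carlo run gives the spread of outcomes, including the 95th-percentile bad year that an average alone hides. The scenario, the three candidate controls, their costs and their assumed effects are all constructed numbers for the example, not DBIR figures or real product pricing.

```python
"""Quantified cyber-risk scoring with a simple compound-Poisson loss model.

Added illustration only: the scenario, controls and all dollar figures are
constructed for the example and are not data from the article or Verizon.
"""
import math
import random
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: how often it happens and how much each event costs.

    Frequency is Poisson(rate) events per year; per-event loss is lognormal with
    the given median (USD) and log-space spread sigma (bigger sigma = fatter tail).
    """
    name: str
    rate: float
    median_loss: float
    sigma: float

    def expected_annual_loss(self) -> float:
        """Analytic expected loss: E[N] * E[X], where E[X] = median * exp(sigma^2 / 2)."""
        return self.rate * self.median_loss * math.exp(self.sigma ** 2 / 2)


@dataclass(frozen=True)
class Control:
    """A candidate investment: what it costs per year and which parameter it moves."""
    name: str
    annual_cost: float
    rate_reduction: float      # fraction of events prevented, 0..1
    loss_reduction: float      # fraction of per-event loss avoided, 0..1

    def apply(self, s: Scenario) -> Scenario:
        """The same scenario after the control is in place."""
        return Scenario(
            name=f"{s.name} + {self.name}",
            rate=s.rate * (1.0 - self.rate_reduction),
            median_loss=s.median_loss * (1.0 - self.loss_reduction),
            sigma=s.sigma,
        )


def net_benefit(s: Scenario, c: Control) -> float:
    """Expected annual loss avoided by the control, minus what the control costs."""
    return s.expected_annual_loss() - c.apply(s).expected_annual_loss() - c.annual_cost


def rank_controls(s: Scenario, controls: List[Control]) -> List[Control]:
    """Best net benefit first; a negative value means the control costs more than it saves."""
    return sorted(controls, key=lambda c: net_benefit(s, c), reverse=True)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler; adequate for the small annual rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20000, seed: int = 7) -> List[float]:
    """Monte Carlo: total loss in each simulated year (fixed seed so runs are repeatable)."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss)
    totals = []
    for _ in range(years):
        events = _poisson(rng, s.rate)
        totals.append(sum((rng.lognormvariate(mu, s.sigma) for _ in range(events)), 0.0))
    return totals


def percentile(values: List[float], q: float) -> float:
    """Nearest-rank percentile, q in [0, 1]; q=0.95 is the 'bad year' figure."""
    ordered = sorted(values)
    return ordered[int(q * (len(ordered) - 1))]


# Constructed scenario: roughly one credential-stuffing incident every two years,
# median cost $200k per incident with a fat tail. Invented numbers, not DBIR data.
EXAMPLE = Scenario("credential stuffing against customer portal",
                   rate=0.5, median_loss=200_000.0, sigma=0.8)

# Constructed candidate investments with invented costs and assumed effects.
CANDIDATES = [
    Control("MFA on portal logins", annual_cost=60_000.0, rate_reduction=0.7, loss_reduction=0.0),
    Control("fraud analytics", annual_cost=90_000.0, rate_reduction=0.2, loss_reduction=0.5),
    Control("IR retainer + tabletops", annual_cost=40_000.0, rate_reduction=0.0, loss_reduction=0.3),
]

if __name__ == "__main__":
    losses = simulate_annual_losses(EXAMPLE)
    print(EXAMPLE.name)
    print(f"  expected annual loss (analytic): ${EXAMPLE.expected_annual_loss():,.0f}")
    print(f"  simulated mean / 95th percentile: "
          f"${sum(losses) / len(losses):,.0f} / ${percentile(losses, 0.95):,.0f}")
    for c in rank_controls(EXAMPLE, CANDIDATES):
        print(f"  {c.name:<26} net benefit ${net_benefit(EXAMPLE, c):>12,.0f}")
```

Two things worth noticing when running this. First, the ranking can flip a control from "obviously worthwhile" to net negative just by changing the assumed rate or median loss, so the estimates feeding a score (asset inventory, incident history, external threat intelligence) matter more than the arithmetic on top of them. Second, the median simulated year is $0 because most years have no incident at all; budgeting to the 95th percentile rather than to the average is what keeps a single bad year from becoming an unplanned crisis.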

Solving the Problems of Tomorrow
A model for dynamic cyber-risk scoring enables enterprises to evaluate their current exposure to cyber-related risks, understand the probability of a future breach, and assess preventative measures both quantitatively and qualitatively, all underpinned by a framework for sustainable and measurable improvement. Enterprises that do this are better placed to proactively address weaknesses, prepare for threats, and mitigate risk. Prioritizing the exploration of, and investment in, updated security technologies lets a business calibrate its current exposure to cyber-risk and put itself in a position to prevent, and better handle, future issues.

As head of Verizon Global Security Services, Bryan Sartin keeps pace with the leading and bleeding edges of innovation in the security market, while maintaining the highest quality of service in delivery operations. He manages the proactive and reactive span of Verizon's ...