Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification

Similar documents
SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Cyber Risk A Corporate Directors' Briefing Webcast Q&A Summary

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

SAP Security Remediation: Three Steps for Success Using SAP GRC

INTELLIGENCE DRIVEN GRC FOR SECURITY

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Department of Management Services REQUEST FOR INFORMATION

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

COST OF CYBER CRIME STUDY INSIGHTS ON THE SECURITY INVESTMENTS THAT MAKE A DIFFERENCE

MITIGATE CYBER ATTACK RISK

SOLUTION BRIEF Virtual CISO

RSA Cybersecurity Poverty Index

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

The value of visibility. Cybersecurity risk management examination

State of South Carolina Interim Security Assessment

Introducing Cyber Observer

SAP Security Remediation: Three Steps for Success Using SAP GRC

CYBER RESILIENCE & INCIDENT RESPONSE

CYBERSECURITY MATURITY ASSESSMENT

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Big data privacy in Australia

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Cybersecurity and the Board of Directors

THE POWER OF TECH-SAVVY BOARDS:

People risk. Capital risk. Technology risk

How To Build or Buy An Integrated Security Stack

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Defensible and Beyond

SOC for cybersecurity

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

Leading our discussion today

RSA Cybersecurity Poverty Index : APJ

Symantec Data Center Transformation

SEC Issues Interpretive Guidance on Public Company Cybersecurity Disclosures

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

PAIN AND PROGRESS THE RSA CYBERSECURITY AND BUSINESS RISK STUDY

Cybersecurity and the Board of Directors

Mastering The Endpoint

Pave the way: Build a value driven SAP GRC roadmap March 2015

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Why you should adopt the NIST Cybersecurity Framework

The Fine Art of Creating A Transformational Cyber Security Strategy

2 The IBM Data Governance Unified Process

Information Security Continuous Monitoring (ISCM) Program Evaluation

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

OVERVIEW BROCHURE GRC. When you have to be right

Credit Union Cyber Crisis: Gaining Awareness and Combatting Cyber Threats Without Breaking the Bank

Securing Your Digital Transformation

The new cybersecurity operating model

Clarity on Cyber Security. Media conference 29 May 2018

Turning Risk into Advantage

It s Not If But When: How to Build Your Cyber Incident Response Plan

Incident Response Services

NCSF Foundation Certification

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Continuous protection to reduce risk and maintain production availability

Developing your GDPR response for competitive advantage. EU General Data Protection Regulation (GDPR)

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

Implementing ITIL v3 Service Lifecycle

Advanced IT Risk, Security management and Cybercrime Prevention

Automating the Top 20 CIS Critical Security Controls

Mitigating Risk with Ongoing Cybersecurity Risk Assessment. Scott Moser CISO Caesars Entertainment

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

SEC Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks

Buyer s Guide. What you need to know before selecting a cyber risk analytics solution

SOLUTION BRIEF esentire Risk Advisory and Managed Prevention (RAMP)

with Advanced Protection

Run the business. Not the risks.

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Best Practices in Securing a Multicloud World

SECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

locuz.com SOC Services

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Business Continuity Management Standards A Side-by-Side Comparison

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

PROTECT YOUR DATA AND PREPARE FOR THE EUROPEAN GENERAL DATA PROTECTION REGULATION

Health Care Industry Cybersecurity Task Force Report Recommends Urgent Improvement

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

Quantifying Cyber Security Risk in Dollars and Cents to Optimize Budgets

Security in India: Enabling a New Connected Era

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

SIEM: Five Requirements that Solve the Bigger Business Issues

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Symantec Security Monitoring Services

Transcription:

A CLOSER LOOK Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification A major cybersecurity event can dissolve millions of dollars in assets and tarnish even the strongest company s reputation. As cybersecurity concerns grow and evolve, companies need to be prepared for the inevitable cyber attacks with strong defenses to identify breaches and minimize damage. But how does leadership know where to invest in cybersecurity? How much is at risk? What should be prioritized? Why are traditional cyber risk assessments failing us? Our clients struggle with similar issues in their cyber risk programs. We see boards of directors pushing for cybersecurity risk reduction and asking if the existing cyber insurance policy has enough coverage due to near-miss cyber incidents. Chief information security officers (CISOs) are tasked with producing updates to the board despite being plagued with resource constraints. On top of that, the need to comply with various regulations has transformed the cyber risk assessment process into a plethora of checklists and gap assessments in turn focusing the cyber risk program on controls rather than risk. How can you answer the board s questions with traditional risk assessment methods? Do we have enough cyber insurance? Are we doing enough to minimize risk? How much would a breach cost us? Are we spending our cybersecurity budget on the right things? What is the ROI? How much risk do we have? Are we spending too much or too little? Risk management, at its core, is a fundamental exercise in decision-making - but if you can t use the output of your assessment for risk decisions, what s the point? Internal Audit, Risk, Business & Technology Consulting

Traditional Risk Assessment Methodologies We see traditional risk assessment methodologies deployed for cybersecurity risk with the following objectives, approaches and results: OBJECTIVE APPROACH RESULT Understand the cybersecurity risk to the organization Fulfill regulatory obligations for risk assessment Rely on either top-down or bottom-up assessment Multiple annual assessments to fulfill separate obligations Stakeholders determine risk based on opinion of likelihood and impact Heat map or similar view of risk based on likelihood and impact Generally, more qualitative than quantitative Produces list of identified control gaps Issues Issues Issues No clear definition of risk vs. threat vs. vulnerability Subjective scoring I think that is a Low, not a Medium. Without the ability to speak the same language, no one in the organization can measure risk or compare one risk/threat/asset to another Cyber risk is spoken about differently than other business risks Series of competing frameworks (ISO, NIST, CSF, homegrown) Deterministic model of risk (risk = likelihood * impact) that doesn t take into account probability of risk event Allows stakeholders to game the system to get the rating they want Organizational stakeholders assessed multiple times a year and asked a similar set of questions each time Results of each assessment seem to be different depending on who shows up for the meeting Utilizes a scoring model - but that doesn t mean you can add or multiply the risk for a holistic view Results are a laundry list of gaps with no prioritization Given no one uses the assessment for decision-making, it has devolved into a check-the-box exercise CISOs often take the information from a multitude of control gap assessments along with operational metrics and attempt to build dashboards to cover cyber risk. Yet, they still cannot answer the board s questions or know if they are spending too much or too little on cybersecurity. What are forward-thinking companies doing to increase transparency on cybersecurity risks? The good news is, there are better methodologies for cyber risk assessment that allow organizations to truly understand their cyber risk landscape and appropriately mitigate that risk. Quantitative models, such as Factor Analysis of Information Risk (FAIR), can be used to measure the financial impact of cyber risk and provide a standard risk language to ensure consistency. Using methods like FAIR, an analyst can demonstrate the risk reduction of a control in financial terms and evaluate potential investments in cybersecurity technology. Being able to demonstrate return on control the same way as for any other capital investment is a powerful tool for any organization. protiviti.com A Closer Look 2

How does cyber risk quantification work in practice? concept. This kind of risk analysis involves the business Cyber risk quantification uses existing models and been previously included in cyber risk assessment. probabilistic simulation methods to more accurately These are the people who are closest to the potentially describe the cyber risk facing an organization. These threatened assets the crown jewels and who are not new models or techniques for risk management know the value of what needs to be protected from a but the application to cybersecurity risk is a newer users, asset owners and other people who may not have business standpoint. Cyber Risk Quantification Process 1 Identify Threat Scenarios Determine the events that could result in harm to an asset and/or the organization 2 Gather Data Hold discovery workshops to obtain objective and subjective data points on various threat scenarios 3 Model Data Apply gathered data to probabilistic models to describe the cyber risk facing the organization 4 Quantify Risk Assessment results provide a meaningful view on the magnitude of cyber risk facing an organization serving as a powerful decision-making tool Quantifying the risk starts with determining the with subject-matter experts and control owners, different threat events that could result in harm to and collection and review of objective data from an asset and/or the organization, such as weather, system-generated reports, management reports geological events, malicious actors, errors and failures. and manually collected metrics. These different threat scenarios are determined based on a review of external threat intelligence products and published breach data. Data on the likelihood and magnitude of these events at an organization, both objective and subjective, is collected through a series of discovery workshops organized by the cybersecurity function in which subject-matter experts are interviewed to understand how controls function to protect against a series of threat scenarios. Data comes from a diverse variety of sources, including review of The information gathered through various discovery exercises is modeled statistically so that Monte Carlo simulation can be used to quantify the cyber risk the organization faces based on the probable frequency and probable magnitude of each threat scenario. The results show risk plotted on a continuous curve showing the frequency and magnitude of threat events. Risk is quantified organizations know, in monetary terms, how much is at risk and with what confidence. existing and proposed policies and standards, interviews protiviti.com A Closer Look 3

We commonly find companies that struggle to adopt more mature cyber risk quantification approaches share one or more of the following misconceptions: cybersecurity is too complex to measure accurately, they don t have enough data or cyber risk quantification requires expensive tools. But as Douglas Hubbard, author of How to Measure Anything in Cybersecurity Risk, says, it s good to keep these four things in mind: 1. Your problem is not as unique as you think. 2. You have more data than you think. 3. You need less data than you think. 4. There is a useful measurement that is much simpler than you think. 1. Quantify 2. Simplify 3. Inform THE ADVICE Cyber risk can and should be measured through quantitative and probabilistic methods. Proven mathematical and statistical methods work even with limited data. Cyber risk is business risk and should be modeled as such. Models allow practitioners to collaborate around likelihood and consequences using common vocabulary. Focusing on the organization s threats as they pertain to corporate objectives and crown jewels gets the whole organization on the same page about security priorities. Transforming to Cyber Risk Quantification Take, for example, the current state we outlined previously for companies using traditional risk assessment methodologies in a matter of months, these companies can transform to employing cyber risk quantification. MONTH 1 2 3 4 5 6 7 8 Advisory ;)7-5'*8+5%*7-2%5+"&*'1/&'1"+"*#.5<'*=#"-'.+"'+28>%*+*-5$+?1#."-<-2#"-'. services throughout transformation to cyber risk quantification Stakeholder training Conduct crown jewels discovery project Establish a framework for discussing cyber risk within the organization based on a common set of definitions and terms Conduct risk-discovery exercise to rationalize current risk register Define cyber risk appetite and tolerances in financial terms using top-down risk-based approach Replace one-off risk assessments with single quarterly risk analysis Update reporting with charts showing probability of dollar amount lost Update board reporting Optional depending on desired maturity: Build custom tool to collect objective data used in risk analysis, eliminating the need to interview the same stakeholders multiple times per quarter protiviti.com A Closer Look 4

The transformation lifecycle begins with training key stakeholders and defining a framework for discussing cyber risk within the organization and culminates with updated reporting based on the deployed probabilistic models. In addition to training and awareness, another recommended approach to establishing cyber risk quantification as a better alternative is to initially use the methodology on a single decision that needs to be made something that is relevant and involves cybersecurity risk. This gives an organization the opportunity to pilot cyber risk quantification in a contained and tangible way, but also results in a valuable output. Once the organization completes the pilot analysis, stakeholders can begin to socialize results and discover more use cases for risk-quantification capabilities. Many organizations have a lot of momentum in their cyber risk processes; transforming to cyber risk quantification is only successful when tangible benefits are brought to light early and often. PILOT IN PRACTICE Protiviti assisted a mid-sized life insurance company in piloting cyber risk quantification for a single-scope risk assessment to fulfill requirements of the New York Department of Financial Services (NYDFS) Part 500 cybersecurity regulation. The single scope of the assessment, and focus only on threats to non-public information, created a contained environment for piloting cyber risk quantification. Protiviti leveraged the FAIR model to frame and describe the assessed threat scenarios. Results of the assessment followed a common vocabulary, allowed for comparisons to be made across different threats, and ultimately fulfilled obligations of the regulation by providing insight to the organization on the impact of their cyber risk landscape. Internal stakeholders could articulate the methodology and defend the assessment to the board using the common language and explain the risk assessment process and results clearly to the regulator. The broad acceptance and understanding of the risk assessment results paved the way for the organization to deploy cyber risk quantification across a multitude of risk assessments and decision-making activities, with transformation continuing throughout the organization. Why should an organization take the leap to cyber risk quantification? Risk management is fundamentally about making decisions and making those decisions becomes much easier when cyber risk is measured through quantitative methods. Cyber risk quantification is not a silver bullet preventing cyber attacks, but it is a useful tool. Key Benefits of Cyber Risk Quantification Complete cyber risk assessments at a lower cost, with better results Prioritize security stack in monetary terms Determine the appropriate amount of cyber insurance Understand how much a breach would cost Clarify the return on investment for changes to the cybersecurity environment Increase the engagement of organization executives on cyber risk discussions Make better decisions and fulfill regulatory requirements protiviti.com A Closer Look 5

How Protiviti Can Help Protiviti helps companies measure, quantify and report on risk by: Clearly defining a risk vocabulary and establishing a risk taxonomy to allow practitioners and the business to take a threats-based approach to cybersecurity risk and provide consistent risk register statements. Assessing cyber threats facing your organization using open quantitative risk measurement methodologies such as Applied Information Economics (AIE) and FAIR. Contacts Scott Laliberte +1.267.256.8825 scott.laliberte@protiviti.com Andrew Retrum +1.312.476.6353 andrew.retrum@protiviti.com Vince Dasta +1.312.476.6383 vince.dasta@protiviti.com Designing and implementing the programs and processes required to shift from a controls orientation of cybersecurity to a business risk orientation and optimizing compliance frameworks based on risks. Building cybersecurity datamarts to collect, process and store relevant metrics for analysis and reporting, including customized interactive reports and dashboards to replace legacy PowerPoint decks and spreadsheets. Conducting training and organizational change management to help your organization embrace a culture of data-driven informed decision-making. Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 75 offices in over 20 countries. We have served more than 60 percent of Fortune 1000 and 35 percent of Fortune Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index. 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-1018-107187 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback