If you’re a CISO, you’ve probably wrestled with placing a monetary value on your exposure to cyber-attacks. For example, if your organization was breached thanks to a phishing campaign, how much would it lose in stolen records, device recovery, brand reputation, or even ransom payments? Your board of directors wants to know, especially before green-lighting extra cybersecurity spending.
The sheer number of breaches organizations experience also demands that security officers push back on solution providers and insist on proof of value. When they do, CISOs would be wise to ask about overall business value, not just technical value or a solution’s ROI. Specifically, how does a solution help protect business value at risk?
We Need to Change Our Expectations
Too often, we limit the “realization of benefits” conversation to the purchase point of a product. I get it. Talking to security vendors or walking into a security conference main hall can feel a bit like walking into the commerce building at your local state fair, where products you didn’t even know you needed are bought and sold based on features, functions and promises of results that far outweigh their reality.
It’s not until you get your new email gateway or firewall home and attempt to use it that you find out it doesn’t work exactly as promised. Yes, we’ve all experienced it. For decades now, we have bought security solutions and installed them, only to discover the promises made (this product/solution is the silver bullet to end all breaches) can’t be kept.
As a result, CISOs should continually review the value of purchases already made and revise their expectations of realized or ongoing benefits. This further implies that security solutions should provide more than their basic functions or features: they should also make measurable how much of the organization’s exposure to risk they actually cover.
Think in Terms of Value at Risk
In other words, they should show how they address value at risk (VaR). In its financial sense, VaR is the loss that will not be exceeded, at a stated confidence level, over a stated time horizon; applying it to phishing means pinning down a frequency, a probability of success, and a loss magnitude rather than a single dollar figure. Solutions that incorporate a VaR model give a decision maker a clearer view of three things: what threats the product or solution is attempting to mitigate; how often those threats appear on the organization’s landscape; and the current capability of the organization to recognize, respond to, and mitigate those threats.
For example, a true anti-phishing solution will support all three elements. It will help measure the frequency and type of phishing attacks making it past perimeter defenses. It will strengthen your user base’s ability to identify and report those active threats. And it will help quantify the value of the data and resources employees can access, so that the cost of a phishing-related compromise of those employees is known before it happens rather than after.
Applying the VaR model of analysis to anti-phishing programs enables security executives to visualize and measure relative risk of exposure to active phishing threats; prioritize security program activities based on objective risk analysis; and, focus critical resources and time where it is needed most.
Specifically, a phishing-specific VaR model looks at three factors:
1. Known (real) phishing threats—map out the type and frequency of phishing attacks your company currently faces:
- Model phishing simulations on active threat intelligence.
- Utilize both internal and external phishing intelligence as source material.
- Harden your users against known industry attacks.
2. Capability to resist attacks—know your ability to recognize and report various attacks:
- Are email and security tools up to date and configured to stop known threats?
- Which phishing attacks and models are still making it past your perimeter? (e.g., business email compromise scams).
- Measure user resilience (ability to recognize and report known threat models).
3. Value of protected information and assets—understand the value of anything exposed by a phishing-related breach and the costs of recovery.
- Discover and document the type of data that is available on your network.
- Find out who has access to critical or regulated data.
- Estimate the costs of a potential breach by determining the value of intellectual property, reputation damage, price per stolen record, recovery costs (IR, IT hours, etc.).
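The three factors above combine naturally into a simple annual-loss model: factor 1 supplies how often campaigns reach users, factor 2 supplies how likely a targeted user is to click and how likely the campaign is reported to the SOC in time to contain it, and factor 3 supplies the loss per compromised user. The following Python is an added illustration, not a model from the original article or from any vendor; the specific rates, dollar figures, lognormal loss spread and containment fraction are constructed assumptions, and the Monte Carlo structure (Poisson campaign count, per-user click draws) is one reasonable choice among several. It shows how a VaR figure at a chosen confidence level differs from a plain expected loss, and how a measured change in user resilience moves both numbers.

```python
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PhishingVaRInputs:
    # Factor 1: known threats - campaigns per year that reach users' inboxes.
    campaigns_per_year: float
    users_targeted_per_campaign: int
    # Factor 2: capability to resist - measured from simulations and reporting data.
    click_rate: float          # share of targeted users who act on the lure
    timely_report_rate: float  # share of campaigns reported to the SOC in time to contain
    # Factor 3: value of protected assets - loss per compromised user (median).
    loss_per_compromise: float
    contained_loss_fraction: float  # fraction of loss still incurred when contained early


def loss_per_compromise(records_exposed, cost_per_record, recovery_hours, hourly_rate):
    """Factor 3 estimate: stolen-record cost plus IR/IT recovery effort (assumed model)."""
    return records_exposed * cost_per_record + recovery_hours * hourly_rate


def poisson(rng, lam):
    """Knuth's algorithm; stdlib random has no Poisson draw."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_year(inputs, rng):
    """One simulated year of phishing losses under the assumed model."""
    total = 0.0
    for _ in range(poisson(rng, inputs.campaigns_per_year)):
        clicks = sum(
            1 for _ in range(inputs.users_targeted_per_campaign)
            if rng.random() < inputs.click_rate
        )
        contained = rng.random() < inputs.timely_report_rate
        for _ in range(clicks):
            # Loss per compromise is right-skewed: lognormal with the given median.
            loss = rng.lognormvariate(math.log(inputs.loss_per_compromise), 0.5)
            total += loss * (inputs.contained_loss_fraction if contained else 1.0)
    return total


def phishing_var(inputs, simulations=1000, confidence=0.95, seed=1):
    """Expected annual loss and VaR at the given confidence (seeded, so repeatable)."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(inputs, rng) for _ in range(simulations))
    idx = min(simulations - 1, int(confidence * simulations))
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "var": losses[idx],
        "confidence": confidence,
    }


# Constructed inputs: a mid-sized organization before and after a resilience program.
BASELINE = PhishingVaRInputs(
    campaigns_per_year=12,
    users_targeted_per_campaign=100,
    click_rate=0.12,
    timely_report_rate=0.05,
    loss_per_compromise=loss_per_compromise(500, 160, 40, 150),
    contained_loss_fraction=0.25,
)
# Same threats and assets; only factor 2 (user resilience and reporting) improves.
HARDENED = replace(BASELINE, click_rate=0.04, timely_report_rate=0.30)


if __name__ == "__main__":
    for label, scenario in (("baseline", BASELINE), ("hardened", HARDENED)):
        r = phishing_var(scenario)
        print(f"{label}: expected loss ${r['expected_annual_loss']:,.0f}, "
              f"VaR({r['confidence']:.0%}) ${r['var']:,.0f}")
```

The gap between the expected loss and the VaR figure is the part of the conversation a board usually wants: the average year and the bad year are different numbers, and a resilience program that only moves the average may leave the bad-year exposure largely intact. Because only factor 2 changes between the two scenarios, the difference in output is directly attributable to measured user behaviour rather than to assumptions about the threat landscape or asset value.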
Stop Guessing and Start Knowing Which Risks to Focus On
When they fail to apply this type of continual analysis, decision makers are in the precarious position of guessing which risks to address, unable to ensure reasonable and effective efforts are being made to protect critical data and assets.
This is not a position that can realistically be maintained. It’s becoming more incumbent upon security managers, directors and CISOs to scrutinize purchases of security infrastructure, training, third party services and consulting.
With the ever-growing strain on IT budgets and the need to maximize the efficiency of existing security staff, understanding value at risk is a critical business capability. It’s time to end the separation of security decisions from derived business value. CISOs should insist security vendors enable them to make the best decisions for their specific environments and business needs, starting with the need to protect bottom-line value.