The latest data breach report by the Ponemon Institute records the average cost of a data breach in 2021 as US$4.24 million, an increase of 10% over 2019. The increasing costs of cybercrime may (for some) initiate a fresh wave of investment in cybersecurity tools; however, recent insight strongly indicates that this knee-jerk reaction should not be the first move on your agenda.
Complexities experienced as a result of too many security tools can, in fact, hinder an organization’s ability to respond to attacks. A survey of enterprises undertaken in 2020 found that those deploying over 50 cybersecurity tools ranked themselves 8% lower in their ability to detect threats than companies with fewer tools.
So how do security organizations proceed in light of the rise in sophisticated attacks? The answer lies in understanding exactly how effective your tools, people, processes, and third parties are, and the likelihood of a successful breach occurring in your environment. Unfortunately, obtaining the metrics that provide actionable information for security leaders to use at Board level to answer key questions such as ‘are we secure?’ and ‘what’s our security risk level?’ has presented a longstanding challenge.
“There are CISOs who don’t have anything—no metrics, no way to quantify—and they’re aware it’s a problem. Or they have metrics, but they’re awful and they want something better,” says Jeff Pollard, vice president and principal analyst, Forrester. “They want a way to know about the effectiveness of their cybersecurity program, to know whether they’re better off than they were.”
Establishing the building blocks of cybersecurity
CISOs today are flooded by news article after news article highlighting the cybersecurity metrics they should be using to determine how well their controls are working and to measure their risk. A quick Google search alone yields numerous articles hailing the top 3, 5, 6, 8 or even 10+ metrics that matter, but what if all you needed was one? Does nirvana truly exist when it comes to measuring your breach likelihood?
Suffice it to say that many security leaders don’t believe so (although we know it does). Instead, they are amassing data from disparate sources to give them the insight they so desperately need. Some results are proving useful, but most still leave a number of unanswered questions and are highly subjective. In short, this leaves organizations lacking dynamic, real-time and consistent visibility of their enterprise-wide cyber risk posture as it evolves, exposing them to significant risk.
For years, Safe Security has been pioneering the translation of an organization’s technical cyber risk into operational risk. Using a supervised machine learning, Bayesian network-based prediction engine that delivers a breach likelihood score, combined with the Monte Carlo simulation method, organizations can now achieve visibility into the expected financial loss, or risk, they are facing on a daily basis.
The significance of a single score
Removing the complexity and uncertainty from traditional risk assessment practices, Safe Security assigns a single score between 0 and 5 to every asset – from the technology and cybersecurity products in place, to your people, policies and third-party vendors – with actionable insights. At long last, security leaders can confidently predict the likelihood of a breach, prioritize areas for improvement and accurately present their organization’s risk levels and security performance at Board level without juggling multiple applications or platforms.
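To make the idea of turning per-asset breach likelihood into an expected financial loss concrete, here is an added illustration of the Monte Carlo step described above. It is not Safe Security’s engine or code: the asset inventory, the breach probabilities and the lognormal loss model are all constructed assumptions, and the Bayesian prediction of each likelihood is taken as a given input.

```python
import math
import random
from statistics import mean

# Constructed sample inventory (placeholder values, not real data).
# p_breach: assumed annual breach likelihood for the asset, as a probability.
# loss_median / loss_sigma: parameters of an assumed lognormal loss in USD.
ASSETS = [
    {"name": "customer-db", "p_breach": 0.12, "loss_median": 2_000_000, "loss_sigma": 0.8},
    {"name": "payroll-saas", "p_breach": 0.05, "loss_median": 500_000, "loss_sigma": 1.0},
    {"name": "public-web", "p_breach": 0.20, "loss_median": 150_000, "loss_sigma": 0.6},
]


def lognormal_mean(median, sigma):
    """Closed-form mean of a lognormal distribution given its median and sigma."""
    return median * math.exp(sigma ** 2 / 2)


def analytic_expected_loss(assets):
    """Expected annual loss without simulation: sum over assets of p * E[loss].
    Used as a sanity check on the Monte Carlo estimate."""
    return sum(a["p_breach"] * lognormal_mean(a["loss_median"], a["loss_sigma"])
               for a in assets)


def simulate_annual_loss(assets, trials=20_000, seed=1):
    """Monte Carlo estimate of the annual loss distribution.

    Each trial is one simulated year: every asset is breached independently with
    its probability, and a breached asset contributes a loss drawn from its
    lognormal model. Returns (mean loss, 95th-percentile loss, sorted samples);
    the 95th percentile is the kind of tail figure a Board would ask about."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    samples = []
    for _ in range(trials):
        total = 0.0
        for a in assets:
            if rng.random() < a["p_breach"]:
                total += rng.lognormvariate(math.log(a["loss_median"]), a["loss_sigma"])
        samples.append(total)
    samples.sort()
    p95 = samples[int(0.95 * (trials - 1))]
    return mean(samples), p95, samples


if __name__ == "__main__":
    avg, p95, _ = simulate_annual_loss(ASSETS)
    print(f"analytic expected loss: ${analytic_expected_loss(ASSETS):,.0f}")
    print(f"simulated mean loss:    ${avg:,.0f}")
    print(f"simulated 95th pct:     ${p95:,.0f}")
```

The gap between the mean and the 95th percentile is the point: a single expected-loss figure hides the tail years that drive cyber insurance and investment decisions.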
More than just a ‘score’, the information now available to security professionals converts cybersecurity into a tangible concern, enabling them to address individual stakeholder requirements such as:
- Whether the company is investing in the right security capabilities, and its impact on overall risk
- Ensuring the company has adequate cyber insurance coverage
- The level of risk the company is exposed to, tracked over time
The resulting effect of our breach likelihood score is the unification and improvement of cybersecurity throughout an enterprise. Simple to understand across all departments, it communicates performance, prioritizes risk mitigation activities and defines the overall accepted level of cyber risk.
As news of increasingly aggressive cyber attacks continues to hit the headlines, security professionals around the world will be scrambling to protect their environments as best they can. While tools and controls are pivotal to cyber defense, without laying the foundations with a robust understanding of your breach likelihood, you will never be fully confident in the performance of the walls you build.