Instead of buying a new piece of technology each time a new threat or vulnerability appears, organisations are evolving towards a risk-based approach to security. This requires an enterprise to consider the probability of a security threat materialising and, if it does, the impact it would have on the organisation. Appropriate security controls are then selected and applied in proportion to that risk.
It is not possible to eliminate risk in any digitally connected organisation. Instead, organisations must be able to manage their risk in line with risk appetite. The lower the appetite for risk, the more stringent the security controls.
Moving to a risk-based approach to security, typically from a more tick box, compliance-driven approach, is rarely achieved overnight. Understanding the cyber risks the enterprise faces is complex, and different organisations have different priorities: the impact of a particular threat on one organisation may be very different from the impact of the same threat on another.
As such, an enterprise will typically build a programme to move towards a risk-based approach to security. According to Ovum’s latest ICT Enterprise Insights, fewer than 15% of organisations have a fully developed and proactive approach to cyber security and digital risk, although a further 30% are “well advanced” in building this capability.
Within a programme of moving towards a risk-based approach to security, enterprises require key risk indicators (KRIs) they can use to highlight when risk may be increasing for the organisation.
Maxine Holt, Ovum
Furthermore, ongoing assurance is required that the risk-based approach is having the desired effect of reducing cyber security risk. Security scoring can serve both purposes, as a key risk indicator and as a measure of assurance. It is similar to credit reference scoring: just as a credit score estimates how likely an individual is to repay a loan, a security score estimates how likely it is that an organisation's security controls will protect it from being breached.
Most organisations do not have the ability to build a comprehensive security scoring capability of their own, so they either turn to specialist providers or create their own key risk indicators. Both approaches incur a cost.
Naturally, using specialists has the higher outlay, although some providers offer a free (usually limited-scope) service. Building the capability in-house is possible only if the organisation has the necessary skills and expertise to do so.
Enterprises without the funds for external providers or the in-house expertise to build security scoring capabilities often start with some basic key risk indicators, which can double as key performance indicators. These may include the number of systems with patches available but not applied; phishing campaign success rates; levels of unapproved software (shadow IT); the number of security incidents and breaches; and completion rates for annual security education, training and compliance. To be useful as risk indicators rather than raw counts, each needs a threshold tied to the organisation's risk appetite (for example, the number of systems still missing a critical patch beyond the agreed remediation window) and should be tracked over time so that a rising trend is visible before it becomes an incident.
A proactive approach to cyber security and digital risk requires investment and a thorough understanding of the organisation's approach to security. But the benefits are strong: it supports the achievement of organisational objectives by addressing risk up front and continuously reviewing it to ensure that the organisation is operating within its risk appetite.