While your security staff tends to work the same business hours as everyone else, it often feels like threat actors never take a day off. Because an attack can and will come from any direction at any time, an organization’s cyber readiness is paramount.
Your cyber readiness is the level at which you’re able to identify and respond to an attack. The greater your visibility into risk from outside attackers, malicious insiders, and third parties, the faster you’ll be able to identify an issue. And the faster you can remediate the issue, the less damage it will do to your business.
As part of the Evolve from Risk Management to Risk Intelligence webinar series, I spoke with Dave Maberry, Cyber Risk Advisor at SecurityScorecard, and Larry Slusser, our Senior Director of Cyber Risk and Resilience. They spoke about why organizations need to rethink their cyber defense strategy to create an “always-on” security approach, along with how organizations can execute such an approach in the face of continued security staffing shortages.
While risk management programs have been around nearly as long as there has been cyber risk, they are typically designed to react to threats. But to create true cyber readiness, organizations must move towards a risk intelligence approach that is better able to predict which threats are most likely to affect the organization so the security team can prioritize their time and resources there.
“If you just look at threats from a general standpoint, it’s hard to dig into all the variables around why a specific risk is important to your organization,” Maberry said. “Risk intelligence shows an organization why they want to pay attention to how a specific risk can impact their ecosystem.”
By leveraging a risk intelligence approach, organizations can improve their cyber readiness by taking a forward-looking view of risk. This is different from a risk management approach, where an organization may have a long governance checklist of processes and technologies but no context about how to apply them with agility.
“Governance tends to create silos, which impacts nimbleness in the event of an attack,” Slusser said. “Organizations need to ensure they establish their governance in a way that provides the flexibility required to meet the needs of their actual threats.”
Maberry says that organizations that have already experienced an attack tend to be further along in their evolution to a risk intelligence approach by the simple fact that they’ve had a chance to see the pitfalls of a purely reactive approach.
“Organizations that have experienced friction due to their response have a different view of how they validate and respond to risk going forward,” he said. “With these organizations you see a shift to risk resilience through actions such as continuous auditing and continuous monitoring. You also see how these organizations embrace cyber risk as something that is part of an entire ecosystem of an organization, not just one department’s responsibility.”
Maberry shared an example of two retailers that were each impacted by a breach. One retailer had a plan that they had practiced beforehand, so that when they were hit they were able to quickly solve the problem. The other retailer had no plan in place, forcing them to be reactive in their approach.
“The second retailer spent months dealing with issues both externally and internally, which had a negative impact on their share price. Meanwhile, the first retailer was in and out of the news cycle in about a week,” Maberry shared.
Slusser says that the planning process allowed the first retailer to not only identify their weak spots, but to get the practice necessary to respond effectively in the heat of the moment. “The beauty of a good cyber resilience program is that it allows you to validate as you go,” he said.
Fortunately, organizations have many tools available to improve their risk intelligence and cyber resilience. Rather than one solution, Maberry suggests creating multiple layers of intelligence.
“You’re inundated with information on an hourly basis, so adding these layers of intelligence allows you to automatically sift through that information and start targeting where to focus,” he said. In addition, he recommends leveraging outside advisors to provide the specific cyber risk skills, processes, and tools that are unique to your organization’s individual risk.
“What SecurityScorecard does is meld all the different threat intelligence solutions together. Because our threat intelligence team is on the frontlines actively hunting exploits, we’re able to leverage their intelligence to help organizations look at their tech stack, evaluate what they need in a vendor-agnostic way, and help supplement their team with our services as needed,” Slusser said.
Evolve to Risk Intelligence with SecurityScorecard
A holistic approach to risk – one that combines a 360° view of the attack surface with the ability to communicate risk meaningfully and respond effectively – is critical for business success in today’s cybersecurity threat landscape. With SecurityScorecard’s latest product release, organizations now have everything they need to build a world-class risk intelligence program.
Watch this webinar on-demand to hear the complete conversation for more insights into how you can improve your cyber readiness.