We live in insecure times, and it’s not for lack of trying to develop effective cyber defenses. Naturally, C-level executives want to know what good looks like and how to measure it. Penetration tests, internal vulnerability scans, and IT control checklists remain go-to tactics, but a new generation of tools is taking things to the next level.
Cyber risk ratings firms. Boston-based BitSight Technologies leads an industry that continuously monitors externally visible risk factors that indicate an organization’s vulnerability to a data breach. Ratings are expressed in numerical and alphabetic scores non-technical leaders can easily grasp. These firms don’t purport to offer a comprehensive assessment, as you would need permission to look inside a company to do that. Nevertheless, it’s amazing how much you can objectively determine about a company’s security posture by looking from the outside.
Each of the ratings firms takes a unique approach to risk factor selection and weighting in its algorithm and may tweak them periodically in the pursuit of a high correlation to breaches. Getting it right requires investing heavily in threat intelligence infrastructure to track IP addresses, proprietary and third-party data feeds on observable risk factors, such as open ports and patching cadence, as well as data scientists to curate inputs and make adjustments where necessary. With such rich intelligence at hand, every organization should know its rating and seek to maximize it.
Cloud access security brokers. About 20 years ago, Salesforce.com became the first notable company to offer software as a service (SaaS), delivered from the cloud, a radical alternative to traditional, licensed software products. Over 30,000 companies operate as SaaS application providers, including Microsoft’s Office 365, Workday, ServiceNow, and Box, as well as infrastructure as a service providers like AWS and Azure. Because these providers require a connection to the customer’s network, numerous data security and privacy compliance issues need proactive management.
The not-for-profit Cloud Security Alliance (CSA) has developed dozens of security and privacy risk factors that are distinct to cloud service providers. For example, once a user enters data into a SaaS app, ownership can switch to the app provider. In which geographic locations is that data stored? Is that data erased upon cancellation of service? Cloud-based vendors require scrutiny that goes beyond the security risks measured by cyber risk ratings firms.
The CSA’s work has been commercialized by a group of companies that Gartner calls Cloud Access Security Brokers, or CASBs (“caz-bees”), led by Santa Clara, California-based Netskope.
Organizations use a CASB to identify and risk-assess cloud-based providers, which are increasingly popular as work shifts to the other side of the firewall. It’s not unusual to find more than a thousand SaaS apps on a network used by just 100 employees, and fewer than 10% of those apps are likely to be enterprise-ready. Netskope’s Cloud Confidence Index, for example, rates each app on a 1 to 100 point scale, so users can easily distinguish vendors of concern and steer employees to more secure and privacy compliant apps.
Unlike cyber risk ratings firms, CASBs tend to give control over the factor weightings to the customer to customize the scoring, as some factors may be more relevant than others.
It’s FAIR to measure risk. Well-respected organizations such as NIST and CIS have developed control frameworks that guide IT teams and are foundational to proper management. Compliance with the elements of these frameworks typically gets measured qualitatively in traffic light indicators.
To augment this approach, the FAIR Institute promotes a quantitative model to measure an organization’s cybersecurity and operational risk. FAIR principles consider the probability of an event and its magnitude to calculate an expected value of a risk, expressed in dollars and cents. FAIR helps organizations prioritize the areas in which to reduce risk and guides cybersecurity spending decisions to maximize return.
Third/fourth party applications. An organization is only as strong as its weakest connected partner, and you can also apply these tools to the ecosystem of third and fourth parties. The 2013 Target breach via an insecure and obscure HVAC vendor and, most recently, vulnerabilities associated with the SolarWinds Orion platform highlight the need for quantitative, real-time data on vendors.
Platforms like OneTrust’s Vendorpedia and ProcessUnity automate workflows associated with periodic assessment questionnaires and integrate cyber risk ratings. An organization can continuously verify, then trust the security posture of its vendors and draw attention to issues that a sudden rating decline might indicate.
M&A and private equity. The implications for Wall Street are significant. It’s now possible to factor an acquisition candidate’s security posture into the valuation and negotiation process much earlier. Private equity firms can monitor portfolio companies and identify those in need of attention before a crisis occurs.
The availability of tools that objectively quantify risk and convey assessments in a language that non-technical business leaders can comprehend can help make us more secure.
Craig Callé is CEO of Source Callé LLC, a consulting firm focused on data security, privacy, and value creation. He is a former CFO of Amazon’s Digital Media and Books businesses and other companies and was an investment banker at Salomon Brothers. Prior to starting his firm, he was chief strategy officer at SHI International.