
Risk

12/20/2018
02:30 PM
Bryan Sartin
Commentary

How to Optimize Security Spending While Reducing Risk

Risk scoring is a way of getting everyone on the same page with a consistent, reliable method of gathering and analyzing security data.

Globally, organizations have spent millions on security solutions; however, these purchasing decisions often are not based on fact or data — just hunches, expenditures, and market trends. Senior executives struggle to have complete visibility into their own company's security posture as well as the current threat environment. There is a lack of comprehensive, near-real-time information that organizations can rely on to inform critical business decisions.

Getting everyone on the same page with a consistent, reliable method of gathering and analyzing security data is important to increase a company's security strength while optimizing spending and working to reduce risk.

Identifying the Threat in a Constantly Shifting Landscape
The constantly shifting security landscape can have a negative impact on the way organizations approach security and on how security is perceived within an organization. It's important to know where the threats are coming from and the realities of the threat landscape. According to the Verizon 2018 Data Breach Investigations Report, cyberattacks are not always focused on billion-dollar businesses but more often on opportunistic targets that are unprepared. Moreover, 76% of breaches reported were financially motivated, and 73% were perpetrated by outsiders.

Security is always changing, and the need for it is growing — both in existing threats and in relation to your organization's reputation. Those outside the traditional security realm are interested in your organization's security posture, and for good reason. By 2020, organizations are expected to spend $101.6 billion on cybersecurity software, services, and hardware, according to research by the International Data Corporation. Gone are the days that just technologists and security executives needed to concern themselves with cyber threats.

The Ongoing Requirement for More Visibility
In order to combat the dynamic nature of cyber threats, business leaders need better data at their fingertips to help inform decisions, and security strategies need to evolve.

Security professionals must now spend time gathering and explaining the data they are working with to make assessments that make sense to someone outside of the security space. This can also mean needing to justify security investments to those who may not fully understand the breadth and reasoning behind them. CFOs have become more involved in decisions about cybersecurity in recent years, with many citing cyberattacks as the No. 1 external risk to their company, according to CNBC's quarterly CFO Council Poll.

Not only are the types of people at the table changing, but the rules of the game are changing as well. For decades, security issues were fought in a reactive way. A plan was put in place based on previous knowledge, and situations were handled one at a time. Today, businesses no longer have the luxury to wait for a threat to occur or to lean on historical situations and strategies to be an effective guide.

Key Considerations for Security
When examining solutions to help optimize your organization's security, there are a few key items to consider; the most important is the ability to identify and quantify your risk. To accurately identify risk, you'll need to engage technology that can provide an automated, comprehensive security risk scoring framework that identifies security gaps, weaknesses, and associated risks on a daily basis. (Note: Verizon is among a number of companies that offer risk-scoring services.) By gaining insight into potential threats and unwanted attention such as brand mentions and exposed credentials, you're likely a step ahead of a risk that could expose your organization to cyberattacks.

Risk-quantification capabilities are evolving along with the threat landscape, but the idea of putting a dollar amount on a potential issue is nothing new. Using data-driven, dynamic cyber-risk scoring to calculate potential outcomes can guide smarter, more informed decisions and help you communicate those decisions more completely to stakeholders outside the security space. An internal analysis of the current system and external risk reports are additional considerations to take into account. Although this information can be costly to compile, when used effectively it can provide an assessment that gives a comprehensive view of your organization's security posture.

Solving the Problems of Tomorrow
A model for dynamic cyber-risk scoring enables enterprises to evaluate their current exposure to cyber-related risks, understand the probability of a potential future breach, and obtain a quantitative and qualitative assessment of preventative measures, all underpinned by a framework for sustainable and measurable improvements. By doing this, enterprises have a better opportunity to proactively address weaknesses, prepare for threats, and mitigate risks. Prioritizing the exploration of, and investment in, updated security technologies can enable a business to calibrate its current vulnerabilities against cyber-risk and put itself in a position to prevent, and better handle, future issues.
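To make the "dollar amount on a potential issue" idea from the two preceding sections concrete, here is an added worked example. It is not code from the article, from Verizon, or from any vendor's risk-scoring service; it assumes the classic annualized loss expectancy (ALE) model, which the article does not spell out, and every finding, control, and figure in it is constructed for illustration. The scoring turns each finding into an expected annual loss, values each candidate control by the loss it removes, and then ranks spending by loss reduction per dollar within a fixed budget, which is the kind of output a CFO can compare against other line items.

```python
"""Dollar-denominated risk scoring and spend prioritisation (added example).

Assumed model (an assumption here, not stated by the article):

    SLE = asset_value * exposure_factor      # single loss expectancy
    ALE = SLE * ARO                          # annualized loss expectancy

A control is valued by the ALE it removes; spending is ranked by ALE
reduction per dollar of annual control cost, subject to a budget.
All findings, controls and numbers below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    name: str
    asset_value: float      # dollars at stake if the asset is fully compromised
    exposure_factor: float  # fraction of asset value lost in one incident (0..1)
    aro: float              # annual rate of occurrence: expected incidents per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0 or self.aro < 0 or self.asset_value < 0:
            raise ValueError(f"invalid parameters for finding {self.name!r}")

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    finding: str           # name of the Finding this control mitigates
    annual_cost: float
    aro_reduction: float   # fraction by which the finding's ARO drops (0..1)

    def __post_init__(self) -> None:
        if not 0.0 <= self.aro_reduction <= 1.0 or self.annual_cost <= 0:
            raise ValueError(f"invalid parameters for control {self.name!r}")


# Constructed sample findings of the kind a daily scoring run might surface
# (exposed credentials, an unpatched edge device, brand impersonation).
FINDINGS: List[Finding] = [
    Finding("exposed-credentials-in-public-repo", 2_000_000, 0.25, 0.8),
    Finding("unpatched-internet-facing-vpn", 5_000_000, 0.40, 0.3),
    Finding("brand-impersonation-phishing-domain", 500_000, 0.10, 2.0),
]

# Constructed candidate controls, each tied to one finding.
CONTROLS: List[Control] = [
    Control("secret-scanning-and-rotation", "exposed-credentials-in-public-repo", 40_000, 0.9),
    Control("vpn-patch-sla-and-mfa", "unpatched-internet-facing-vpn", 120_000, 0.8),
    Control("domain-monitoring-and-takedown", "brand-impersonation-phishing-domain", 25_000, 0.5),
]


def total_ale(findings: Iterable[Finding]) -> float:
    """Expected annual loss across all open findings, in dollars."""
    return sum(f.ale() for f in findings)


def control_roi(control: Control, findings: Iterable[Finding]) -> Tuple[float, float, float]:
    """Return (ALE reduction, net annual benefit, reduction per dollar) for one control."""
    matches = [f for f in findings if f.name == control.finding]
    if not matches:
        raise ValueError(f"control {control.name!r} references unknown finding {control.finding!r}")
    reduction = matches[0].ale() * control.aro_reduction
    return reduction, reduction - control.annual_cost, reduction / control.annual_cost


def prioritize(controls: Iterable[Control], findings: Iterable[Finding],
               budget: float) -> Tuple[List[str], float]:
    """Greedy spend plan: take controls in order of ALE reduction per dollar
    while they fit the annual budget. Returns (chosen control names, spend)."""
    findings = list(findings)
    ranked = sorted(controls, key=lambda c: control_roi(c, findings)[2], reverse=True)
    chosen: List[str] = []
    spent = 0.0
    for c in ranked:
        if spent + c.annual_cost <= budget:
            chosen.append(c.name)
            spent += c.annual_cost
    return chosen, spent


if __name__ == "__main__":
    print(f"total ALE: ${total_ale(FINDINGS):,.0f}")
    for c in CONTROLS:
        red, net, per_dollar = control_roi(c, FINDINGS)
        print(f"{c.name:32s} removes ${red:,.0f}/yr, net ${net:,.0f}, {per_dollar:.1f}x per $")
    for budget in (150_000, 200_000):
        plan, spend = prioritize(CONTROLS, FINDINGS, budget)
        print(f"budget ${budget:,}: {plan} (spend ${spend:,.0f})")
```

Run it and the greedy plan at a $150,000 budget skips the VPN control even though it removes the most loss in absolute terms, because the cheaper controls rank higher per dollar and the VPN control no longer fits once one of them is funded; at $200,000 all three fit. That gap between "biggest risk" and "best marginal spend" is exactly the conversation a dollar-denominated score lets security and finance have with the same numbers in front of them. The ARO and exposure-factor inputs are the weak point of any such model and should come from measured data (incident history, external risk reports) rather than guesswork.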

As head of Verizon Global Security Services, Bryan Sartin keeps pace with the leading and bleeding edges of innovation in the security market, while maintaining the highest quality of service in delivery operations. He manages the proactive and reactive span of Verizon's ...