MAGNIFY CYBER SECURITY BLOG

Changing the Conversation from One Distracted by Threat to One Focused on Business Risk

June 2020

Simon Crumplin

Author – Simon Crumplin, Founder of Secrutiny

Simon has over 20 years’ experience in the cyber-security marketplace, having previously built, and successfully sold, two managed service security companies. As a disruptive Infosec strategist, his expertise spans multiple disciplines, including information security, IT forensics and security operations.

It’s in our nature to respond to Fear, Uncertainty and Doubt (FUD), which is exactly why threats make for powerful headlines; but out of context they are meaningless. Instead, organisations need to determine the cyber risks that are relevant to their business. And so, we think it is time we changed the cyber security conversation from one distracted by threat to one focused on business risk. Read on to discover how you can take a risk-based approach to cyber security.

‘Threat-mania’ continues to rule the cyber security industry, with the media happy to use FUD to encourage accelerated buying as a defence against these threats. However, when it comes to cyber security, layering technology as a response to threat isn’t necessarily better; it often results in unnecessary expenditure, wasted time and false alerts for the business.

A more rational approach is to look at cyber security in the context of business risk, whereby devices, teams, departments and processes can be rationally assessed to establish not only their likelihood of being exploited but, crucially, what the impact to the business would be. At Secrutiny, we are huge believers in risk methodologies because they use the same language that stakeholders endorse.

Organisations need to understand what risk they are willing to accept and what controls they have in place if an event were to occur. This approach allows a business to have constructive discussions at executive level and take logical actions that are commercially and fiscally sound. During my time in the industry, it has become evident that threats translate into risks very differently in each business; therefore, organisations need to align their cyber security spend to their specific business risks, not industry threats.

What’s the Difference Between a Threat and a Risk?

The first step to changing the cyber security conversation is to establish the difference between threat and risk. Put simply, a cyber threat is a malicious act that seeks to exploit a vulnerability to obtain, damage, or destroy an asset. A threat can be either ‘intentional’ or ‘accidental’.

A risk is the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability. The challenge in the context of cyber security is to provide evidence that identifies and quantifies risk so you can take appropriate action. You can’t eradicate all IT vulnerabilities, but prioritising remedial activity based on which ones pose a significant risk to your business is key.
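To make the threat/risk distinction concrete, here is an added worked example of a simple risk register (not Secrutiny’s method, and not code from the original post). It assumes a constructed 1–5 scale for likelihood and business impact, a constructed risk-appetite threshold, and constructed sample findings; the point it shows is that a widely reported weakness on a low-value asset can rank below an unglamorous one on a business-critical asset once impact is taken into account.

```python
"""Risk-register prioritisation: rank findings by business risk, not by headline threat.

Added illustration, not Secrutiny's method. The 1-5 scales, the sample findings and the
risk-appetite threshold are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 (negligible) .. 5 (severe), used for both likelihood and impact


@dataclass(frozen=True)
class Finding:
    asset: str        # device, team, department or process being assessed
    department: str
    weakness: str     # the vulnerability or gap a threat would exploit
    likelihood: int   # how likely exploitation is given current controls (1-5)
    impact: int       # what it would cost the business if it happened (1-5)

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be in 1..5, got {getattr(self, name)!r}")


def risk_score(f: Finding) -> int:
    """Risk = likelihood x impact: a threat matters only in proportion to the business loss."""
    return f.likelihood * f.impact


def prioritise(findings, risk_appetite: int):
    """Findings whose score exceeds the accepted risk level, highest risk first.
    Ties are broken by impact so the costlier outcome is addressed first."""
    above = [f for f in findings if risk_score(f) > risk_appetite]
    return sorted(above, key=lambda f: (risk_score(f), f.impact), reverse=True)


def accepted(findings, risk_appetite: int):
    """Findings the business is choosing to tolerate; they still belong on the register."""
    return [f for f in findings if risk_score(f) <= risk_appetite]


def board_summary(findings):
    """Highest residual score per department: the one number a stakeholder asks for."""
    worst = defaultdict(int)
    for f in findings:
        worst[f.department] = max(worst[f.department], risk_score(f))
    return dict(worst)


# Constructed register. The 'headline' finding (public website, widely reported weakness)
# ranks below the dull one (payroll server) once business impact is taken into account.
REGISTER = [
    Finding("marketing website", "Marketing", "outdated CMS plugin, widely reported in the press", likelihood=4, impact=2),
    Finding("payroll server", "Finance", "unpatched file-transfer service reachable from the office LAN", likelihood=3, impact=5),
    Finding("shared print server", "IT Operations", "default credentials", likelihood=5, impact=1),
    Finding("customer database", "Sales", "backup copies stored without encryption", likelihood=2, impact=5),
    Finding("staff laptops", "HR", "no screen-lock policy", likelihood=3, impact=2),
]

RISK_APPETITE = 6  # constructed: scores at or below this are accepted rather than remediated

if __name__ == "__main__":
    for f in prioritise(REGISTER, RISK_APPETITE):
        print(f"{risk_score(f):2d}  {f.asset:<20} {f.department:<14} {f.weakness}")
    print("accepted:", [f.asset for f in accepted(REGISTER, RISK_APPETITE)])
    print("board view:", board_summary(REGISTER))
```

Run as a script it prints the remediation order (payroll server, customer database, marketing website), the two findings that fall inside the risk appetite, and the worst score per department. The multiplicative score is the simplest form of the likelihood-times-impact reasoning described above; a real register would replace the constructed scales with ones agreed with the business.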

The Value of Context When Considering Threats

To overcome the natural urge to respond to a threat and instead pragmatically assess the business risks, we advocate asking the following context-setting questions to help you determine a programme of security improvement that is rational, proportionate and based on actual risk:

  • Which areas of your business are most at risk of exploitation?
  • What’s making them so susceptible to risk?
  • What impact could these risks have on the ability of your business to operate?
  • What steps do you need to take based on what you know?
  • What can you prove?

To conclude, instead of protecting company data and systems to the same extent from every single threat, you need to identify your organisation’s specific needs in order to align your security budget accordingly. Predominantly, it’s the resource shortage in IT operations and the lack of business understanding of security risk that generate much of the exposure organisations face.

I work bottom-up from evidence because we shouldn’t be basing cyber security on fear, uncertainty and doubt; you need to be able to sit in front of the board and say ‘here is the evidence and here is the risk we’ve identified’. But to quantify and manage risk, you need to be forensic in your approach. For more information about changing the cyber security conversation from one distracted by threat to one focused on business risk, check out our white paper, Time for a Cyber Risk Perspective.

Time for a Cyber Risk Perspective

It’s in our nature to respond to fear, uncertainty and doubt (FUD), which is exactly why threats make for powerful headlines; but out of context they are meaningless. Instead, organisations need to determine the cyber risks that are relevant to their business. It’s time for a cyber risk perspective. Read this white paper to learn:

1. How to determine if a cyber threat is a business risk needing attention or yet more propaganda
2. The 7 steps for forensic level focus to be able to quantify and manage risk
3. The context-setting questions you need to ask to determine business risk
4. A framework to map cyber risk against business risk
