For an industry barely 20 years old, cyber security has become more confusing and complicated each year thanks to competing vendors, resellers and ‘expert opinions’. The ‘strength in depth’ approach to cyber security previously trusted by organisations is increasingly being acknowledged as impractical with more and more organisations turning to risk-based approaches.
Cyber Threats are NOT all Risks
Industry ‘threat-mania’ has driven huge cycles of product development and enterprise adoption in the hunt for ‘perfect’ protection. However, the waves of publicised high-profile breaches have demonstrated that hype around annual additions to the layers of the security onion is not the answer. Even those with heavy cyber investment in protection and detection technologies fall foul of breaches on a daily basis.
Secrutiny has looked at the thousands of ‘cyber threats’ in existence and tried to align them to business risk across our customers. It quickly became evident that threats translate into risks very differently from one business to another. The discovery suggested that threats are NOT always risks!
There Has To Be A Better Way?
We realised that businesses need a method of identifying and evidencing issues that cause risk to increase, enabling the business to define appetite and investment strategies.
- Take time out from buying cyber snake oils!
- Audit your infrastructure; understand real risk based on YOUR data.
- Follow a cyber maturity programme.
- Align cyber technology spend to your organisation’s risk – not industry threats.
It was a light-bulb moment and Secrutiny’s Cyber Risk Audit (CRA) was created to help organisations simplify the process of cyber security.
Initially, the CRA provides a point-in-time snapshot of risk, hygiene, infection and compromise to offer a good starting point for security improvement. But repeated at a regular frequency over time, Secrutiny’s CRA provides ongoing analysis of risk to drive gradual hygiene and posture improvement and progressively reduce risk. This allows security to stay current, controls to be tuned in line with threat and business developments, and progression to be tracked.
Auditing helps organisations to evidence issues within their cyber security posture and IT ecosystem, determining current risk position and the actions required to mitigate and reduce risk. Without auditing, organisations are looking at ‘threats’ which have little context and, as a result, can often be ‘noise’ with no relevance to the organisation’s risk in context.