On a regular Friday project update meeting in my previous role, my client Jim was noticeably animated. He informed the team that two manufacturing sites in Romania had been victims of ransomware attacks which resulted in significant operational disruption.
Jim and his team had been able to proactively assess and articulate the financial impact of this event to the Board. The estimated inherent impact of this event was assessed to be approximately $33M in Canadian dollars (CAD), and then reduced to $8M CAD given the effectiveness of current controls. Needless to say, this analysis was very well received by the Board and further elevated Jim’s profile as a security leader within the organization.
This is the power of cyber risk quantification (CRQ).
I had been supporting Jim and his team for over two years as a consultant in building out a series of CRQ models focusing on high risk areas within the organization. The success that Jim and other clients have had by implementing CRQ as a key enabler for risk based business decisions has been a game changer. Whilst the above is but one real life example of the benefits of CRQ, I was left reflecting on the challenges and roadblocks that my clients had typically faced in setting up robust CRQ programmes.
Challenge #1: How do I get started with CRQ?
There is an increasing interest in developing robust CRQ programmes but often customers struggle with getting started. Frameworks such as the factor analysis of information risk (FAIR) have been advocated as the industry standard. However, while the FAIR approach is a good starting point, as one progresses to implementation it quickly unravels and its limitations are exposed.
Challenge #2: What data do I need to build a model and where do I get the data from?
The data challenge is significant. Most clients have large amounts of data but struggle to identify the key data sources and are unable to assess the completeness and credibility of the data. My clients have typically overcome this by using expert judgments as key inputs to the model, with the result being a subjective assessment of the cyber exposure.
Challenge #3: How effective are the current controls in reducing risk?
Controls are foundational in influencing the results of a CRQ model and determining the efficacy of controls is at best subjective. Every client that I have worked with has a different view on the effectiveness of controls within their organization, for example, one client assumed that having best in class controls would mitigate risk by 75% whilst another client assessed the efficacy of controls to be 95%.
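To make Challenges #2 and #3 concrete, here is a small, added example (it is not code from the original post, nor from Balbix or the FAIR standard) of the kind of Monte Carlo model that turns expert-judgment inputs into an inherent and a residual annual loss figure. It follows a simplified FAIR-style decomposition: a threat event frequency and a per-event loss magnitude are each captured as a min / most likely / max estimate (the typical form of the expert judgment mentioned under Challenge #2), and control effectiveness is applied as the fraction of threat events that controls stop. The scenario values, the 0.75 and 0.95 effectiveness levels, and the function names are all constructed for illustration; running it shows how much the residual figure swings between the two client assumptions described above.

```python
import math
import random
from dataclasses import dataclass


# Constructed, illustrative inputs for a single ransomware scenario. These are
# assumptions made for this example, not figures from any real organisation.
@dataclass(frozen=True)
class Scenario:
    name: str
    tef_min: float    # threat event frequency per year: min / most likely / max
    tef_mode: float
    tef_max: float
    loss_min: float   # loss magnitude per successful event (CAD): min / most likely / max
    loss_mode: float
    loss_max: float


RANSOMWARE_SITE = Scenario(
    name="ransomware at a manufacturing site",
    tef_min=0.2, tef_mode=0.5, tef_max=1.5,
    loss_min=2e6, loss_mode=10e6, loss_max=60e6,
)


def pert_sample(rng: random.Random, lo: float, mode: float, hi: float, lam: float = 4.0) -> float:
    """Draw from a Beta-PERT distribution, the usual way a min / most likely / max
    expert estimate is turned into a distribution in FAIR-style models."""
    alpha = 1.0 + lam * (mode - lo) / (hi - lo)
    beta = 1.0 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(alpha, beta) * (hi - lo)


def poisson_sample(rng: random.Random, mean: float) -> int:
    """Number of events in a year given an expected rate (Knuth's method,
    adequate for the small annual rates used here)."""
    limit = math.exp(-mean)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(scenario: Scenario, control_effectiveness: float,
                         trials: int = 40000, seed: int = 2024) -> dict:
    """Monte Carlo over `trials` simulated years.

    Loss event frequency = threat event frequency x (1 - control effectiveness);
    the annual loss is the sum of the loss magnitudes of that year's events.
    Effectiveness 0.0 gives the inherent view, anything higher a residual view."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be between 0 and 1")
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        tef = pert_sample(rng, scenario.tef_min, scenario.tef_mode, scenario.tef_max)
        lef = tef * (1.0 - control_effectiveness)
        events = poisson_sample(rng, lef)
        annual.append(sum(
            pert_sample(rng, scenario.loss_min, scenario.loss_mode, scenario.loss_max)
            for _ in range(events)
        ))
    annual.sort()
    n = len(annual)
    return {
        "mean": sum(annual) / n,                 # annualised loss expectancy
        "p50": annual[n // 2],
        "p90": annual[int(0.9 * n)],
        "p_any_loss": sum(1 for x in annual if x > 0) / n,
    }


def compare_control_assumptions(scenario: Scenario,
                                effectiveness_levels=(0.0, 0.75, 0.95)) -> dict:
    """Run the same scenario under each control-effectiveness assumption so the
    sensitivity of the residual figure to that single input is explicit."""
    return {e: simulate_annual_loss(scenario, e) for e in effectiveness_levels}


if __name__ == "__main__":
    results = compare_control_assumptions(RANSOMWARE_SITE)
    inherent = results[0.0]["mean"]
    print(RANSOMWARE_SITE.name)
    for eff, stats in results.items():
        print(f"  controls {eff:4.0%} effective: mean annual loss CAD {stats['mean'] / 1e6:5.1f}M, "
              f"p90 CAD {stats['p90'] / 1e6:5.1f}M, P(any loss in a year) {stats['p_any_loss']:.2f}, "
              f"{1 - stats['mean'] / inherent:.0%} below inherent")
```

Because control effectiveness scales the event frequency directly, the residual annualised loss at 95% effectiveness comes out roughly five times lower than at 75%, with the same scenario inputs: this is exactly why the disagreement between clients on control efficacy matters, and why the effectiveness assumption deserves as much evidence and challenge as the loss estimates themselves.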
Challenge #4: What risk remediation activities should be prioritized to reduce risk?
CRQ models typically put a spotlight on high risk areas (often driven by the scenarios being modeled) and attempt to provide high level recommendations for risk mitigation. Whilst this is a step in the right direction, clients typically struggle to justify the business value of these remediation actions.
Challenge #5: How do I communicate the output from the model in a meaningful way?
Linked to the above point, actionable insights are a must for CRQ models. Furthermore, these insights should be quantified and communicated in dollars (or another local currency) and expressed in a consumable manner for senior management, the C-suite and the Board. Clients struggle with defending estimates of risk measured in specific dollar amounts.
There are many ways to answer the above questions and over the last few years a number of CRQ vendors have appeared on the market to try and do so. Most vendor solutions attempt to solve one or maybe two pieces of the puzzle. Whilst these solutions are a good starting point, they haven’t been able to offer a comprehensive dynamic CRQ solution that addresses all the pain points mentioned above.
This is where Balbix comes in!
Balbix is the only solution that:
- Identifies the entire inventory (hardware, software, on prem and cloud). It does so by ingesting data from existing security tools, performing correlation, deduplication and normalization to produce a unified asset inventory.
- Detects, enumerates and assesses breach risk against all known vulnerabilities.
- Maps the deployment of cybersecurity tools and assesses their effectiveness.
- Provides an up-to-date and monetized view of cyber risk for Board consumption.
Now let’s revisit the real life scenario described above but with the Balbix CRQ platform being deployed at Jim’s organization. The Balbix platform would have provided Jim in real time with a unified asset inventory, identified critical vulnerabilities against each asset (and not just the key assets in Romania), proposed risk based prioritization and provided a breach impact in Canadian dollars for Board consumption. Assuming the risks to the manufacturing assets identified by Balbix had been remediated, the business impact would be negligible. With the help of Balbix’s automation capabilities and AI driven models, Jim would have been able to stay ahead of the adversary and communicate the business impact of security risk, making him a superstar at his organization.
I joined Balbix to supercharge the CRQ offering and to ensure all our customers achieve the level of success that Jim would have had he deployed Balbix!
Balbix has all the key ingredients to be super successful in the CRQ space – visionary leadership, a fantastic product offering and a great team. I am delighted to be part of the Balbix family as we move onwards and upwards!