Making Infosec Jobs Easier: Assessing and Reporting Breach Risk

Rich campagna
July 23, 2020 | 5 min read | Security Posture

This is post 2 in our series on making infosec jobs easier. The first post covered the job of improving overall security posture.

Assessing and reporting on enterprise breach risk is an important part of the CISO’s role. This holds true whether you just joined the company and you’re trying to develop a baseline, or if you’re a company veteran getting ready for your quarterly board report or a budget review. What’s also true is that, regardless of your tenure, accomplishing this job successfully is never easy.

To start with, it’s typically difficult or impossible to quantify the impact of existing controls in reducing breach risk. Dozens (or more) of point security tools, each of which issues a steady stream of alerts, means a deluge of information that’s hard to grasp in its entirety. Because there is no consistent way to compare something like an unpatched software vulnerability to a weak or stolen password, there is no way to objectively compare one issue to the next.

Outside of the security team, issues of alignment and communication abound. Your team understands the technical details of cybersecurity, while the business speaks a totally different language, making it difficult to find common ground. There simply isn’t a breach risk reporting framework that all stakeholders can understand and appreciate.

Assessing and Reporting Enterprise Breach Risk

In spite of the challenges, we still need to find a way to assess and report on enterprise breach risk. Here’s a typical process that CISOs follow in this effort:

Breach Risk Assessment

Unfortunately, for most of us, the majority of this job is difficult to accomplish. Some aspects aren’t easily done at all, and others rely on time-consuming, manual efforts that still only result in partial coverage.

Heatmap for Breach Risk Assessment

We have designed the Balbix platform with breach risk assessment and reporting in mind, helping to turn those reds into greens so that you can accomplish this goal as quickly and easily as possible, and ensuring that you actually have time to execute once the planning, reporting, and approvals have been completed. Here’s a look at the same job heatmap with the power of Balbix automation at work:

Assessing Breach Risk Heatmap with Balbix

The platform provides out-of-the-box and customizable breach risk reporting built around your organizational structure and processes.

A high-level, CISO/CIO view of enterprise breach risk might look like the dashboard below. Inventory and categorization of all assets are performed automatically and continuously, as is asset criticality analysis, ensuring that the discovery stage is always complete and at your fingertips. This organization has also chosen to view breach risk by business segment, by their largest locations, and by attack vector.

For periodic board reporting on breach risk, the CIO/CISO might create an alternative view that quantifies risk in dollar terms, and shows risk reduction progress over time. The dashboard below has been built to demonstrate progress by business segment, but also for the organization as a whole. It is clear to see that the infosec team has made tremendous progress since Q4 2019, but there is still more progress to be made before they hit their goal risk levels.

Finally, budgeting to further reduce risk is always a hot topic. In this case, you’ll likely want to show the expected impact of proposed controls on breach risk reduction, helping to make a business case and budgeting discussions as painless as possible.

With these customizable tools in your arsenal, the job of assessing and reporting breach risk will no longer be at the top of your list of sources of stress.