August 2, 2022
Cybersecurity risk is dynamic. A company’s exposure to it changes week by week, hour by hour. The bad guys are out there trying to find new and innovative ways to gain access to systems, either to steal money or secrets, or simply to make mischief. The position is further compounded by accidental configuration errors or poorly coded solutions introduced by the company’s own teams just trying to get their everyday jobs done. Meanwhile, the company’s security staff are working to identify and close vulnerabilities.
What this amounts to is an ever changing environment where a company’s exposure to cybersecurity risk is in flux. For me, having spent many years working in the financial sector, this is akin to dynamic financial risks such as market or credit risk where a company’s position can change from day to day. And just as companies monitor and manage financial risk in real-time, they also need a solution to help them understand their exposure to these risk types in near real-time.
This is where Balbix comes in. As far as I am aware there is no other tool on the market that enables a company to dynamically quantify its exposure to cybersecurity risk on an ongoing basis. There are companies that are trying to build their own solutions in house, and I am acutely aware of how much effort that can take. This is why I’m super excited to be helping Balbix as their chief security strategist. Their solution takes a lot of the heavy lifting away and delivers actionable insights. It helps security and risk leaders manage cybersecurity risk exposure as well as board level reporting within a short period of time. It’s also customisable to help business unit leaders or owners of critical business services understand and manage their contribution to the firm’s cybersecurity risk exposure.
Why does this matter now? Cybercrime is on the rise and “cyber perils are the biggest concern for companies globally in 2022” (Allianz Risk Barometer). As the world becomes more and more digitized, cybersecurity risk is rapidly becoming one of the largest risks facing any firm. It is also perhaps the risk least understood by many company boards.
This is undoubtedly a driver behind the recently announced proposals by the United States Securities and Exchange Commission (SEC) to require public companies to disclose how they approach cybersecurity risk management, material cyber incidents, and the level of cybersecurity expertise on their boards. With such an all-pervasive and dynamic risk threatening every company, it is understandable that investors would wish to know that a board has a handle on its cybersecurity risk exposure and that it has the mechanisms in place to manage that exposure to acceptable levels.
As mentioned above, cybersecurity threats are evolving. Every time new attack paths are identified and new vulnerabilities detected, new fixes and countermeasures are created and need to be deployed. By continuously measuring cybersecurity risk exposure, a board can not only gauge its current exposure but also understand how and why that exposure has changed over time. Of course, there will be short-term peaks when new vulnerabilities or new threats are disclosed. The time taken to bring these back down to an acceptable level gives the board an indication of how effective its approach to managing cybersecurity risk is. This is perhaps key in helping boards to understand the dynamic nature of the risk they face and why ongoing investment is required. It also provides a measure of how effective that investment has been.
Balbix enables the board to understand, in relatively short order, the company’s exposure to new threats. When a new threat is identified, the extent to which that threat is relevant to the company can be quickly identified. This means the company board will see a delta in their cybersecurity risk exposure. It also means that a set of remediation tasks that will deliver the most effective reduction in risk exposure can be automatically generated and passed to asset owners for action. Furthermore, since the exposure is continuously updated as the remediation activity is undertaken, the board can have oversight (should it wish) of remediation progress. All without the need for significant manual preparation of dashboards and briefing documents.
Balbix enables automated posture management. Through continuous assessment of vulnerabilities, countermeasures, and threats, CIOs and CISOs can prioritize their approach to managing the organization’s cybersecurity risk exposure in an efficient manner. It enables the organization’s governance function to understand that not every vulnerability needs to be addressed in order to deliver acceptable levels of exposure. This enables an auditable cost-benefit analysis when making remediation decisions.
Maintaining a history of risk exposure over time also facilitates auditing: the trail of decisions taken, and their effect on cybersecurity risk exposure, can be clearly seen. Furthermore, by taking a standardized approach to risk assessment, the risk associated with outstanding issues can be clearly understood and agreed.
A further benefit of having a single tool which continuously monitors cybersecurity risk exposure is the transparency across the business. Risk and audit functions can provide effective and ongoing oversight across business units using the same metrics as the business is using to manage its posture. Reporting is also simplified as dashboards can be created using the same underlying data to satisfy the needs of each business function.
For financial services firms operating in the UK that are required to meet the new Operational Resilience regulations, breach risk for critical business systems and their dependencies can be calculated and tracked. This will help prioritize the development of solutions to ensure recovery or temporary replacement of these critical business services within the published tolerances.
Continuous cyber risk quantification (CRQ), if adopted widely across companies, would also help firms assess their supply chain risk. Sharing cybersecurity risk exposure data between parties would help businesses manage their supply chain risk and enable a co-ordinated response to new threats. In this scenario a company that can demonstrate its ability to manage cybersecurity risk exposure to acceptable levels could have a commercial advantage in winning contracts over those that cannot.
One further advantage of the widespread use of ongoing CRQ tools is that regulators of critical national infrastructure would be able to have a view of risk exposure across the whole sector.
As I mentioned, I’m super excited to be a strategic advisor to Balbix. In my mind Balbix has an industry leading solution which can deliver all of the benefits outlined above, and more. Balbix is the only solution that: