It’s the question that every security leader dreads, but it’s the most understandable query from their senior stakeholders: “How secure are we?”
I’d say that, of all the risks executive leaders face, cyber security risk is one of the most challenging to understand and quantify accurately. Their concerns about cyber safety come from several sides. As a baseline, the proliferation of IT across our professional and personal lives and the seemingly limitless pace of change have many IT users questioning the safety and security of the IT tools they use. On top of this, executive leaders worry about how they can deliver shareholder value while protecting the organisation’s assets. The almost daily media coverage of incidents, vulnerabilities, scams, ransom demands and data loss make it easy to see why leaders require reassurance on their cyber security position. Not only in language they understand but in terms that allow them to easily track and compare cyber risk with their other concerns.
The search for clear cyber risk data
CISOs have been looking for an easy and visual way to answer the big ‘how secure are we?’ question for a while now. The sheer range of innovative and colourful solutions that seek to quantify and visualise cyber risk highlights the complexity of the task. For many years, a lot of CISOs chose the multi-box heat map to demonstrate the risks they faced. On the plus side, this is undoubtedly a useful way to show the impact and likelihood of risks in an easy-to-understand picture. But on the flip side, it can be seen as over simplifying the challenge and failing to provide the detail that allows different risks to be compared at a board level.
At the heart of the problem is the fact that identifying and articulating risks into a common format is often different between organisations, and a risk representation often ends up being abstracted up to a macro-level concern with little science or evidence as to why or how it made it onto the list. The root of the challenge is the range of information that the CISO needs to show. Often, they want to show what the risks are and how they’re being managed, as well as how that risk moves from an individual concern at a fundamental level and then continues up into a collection of concerns with a single value.
If they can’t show how a set of problems come together to form a multi-faceted combined board-level risk, it’s very hard to show where the issues are and the steps they’re taking to mitigate or rectify them. For example, some big things are clearly problematic – such as not having control over assets coming on or off an estate – but being able to easily visualise and demonstrate how fixing this problem reduces exposure, or being clear on the magnitude of impact with any certainty, can be much harder to explain.
Using our organisation as a test bed
Facing similar challenges, we set out to explore ways of identifying and representing risk in a way that would allow us to drill into the individual specific concerns at the same time as combining them into group and organisational level risks.
There were three core factors to take into account:
Risk goes beyond technology, and we needed a real-world view on the likelihood of adverse events and their potential impact. It needed to consider the risks generated by the users of our IT as well as the levels of adherence to, and maturity of, our processes and policies.
Like many global organisations, we rely very heavily on an ever-changing list of thousands of partners, suppliers and joint ventures to deliver our services and this influences the risks our business faces.
It was important to make the most of our existing significant investment in cyber tooling and intelligence capability to enrich our operational view of cyber security. We needed to draw on this resource to gain further insight into micro-level issues that we may not have considered but that, when grouped together, could be material.
It was critical that our key output provided a method of measuring and scoring all risks in a consistent way across individual and groups of assets. It also needed to convert the risk impacts into financial terms. This would allow us to compare cyber risks against other issues concerning stakeholders, and would help build return on investment criteria for cyber security programmes.
Preparing for dynamic and automated risk assessment
It’s clear that, from an innovation perspective, the future of IT, networking and security is likely to be a lot more dynamic and automated. I expect that concepts at scale, such as Zero Trust, will require policy engines that can consume telemetry, apply policy and dynamically adjust individual access to services in real time. The ultimate, ubiquitous policy engine to undertake these changes is still being developed, but we are ready to feed these tools with risk information that will allow context in the decision-making engine, and this forms a key part of the strategy for our Eagle-i threat platform.
To support our cyber security portfolio, we’ve made a strategic investment in a risk quantification company, Safe Security. The SAFE (‘Security Assessment Framework for Enterprises’) platform allows organisations to take a health check of their existing defences and understand their likelihood of suffering a major cyber attack. We’ll use the SAFE platform as part of our managed security services to provide customers with a real-time view of how safe they are against an incredibly fast-moving cyber threat landscape. SAFE is unique in calculating a financial cost to customers’ risks and giving actionable insight on the steps that can be taken to address them.
International Data Corporation (IDC) recognises the value of our investment. Joel Stradling, Research Director, European Security at IDC, said: “BT’s investment in SAFE Security allows BT to layer on risk quantification and breach prediction capabilities along with visibility and control features that are available in its Eagle-i platform. The result? A single integrated, fully managed service for European customers.”
Helping you know the score
I see these developments as a huge step towards building the capability to quantify, visualise and articulate enterprise risk to senior stakeholders. At the same time, it will help in identifying and reporting specific risks to assets, policies, people and suppliers which we can resolve or mitigate. This not only delivers operational visibility and helps resolve issues. It also allows us to show how fixing specific findings and resolving many micro-level issues reduce the top-level risks that we face, before representing it as a risk score.