In this new-age economy, organizations either digitize or perish. It is estimated that about 85% of business assets are in digital form. While digitization creates opportunities, it comes with sizeable risk; but when those risks are managed well, digitization can turn out to be a boon.
COVID-19 has accelerated the digitization process.
Cyber risk is one of the top risks of doing business across geographies. Management and the board want to know about their cyber risk and, more importantly, what it means for the business.
i. Complying with broad-based standards like ISO 27001:2013 or NIST-CSF, or vertical/use-case specific ones like PCI-DSS or SOC2:
While this helps establish security hygiene, it is not sufficient, because:
It produces a point-in-time report.
Threats are changing on a daily basis.
Even when the identified gaps are fixed, the resulting posture is not known until the next assessment, which is typically six months to a year away. Until then, organizations are blind to ongoing risks.
ii. Performing Vulnerability Assessments (VA): Given the diverse IT environments, across the cloud and on-premise, the VA is performed on different asset types. The issues found are many, typically numbering in the thousands, and are classified as High, Medium or Low using CVSS, which is a constant. This raises several problems:
Normalizing findings from various reports, each with its own rating/scoring mechanism.
The sheer number of issues: no organization can fix them all, so how should they be prioritized?
The CVSS score is constant; the situation and context of the affected asset are not taken into consideration.
Compensating controls that may already be in place are not taken into consideration.
Gaps may exist in management’s understanding of reports.
Given limited resources, no organization can fix all issues and be “100% secure”.
Spending more on security does not mean a better posture.
Cyber insurance is not a substitute for security.
Organizations fix security issues not because they want to, but because they have to, and with minimal investment.
They care only about what the issues mean to their business and how they can be dealt with effectively. Risks are weighed and decisions are taken, which brings us back to the point: cyber risk is a business risk.
Cyber Risk should be treated as Enterprise Risk and managed accordingly.
Risk, in simple terms, means anything that can cause harm. Assessing risk means identifying all the vulnerabilities and translating them into the impact they can have on the organization.
If you can’t measure it, you can’t improve it!
Knowing the exposure, management can decide, after considering its risk appetite, whether to accept or mitigate the risk, and allocate the investment needed accordingly.
Digital exposure is an aggregate of all the risks.
An ideal solution would be to adopt a risk management model which identifies, analyses and prioritizes the risk. As each organization is unique, the organizational context must be considered while assessing the risk. The threat landscape is ever changing, so the model must be continuous and must also factor in threat intelligence.
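To make the two points above concrete (the problems of normalizing scanner findings and ignoring context and compensating controls, and the idea of a model that prioritizes risk and aggregates it into an overall exposure), here is a small context-aware prioritization model. It is an added illustration and is not Seconize or DeRisk Centre code; the scanner names, findings, weighting tables and the 1.5x threat-intelligence multiplier are all constructed assumptions.

```python
"""Context-aware vulnerability prioritization (illustrative model).

Added example, not Seconize/DeRisk Centre code. All weights, scanner
names and findings below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Map a scanner's native severity labels onto the CVSS 0-10 scale so that
# reports from different tools can be compared. Mapping is an assumption.
LABEL_TO_SCORE = {"critical": 9.5, "high": 8.0, "medium": 5.5, "low": 2.5, "info": 0.0}

# Business context chosen by the organization (assumed values).
ASSET_CRITICALITY = {"crown_jewel": 1.0, "important": 0.5, "standard": 0.25}
EXPOSURE = {"internet": 1.0, "partner": 0.5, "internal": 0.25}


@dataclass
class Finding:
    finding_id: str
    asset: str
    title: str
    source: str                      # scanner that produced the finding
    raw_severity: object             # float CVSS score or text label, per scanner
    criticality: str                 # business criticality of the asset
    exposure: str                    # network exposure of the asset
    exploited_in_wild: bool = False  # threat-intelligence flag
    controls: list = field(default_factory=list)  # (name, effectiveness 0..1)


def normalize_score(raw) -> float:
    """Bring a scanner-specific severity onto the 0-10 CVSS scale."""
    if isinstance(raw, (int, float)):
        return max(0.0, min(10.0, float(raw)))
    return LABEL_TO_SCORE[str(raw).lower()]


def residual_control_factor(controls) -> float:
    """Compensating controls reduce risk; treat them as independent layers."""
    factor = 1.0
    for _name, effectiveness in controls:
        factor *= 1.0 - max(0.0, min(1.0, effectiveness))
    return factor


def contextual_risk(f: Finding) -> float:
    """The constant CVSS score, adjusted for asset context, threat intel and controls."""
    base = normalize_score(f.raw_severity)
    context = ASSET_CRITICALITY[f.criticality] * EXPOSURE[f.exposure]
    threat = 1.5 if f.exploited_in_wild else 1.0   # assumed multiplier
    risk = base * context * threat * residual_control_factor(f.controls)
    return round(min(risk, 10.0), 2)


def prioritize(findings):
    """Return findings ordered by contextual risk, highest first."""
    return sorted(findings, key=contextual_risk, reverse=True)


def aggregate_exposure(findings) -> float:
    """Organization-wide exposure as the sum of contextual risk scores."""
    return round(sum(contextual_risk(f) for f in findings), 2)


def sample_findings():
    """Constructed findings from two hypothetical scanners with different scales."""
    return [
        Finding("F-1", "build-box-07", "Outdated library", "scanner_a", 9.8,
                "standard", "internal", controls=[("virtual patch", 0.75)]),
        Finding("F-2", "payments-api", "Auth bypass", "scanner_b", "High",
                "crown_jewel", "internet", exploited_in_wild=True),
        Finding("F-3", "crm-web", "Weak TLS config", "scanner_b", "Medium",
                "important", "internet"),
        Finding("F-4", "portal", "Verbose errors", "scanner_b", "Low",
                "crown_jewel", "internet", exploited_in_wild=True,
                controls=[("waf rule", 0.75)]),
    ]


if __name__ == "__main__":
    findings = sample_findings()
    for f in prioritize(findings):
        print(f"{f.finding_id} {f.asset:14} CVSS={normalize_score(f.raw_severity):4} "
              f"risk={contextual_risk(f)}")
    print("aggregate exposure:", aggregate_exposure(findings))
```

Note how the finding with the highest raw CVSS score (F-1, 9.8) ends up last once its internal placement, low-value asset and compensating control are weighed, while a "High" label from a different scanner on an internet-facing crown-jewel asset with known exploitation rises to the top. The aggregate is what management would compare against its risk appetite; rerunning the model whenever scans or threat intelligence change is what makes it continuous rather than point-in-time.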
DeRisk Centre helps organizations understand their security posture and the exposure resulting from their digital assets. Organizations can allocate resources economically by following the prioritized recommendations, thereby achieving an acceptable risk posture while concurrently ensuring compliance.
Seconize is a cloud-based, automated, holistic risk assessment offering that provides a unified view of cyber risk for the entire organization.
Seconize enables executives to know the security profile, the overall exposure, and the investments needed to bring the risk posture to acceptable levels. The CISO has real-time visibility across the entire organization, and the IT team can get to the root cause of a problem quickly and apply the appropriate remediation.
Seconize enables organizations to manage their cyber risk, optimize security spend and ensure compliance.