The move toward risk-based security is gathering momentum, and enterprises are increasingly focusing security effort where it is needed most. The most common way of assessing a risk is to estimate first the likelihood of a security incident or breach occurring and then the impact if it does. The objective of risk-based security is to prioritize mitigation of the risks that could cause the greatest harm to the organization.
Each organization sets its own tolerance levels, which define the bands for likelihood and impact. For example, if the likelihood of a risk materializing is below 20%, it could be classified as "unlikely." If the impact is judged "minor and containable" or "affects short-term goals only," it could be classified as "low." Multiplying likelihood by impact gives a risk rating (in practice this is a lookup in a risk matrix, since the bands are ordinal labels rather than true numbers): in this instance the resultant rating would be "minimal," and the controls required to address the risk would be relatively light (e.g., a company user ID and password protecting a piece of data that would cause no problems if exposed). The greater the likelihood of the risk occurring and the greater the impact, the higher the risk rating, and the more stringent the security controls that should be applied.
One of the areas that would benefit most from a risk-based approach is patching. A check in early February showed the US National Vulnerability Database (NVD) holding 112,573 vulnerabilities of varying severity (low, medium, high). Faced with this volume, enterprises face a mountainous challenge: working through scans of their environment to find out which vulnerabilities apply to them and then deciding on an action plan. Such a plan generally starts at the top of the list, addressing the vulnerabilities with the highest NVD severity first. However, those may not be the most critical vulnerabilities for that particular organization: a severity score describes the vulnerability in isolation, not the asset it sits on, how exposed that asset is, or whether an exploit is circulating.
With a risk-based approach, each vulnerability that applies to the environment is assessed in context to decide whether fixing it on a specific IT asset should be prioritized. At this scale the assessment cannot be done manually, but enterprises can use automation to perform the prioritization in the context of their own organization.
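The following is an added example, not code from the original briefing, showing what the likelihood-times-impact matrix described above looks like when applied to scan results: each finding gets a likelihood band (using the "below 20% is unlikely" threshold from the text; the other band edges, the weights in the likelihood heuristic, the impact labels and the rating cut-offs are all assumptions made for illustration), the band is combined with the organization's own impact classification of the affected asset, and the findings are ranked by the result rather than by NVD severity alone. The vulnerability identifiers, asset names and scores are constructed sample data, not real CVEs.

```python
"""Risk-based vulnerability prioritisation (added example, not from the original page).

Likelihood and impact are each mapped to an ordinal band, the bands are
combined in a risk matrix, and findings are ranked by the result instead of
by NVD/CVSS severity alone. Band thresholds, heuristic weights and sample
data are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# Likelihood bands: (upper bound exclusive, label, ordinal score).
# "Below 20% is unlikely" comes from the text; the remaining edges are assumed.
LIKELIHOOD_BANDS = [
    (0.20, "unlikely", 1),
    (0.50, "possible", 2),
    (0.80, "likely", 3),
    (1.01, "almost certain", 4),
]

# Impact bands as an organisation might classify its own assets (assumed labels).
IMPACT_SCORES = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Risk matrix: likelihood score x impact score -> rating (assumed cut-offs).
RATING_CUTOFFS = [(2, "minimal"), (4, "low"), (8, "moderate"), (12, "high"), (16, "critical")]


@dataclass
class Finding:
    vuln_id: str          # constructed placeholder, not a real CVE identifier
    asset: str
    cvss_base: float      # NVD-style base score, 0.0-10.0
    internet_facing: bool
    exploit_public: bool
    asset_impact: str     # the organisation's own impact classification


def likelihood_band(probability: float) -> tuple[str, int]:
    """Map a probability in [0, 1] to its (label, ordinal score) band."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for upper, label, score in LIKELIHOOD_BANDS:
        if probability < upper:
            return label, score
    raise AssertionError("unreachable: bands cover [0, 1]")


def risk_rating(likelihood_label: str, impact_label: str) -> tuple[int, str]:
    """Combine two band labels through the matrix; returns (product score, rating)."""
    l_score = next(s for _, lbl, s in LIKELIHOOD_BANDS if lbl == likelihood_label)
    i_score = IMPACT_SCORES[impact_label]
    product = l_score * i_score
    for cutoff, rating in RATING_CUTOFFS:
        if product <= cutoff:
            return product, rating
    raise AssertionError("unreachable: cut-offs cover 1..16")


def estimate_likelihood(f: Finding) -> float:
    """Assumed heuristic: exposure and a public exploit dominate; CVSS adds a margin."""
    p = 0.05
    if f.internet_facing:
        p += 0.35
    if f.exploit_public:
        p += 0.35
    p += 0.02 * f.cvss_base   # 0.0-0.20 contribution from the base score
    return min(p, 1.0)


def assess(f: Finding) -> tuple[int, str, str]:
    """Return (matrix score, rating, likelihood label) for one finding."""
    label, _ = likelihood_band(estimate_likelihood(f))
    score, rating = risk_rating(label, f.asset_impact)
    return score, rating, label


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Rank by matrix score (descending); CVSS base is only the tie-breaker."""
    return sorted(findings, key=lambda f: (assess(f)[0], f.cvss_base), reverse=True)


def nvd_order(findings: list[Finding]) -> list[Finding]:
    """The 'start at the top of the list' ordering: CVSS base score only."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


# Constructed sample scan results (placeholder identifiers and assets).
SAMPLE = [
    Finding("VULN-A", "lab-test-vm", 9.8, False, False, "low"),
    Finding("VULN-B", "payments-api", 6.5, True, True, "critical"),
    Finding("VULN-C", "hr-portal", 7.5, True, False, "high"),
    Finding("VULN-D", "build-server", 8.8, False, True, "medium"),
]

if __name__ == "__main__":
    print("NVD order :", [f.vuln_id for f in nvd_order(SAMPLE)])
    print("Risk order:", [f.vuln_id for f in prioritise(SAMPLE)])
    for f in prioritise(SAMPLE):
        score, rating, label = assess(f)
        print(f"{f.vuln_id} on {f.asset}: {label} x {f.asset_impact} = {score} -> {rating}")
```

On the sample data the NVD ordering (A, D, C, B) is the exact reverse of the risk ordering (B, C, D, A): the CVSS 9.8 finding sits on an isolated lab machine holding nothing of value, while the CVSS 6.5 finding sits on an internet-facing payment service with a public exploit. The likelihood heuristic is deliberately simple; in a real deployment it would be fed by asset inventory, exposure data and threat intelligence, which is the automation the text refers to.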
The benefit of a risk-based approach to security is that scarce resources, people and money, go where they are needed most. In the vulnerability example, the highest risks are mitigated first, making it clear to resource-strapped teams where to focus their efforts. The knock-on effect is that enterprises are better protected against security incidents and breaches, which is the objective of every organization that takes cybersecurity seriously.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer. To receive this newsletter by email, please contact us.