
Tenable Blog


Communicating Business Risk: Why Existing Cybersecurity Metrics Fall Short

How do you communicate the business risk context of your cybersecurity program to your organization’s C-level executives? This is a question I grapple with every day in my role as a cybersecurity leader.

Security and risk management leaders have an arsenal of frameworks and controls at our disposal with which we can measure the most granular facets of our programs. While such metrics are invaluable in helping us manage the day-to-day operations of our teams, they fall short when it comes to finding a way to speak to our business leaders.

When you're interacting at the C-level or even at the audit committee level — which more often than not is the board entity responsible for security — executives want to understand what impact your cybersecurity program is having on the organization’s ability to fulfill its core value proposition. Yet, a global commissioned study of more than 800 business and cybersecurity leaders conducted by Forrester Consulting on behalf of Tenable reveals that 66% of business leaders are — at most — only somewhat confident in their security team’s ability to quantify their organization’s level of risk or security.

This is not to suggest that security leaders are doing something wrong. Rather, it shines a clear spotlight on an unavoidable reality: Current ways of measuring cyber risk don’t provide the business context organizations require. Over half of security leaders surveyed lack confidence that they have the technology or processes to predict cybersecurity threats to their business while roughly two-fifths are unsure they have the data.

Cesar Garza, CISO at Home Depot Mexico in San Pedro, Mexico, describes the challenges in a single word: “Findings.” In an interview with Tenable, Garza said “For us, determining our level of cyber risk is not that hard. We have maturity assessments, vulnerability assessments, penetration tests and all sorts of audits and assessments sent to us by [global corporate headquarters]. The hard part is what to do with all the findings. Most of the findings require investment, OpEx for the rest of eternity, increasing workforce or investing in new technology.”

How do we calculate cyber risk?

Cyber risk is a function of your assets, security controls, threats and vulnerabilities at any given point in time. Without knowing which assets are most critical to your core business value, it’s impossible to arrive at an understanding of which cyber risks represent an actual threat to your business. Once you’ve determined your most critical assets, the next step is to understand which of the tens of thousands of threats and vulnerabilities facing your organization each year actually pose the greatest risk to those core assets.

According to the Forrester study, fewer than 50% of security leaders are framing the impact of cybersecurity threats within the context of a specific business risk. The majority of security leaders polled (56%) are not applying business risk management objectives to their vulnerability prioritization processes. Only half (51%) say their organization works closely with business stakeholders to align cost, performance and risk-reduction objectives with business needs. And just one in four report that they regularly review the security organization’s performance metrics with their business counterparts.

The Forrester study also reveals:

  • More than half of security leaders (56%) say their organization lacks good visibility into the security of their most critical assets.
  • Approximately 60% of respondents report high or complete visibility into risk assessments for on-premises employees, but only 52% can say the same when employees are remote or working from home.
  • Just 51% report having high or complete visibility into systems used by contractors or partners and 55% report the same for their third-party vendors.

You can’t calculate cyber risk without business context

The two most common questions I get asked by senior business leaders and the board include: “Are we secure?” and “How does our program compare to peers?”

But, unlike our business counterparts, security leaders have limited objective data upon which to build the cyber risk equation of assets, security controls, threats and vulnerabilities required to answer both questions. No existing framework captures the entirety of our operation, leaving security leaders to cobble together a hodgepodge of measures. Without an objective measure of the business context for each of our assets, our cyber risk calculations can only take us so far.

Indeed, according to the Forrester study, fewer than half of security leaders consider the industry benchmarking frameworks they use to be very effective in accurately reporting on business risk. And more than half say they are not doing an adequate job benchmarking their security controls.

At the same time, there are so many variables involved in any organization’s attack surface that achieving industry-wide consensus on security metrics is likely to remain a holy grail for the foreseeable future. No organization can ever claim to be 100% secure. All we have is our informed calculation of what’s considered an acceptable level of risk, which allows us to make business decisions about how far to go once we’ve addressed a reasonable level of exposure.

So, how can you work with what you have in order to begin bridging the disconnect between cybersecurity and the business?

There’s no one-size-fits-all answer but we can turn to LafargeHolcim IT EMEA in Madrid for one example. “We evaluate our penetration ratio throughout the different layers of protection in place,” said Jose Maria Labernia Salvador, the company’s head of IT security and internal control, in an interview with Tenable. “This helps our business to understand the potential exposure in our landscape and determine their risk appetite throughout the cybersecurity value chain. Our model is KPI-oriented and is data- or segment-oriented agnostic, as you never know what will be the initial attack vector with potential to move laterally and harm our organization.”

Using the data you have to get to where you need to go

Risk is relative, not absolute. We will always have risk within the enterprise. The question is whether we reduced or increased our risk by taking a particular business action. What the currently available security assessment options do is give you the ability to snap a chalk line, so you have a starting place from which you can begin to identify the work needed to further refine your security program.

At Home Depot Mexico, Garza turns to Tenable.io with Lumin to achieve “visibility in almost real time of our current level of cyber exposure. We can prioritize cyber risks and have all this in one screen.” He noted that the organization is in the process of building an executive dashboard that will give visibility to its C-level executives.

There is no one-size-fits-all approach to identifying the key risk indicators that matter most to your organization. All we can do, as industry professionals, is work together to begin formulating the kinds of business risk metrics that will be most meaningful to C-level business leaders.

To that end, I leave you with the following list of the questions I’ve been asked by boards and C-level executives in the course of my career:

  • What and/or where are our most critical risks, functions, and assets?
    • What are you doing to protect them?
  • How mature is our program compared to the industry and our peers?
    • What is your roadmap to improve our maturity?
  • How is our security program resourced compared to competitors or peers in our industry sector?
  • Are our most business-critical functions more secure today than they were a year ago?
  • What are we doing about (insert latest headline-grabbing vulnerability here)?

My hope is that these will spark your own ideas for other business risk indicators worth measuring so that, collectively, we can find better ways to achieve alignment between cybersecurity and the business.

Read the blog series: How to Become a Business-Aligned Cybersecurity Leader

Blogs in this series focused on the challenges of aligning cybersecurity and business and why cybersecurity leaders struggle to answer the question "how secure, or at risk, are we?". We also examined what COVID-19 response strategies reveal about the business-cyber disconnect, discussed why existing cybersecurity metrics fall short when communicating cyber risk, explored five steps for achieving alignment with the business and provided a view into a day in the life of a business-aligned cybersecurity leader.
