Shortly after the SolarWinds software supply chain compromise was disclosed, the United States Cybersecurity and Infrastructure Security Agency (CISA) announced its Systemic Cyber Risk Reduction Venture. The venture focuses on the relationship between threat, vulnerability, and consequence, in an effort to develop actionable metrics and quantify cybersecurity risks across US critical infrastructure. Not long after, the UK’s National Cyber Security Centre (NCSC) offered guidance to security teams and IT companies on how to assess whether an organisation was at risk and which actions were needed to mitigate the threat.
The SolarWinds hack and, most recently, the ransomware attack against Colonial Pipeline have elevated the urgent need for governments to change their approach to cybersecurity. The attack surface keeps growing with continued digital modernisation, which makes the ability to prioritise and quantify cyber risks accurately an urgent mission.
Evaluating your cyber risk
“No longer can cybersecurity conversations be purely focused on IT controls, such as network defence,” said Bob Kolasky, CISA Assistant Director for the National Risk Management Centre in the US. “These technical capabilities must be coupled with robust risk-management practices – knowing your major risks, understanding the size of your attack surface, assessing the criticality of your digital infrastructure and then using this awareness to harden systems and add resilience in a targeted and prioritised manner.”
The Systemic Cyber Risk Reduction Venture takes a three-pronged approach to evaluating cyber risk at a national level: building the underlying architecture for cyber risk analysis of critical infrastructure, developing cyber risk metrics, and promoting tools that address concentrated sources of cyber risk.
This new process of risk reduction uses the so-called Rosetta Stone approach, which translates the technical language of security into the language of the business or agency. By quantifying cyber risk, CISOs can express cybersecurity in terms that non-technical agency leaders can understand and support from a policy, budgetary, and procedural perspective. Like many businesses, most government agencies do not know their exposure to any given cyber event, including the potential impact in terms of operational disruption, response costs, and secondary loss. This typically results in a lack of focus on the risks that matter most to the organisation.
The future is cyber risk quantification
Developing cyber risk metrics attaches a monetary value to risk. Organisations can then use these metrics to determine what matters most, to check whether the appropriate controls are in place, and to estimate the potential financial loss if an attack were to succeed. The level of security investment needed to meet the organisation’s risk tolerance can then be determined. This acts as a starting point for private sector companies, particularly those owning or operating critical infrastructure, to improve future decision making.
Cyber risk quantification removes the risk of human error – no longer relying on manual calculation – through automation supported by real-time cyber threat intelligence. Attackers do not take time off, and neither do your agency and its IT infrastructure. Automation becomes a decision support system that operates in real time, as opposed to depending on individuals waiting for lengthy interviews, training, and manual reviews.
The Systemic Cyber Risk Reduction Venture acts as a starting point for improving government and critical infrastructure cybersecurity, and the UK should take note and develop its policies further. Government agencies must prioritise mitigation efforts and understand their immediate cyber risks so that critical energy applications, functions, and data are protected. The time to introduce automated cyber risk quantification, supported by real-time threat intelligence and orchestration capabilities, is now.