The Register

Protecting value at risk – the role of a risk operations center

Partner Content For years, celebrities have insured their body parts for vast sums of money. Mariah Carey allegedly insured her voice and legs for $70 million during a tour, according to TMZ; and Lloyd’s of London was reported to have insured a wide range of celebrity body parts, from restaurateur Egon Ronay’s taste buds to the fingers of Rolling Stones guitarist Keith Richards, which were insured for $1.6 million.

Besides leading to a great headline, each of these deals puts a tangible financial value on an asset that is essential to the person involved. Alongside being an actor or singer, these individuals are businesses in their own right. Those insurance deals assign specific monetary values against risk.

For IT security teams, this kind of exercise can also be useful. Being able to put specific costs against threats to core parts of the business can justify the resources needed to fix or mitigate the problems whose resolution could prevent an attack. Cyber risk quantification, or CRQ, should provide an essential measure that CISOs can use with their boards, and that IT teams can also use to prioritize what they work on.

Getting CRQ right in practice

However, getting CRQ implemented effectively involves more than just the technology. Collaborating with the business on what to measure makes a real difference. Gartner predicted that half of cybersecurity leaders will have tried and failed to drive enterprise risk decision making with CRQ by this year.

Behind this, security leaders have to look at how they manage risk operations over time. We have security operations centers (SOCs) that act as cyber war rooms, collating data and managing incident response after an attack succeeds. What many organizations lack is the same process for risks before they materialize. This ‘peace time’ approach to potential risks prevents incidents and improves the organization’s overall security posture before problems arise.

Building a risk operations center, or ROC, to complement the SOC should make it easier to manage those risks before they turn into real attacks. At the same time, you need a way to manage those possibilities so that you can concentrate on the ones that represent a significant threat to the business. One approach is to examine value at risk: the monetary impact that a threat might lead to, combined with how likely that threat is to materialize. It provides a guide to the impact that a risk might have in language that the rest of the business can understand.

However, there will always be new issues that are discovered, new ways to chain attacks together, or old issues that are now significantly more dangerous than they were in the past. Putting a figure on each of these would be a massive undertaking, and each figure would then be out of date within hours as circumstances change or new threat intelligence is released. Rather than relying on one-off figures that are estimates, teams should look at a continuous approach to risk management.

In practice, this involves getting information from all your IT tools and security products into one place. But instead of the old ‘single pane of glass’ approach, you should aim for ongoing value at risk information that provides specific details on how much is at stake, and what steps can be taken to eliminate or reduce that risk to acceptable levels.

As part of this, it is important to recognize that not all risks are created equal. Using CVSS scores on critical or high-risk issues alone is not enough. Instead, you have to evaluate risk in your environment for its potential impact.

For example, a couple of medium severity software vulnerabilities on their own would be lower on the list than the latest ‘celebrity’ critical vulnerability. But when those issues could be chained together for an automated attack on your business’s revenue-generating applications, the ability to judge risk based on monetary impact suddenly becomes essential.
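The contrast between a CVSS-first ordering and a value-at-risk ordering can be made concrete. The script below is an added illustration, not code from the article or from Qualys; it assumes a simple model in which a finding’s value at risk is the asset’s monetary value multiplied by the probability of exploitation in the planning period and by the fraction of that value lost, and in which two findings that chain are treated as independent steps (likelihoods multiplied) leading to full compromise of the asset. The asset values, finding ids, CVSS scores and probabilities are constructed sample data.

```python
"""Value-at-risk ranking of findings (added example, not the article's code).

Labelled assumptions: value at risk = asset value x exploit likelihood x
impact fraction; a viable chain of two findings has likelihood equal to the
product of the two (independence assumed) and full impact on the asset.
"""
from dataclasses import dataclass
from itertools import combinations

CHAIN_IMPACT = 1.0  # assumption: a successful chain compromises the asset fully


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # money at stake in the asset, e.g. annual revenue it generates


@dataclass(frozen=True)
class Finding:
    id: str
    asset: str
    cvss: float
    likelihood: float       # probability of exploitation in the planning period
    impact_fraction: float  # share of asset value lost if exploited on its own
    chains_with: frozenset = frozenset()  # ids of findings it can be chained with


def value_at_risk(asset: Asset, likelihood: float, impact_fraction: float) -> float:
    """Monetary value at risk for one finding or chain against one asset."""
    return round(asset.value * likelihood * impact_fraction, 2)


def rank_by_cvss(findings):
    """The 'critical and high first' ordering the text says is not enough."""
    return [f.id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_value_at_risk(assets, findings):
    """Rank single findings and viable chains by value at risk, highest first.

    Returns (label, asset name, value at risk) tuples; a chain is labelled
    'A+B' and is considered only when both findings sit on the same asset
    and each lists the other in chains_with.
    """
    asset_by_name = {a.name: a for a in assets}
    rows = []
    for f in findings:
        asset = asset_by_name[f.asset]
        rows.append((f.id, f.asset, value_at_risk(asset, f.likelihood, f.impact_fraction)))
    for f, g in combinations(findings, 2):
        if f.asset == g.asset and g.id in f.chains_with and f.id in g.chains_with:
            asset = asset_by_name[f.asset]
            chained_likelihood = f.likelihood * g.likelihood
            rows.append((f"{f.id}+{g.id}", f.asset,
                         value_at_risk(asset, chained_likelihood, CHAIN_IMPACT)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample data: a revenue-generating order API and an internal HR portal.
ASSETS = [Asset("order-api", 50_000_000.0), Asset("hr-portal", 5_000_000.0)]
FINDINGS = [
    Finding("CRIT-1", "hr-portal", 9.8, 0.9, 0.5),                           # the 'celebrity' critical
    Finding("MED-1", "order-api", 5.3, 0.5, 0.02, frozenset({"MED-2"})),     # medium, chains with MED-2
    Finding("MED-2", "order-api", 6.1, 0.5, 0.02, frozenset({"MED-1"})),     # medium, chains with MED-1
]

if __name__ == "__main__":
    print("By CVSS:", rank_by_cvss(FINDINGS))
    for label, asset, var in rank_by_value_at_risk(ASSETS, FINDINGS):
        print(f"{label:<14} {asset:<10} ${var:,.2f}")
```

Run on the sample data, the CVSS ordering puts CRIT-1 first, while the value-at-risk ordering puts the MED-1+MED-2 chain against the order API far ahead of it, even though each medium finding on its own ranks below the critical. The independence assumption for chained likelihood is a simplification; a team with threat intelligence on automated exploitation would feed a better estimate into `likelihood`.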

For CISOs and security leaders dealing with the board, being able to put risks in terms of money and impact will naturally get their attention and support. Delivering this as ongoing insight into what risks potentially exist and what you are doing to reduce them is even better. It makes it easier to understand why IT security teams take action, or where they need additional investment. That support is easier to win when your approach to risk operations already demonstrates how it protects value at risk.

To change how you track risk operationally, think about the value of your organization’s key assets and what it costs to insure them. Then look at how your security controls and preventative steps can cut that cost. You might not be looking at something as eye-catching as celebrity legs on stage, but you can quantify the value of security in a way that is understandable for the business and demonstrates the ongoing impact your team has.

Contributed by Qualys.
