What’s the worst that can happen? An Ode to Risk
Risk is a widely used word in many walks of life, but do we understand what it means?
“Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences.”
Cyber security often talks about risk: a high-risk vulnerability, or the risk of an event occurring. So risk relates the probability of an event to its negative outcome. We often talk about likelihood and impact: the chance of something happening, and the effect if it does happen.
As CISOs or cyber security professionals we try to first address the items with the highest risk, that is, the worst combination of likelihood and impact. We call this prioritization.
The reason we need to prioritize is that we can’t fix all the issues, and not every vulnerability is created equal. We all have limited capacity, budget and resources; we need to do the best we can with what we have.
We try to discover risks via reviews of designs and procedures, technical system reviews and testing. Some of these activities are up-front and others are recurring, in order to keep pace with change in the environments we control and the environments we don’t.
Keeping pace with risk is hard; we simply don’t have the manpower or budget to focus deeply on all risks to the business. Again, we need to focus on the risks which are impactful or have a high chance of occurring.
Automation is good for scale and frequency (keeping pace); we can use automation to detect vulnerabilities, but it is weak at determining actual risk (and on its own is prone to false positives). The determination of risk is contextual: it depends on the likelihood, the impact on the systems in question and ultimately the business impact.
Automation is not good at context. Risk is all about context. Without context we can’t determine priority. Without priority we can’t focus on what matters to the business.
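The following is an added example, not code from the original post or from edgescan, showing what "context" means in practice: the same scanner output is ranked once by CVSS base score alone and once by likelihood × impact after adding asset exposure, business criticality, exploit availability and whether a human confirmed the finding. The assets, findings, severity bands and weights are constructed and hypothetical; a real programme would calibrate them to its own business.

```python
"""Context-aware prioritisation of scanner findings.

Added example, not edgescan's code. The assets, findings, severity bands
and weights below are constructed and hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool       # exposure: raises likelihood of exploitation
    business_criticality: int   # 1 (throwaway) .. 5 (revenue/safety critical)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: Asset
    cvss_base: float            # what the scanner reports, context-free
    exploit_public: bool        # known public exploit: raises likelihood
    confirmed: bool             # verified by a human, or scanner-only


def severity_band(cvss_base: float) -> int:
    """Map a CVSS base score to a 1..5 band (none, low, medium, high, critical)."""
    if cvss_base == 0.0:
        return 1
    if cvss_base < 4.0:
        return 2
    if cvss_base < 7.0:
        return 3
    if cvss_base < 9.0:
        return 4
    return 5


def likelihood(f: Finding) -> int:
    """1..5: chance the weakness is actually exercised (assumed weights)."""
    score = 1
    if f.asset.internet_facing:
        score += 2
    if f.exploit_public:
        score += 2
    return score


def impact(f: Finding) -> float:
    """1..5: technical severity blended equally with business criticality."""
    return (severity_band(f.cvss_base) + f.asset.business_criticality) / 2


def risk(f: Finding) -> float:
    """Likelihood x impact (1..25). Unconfirmed findings are discounted by half
    (assumed factor) because automated output alone is prone to false positives."""
    score = likelihood(f) * impact(f)
    return score if f.confirmed else score * 0.5


def prioritize(findings):
    """Return (finding_id, risk) pairs, highest business risk first."""
    return sorted(((f.finding_id, risk(f)) for f in findings),
                  key=lambda pair: pair[1], reverse=True)


def scanner_order(findings):
    """The order a context-free tool would give: CVSS base score only."""
    return [f.finding_id
            for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


# Constructed sample inventory and findings (hypothetical).
DEV_BOX = Asset("dev-sandbox", internet_facing=False, business_criticality=1)
PAYMENTS = Asset("payments-api", internet_facing=True, business_criticality=5)
PORTAL = Asset("customer-portal", internet_facing=True, business_criticality=4)
HR = Asset("hr-intranet", internet_facing=False, business_criticality=3)

SAMPLE_FINDINGS = [
    Finding("F-1", DEV_BOX, cvss_base=9.8, exploit_public=True, confirmed=True),
    Finding("F-2", PAYMENTS, cvss_base=6.5, exploit_public=True, confirmed=True),
    Finding("F-3", PORTAL, cvss_base=7.5, exploit_public=False, confirmed=False),
    Finding("F-4", HR, cvss_base=5.3, exploit_public=False, confirmed=True),
]

if __name__ == "__main__":
    print("scanner order:", scanner_order(SAMPLE_FINDINGS))
    print("risk order   :", prioritize(SAMPLE_FINDINGS))
```

On this sample the scanner alone would put the 9.8 on the disposable dev box first; with context, the 6.5 on the internet-facing payments API with a public exploit ranks highest (risk 20), the dev-box critical drops to 9, and the unverified 7.5 on the portal is held back (6) until a human confirms it is not a false positive.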
In order to move the cybersecurity dial, improve resilience, and detect threats and weaknesses, I believe a combination of automation and human intelligence is required.
At edgescan our mantra is “let’s automate like crazy, but never at the cost of accuracy”.
Accuracy is the combination of a few things: 1. no false positives, 2. appropriate risk rating and 3. depth of coverage. Combining these three aspects results in reliable vulnerability intelligence.
Vulnerability intelligence is actionable and prioritized, and helps focus on what matters; it is a core aspect of the edgescan approach.