The time is right for an empirical, quantitative risk management measure
Media coverage of cybersecurity stories often focuses on large-scale data breaches and debilitating malware attacks. As attacks (both large and small) continue to grow in frequency, the American public may have become desensitized to these breaches. That is concerning, because more than ever, companies and their customers should pay closer attention to evolving cybersecurity issues and how they can play a part in mitigating threats.
A recent FICO report, conducted by research and consultancy firm Ovum, shows that senior executives at U.S. firms think their cybersecurity protection is top-notch. The survey reported that 68 percent of respondents said their firm was better prepared than their competitors, and 37 percent said their firm was a top performer. On the surface, there appears to be a disconnect.
To investigate this disparity further, we must consider that information security has historically been viewed in terms of absolutes: a network was either secure or it was not. In reality, this is an oversimplification. Security risk is relative and involves a wide range of factors, some of which fall under the direct control of an organization and others which do not. Nobody is impervious to breach, and there is no silver bullet.
The best path forward requires a risk-based approach to security that looks beyond transient threats and focuses on technology as well as human-based factors such as skills, training, intent and diligence.
An empirical benchmark
Recently, our company partnered with the U.S. Chamber of Commerce to create the quarterly Assessment of Business Cybersecurity (ABC). The ABC is based on the FICO Cyber Risk Score and utilizes technology that continually measures and monitors billions of cyber risk indicators around the globe. We apply machine learning to interpret the security practices of organizations that ultimately did, and did not, suffer a verified data breach.
By identifying the signals most commonly shared across organizations that have suffered material breach events in the past, we can look for similar traits in other organizations and project their forward-looking breach risk. The aggregate scores of more than 2500 U.S. businesses, both privately held and publicly traded, were used to develop the ABC, which reflects forward-looking security risk across the U.S. economy as well as within specific industry sectors. Organizations can compare their own results to their sector score.
The ABC is a measure of risk that evaluates both the threat picture and organizational effectiveness in dealing with it. FICO’s Cyber Risk Score takes into account both the threat landscape impacting the organization (based on size and sector-specific risk profiles) and the measured cyber posture of the individual organizations in the assessment.
Risk across industry sectors varies widely due to environmental factors. For example, banks face a steadier cadence of aggressive attacks than construction companies. With respect to the ABC, a lower sector score does not imply that banks’ security defenses are inferior, but rather that they are under more pressure from bad actors looking to steal money, data, or both. Risk is at the intersection of threat and preparedness.
Improving the status quo
Addressing over-confidence in cybersecurity requires a shift in the conversation from technological absolutes to empirical, quantitative risk management. As this shift occurs, it’s common to hear executives ask, “How do I improve my score?” While there are many dimensions to this question, I can share the most common improvement area as measured across more than 2500 U.S. businesses.
Larger organizations, with more complex networks, often don’t recognize the full inventory of their assets. Frequently, organizations own active infrastructure that (1) has simply been forgotten, (2) came in through an acquisition but was never integrated, (3) was presumed to be decommissioned but is still active, or (4) was set up as temporary or as part of a skunk-works project and was subsequently allowed to persist in an undermanaged state. If these assets are unknown within the organization, it’s easy to see how over-confidence in security practices would be a likely conclusion: a posture assessment that covers only the known assets overstates the coverage of the organization’s defenses.
The objective measurement provided by the U.S. Chamber’s Assessment of Business Cybersecurity and the FICO Cyber Risk Score should give U.S. companies actionable insight to address categorical over-confidence about their own cyber defenses.