Improve cybersecurity program performance with a risk-based approach

Identify, prioritize, protect: How companies can adopt a risk-based approach to cybersecurity.

There is no shortage of data on cybersecurity, given how vast and relevant the topic has become. However, most technology leaders, whether Chief Information Officers (CIOs), Chief Technology Officers (CTOs), IT managers or Chief Information Security Officers (CISOs), know that there is no one-size-fits-all solution, given their diverse needs and the vast scope for applying these technologies.

To help security-program stakeholders and influencers peel through the layers of this topic and understand newer and better ways to deal with cyber threats, Skybox Security, in association with RAH Infotech, organized a discussion on how to improve cybersecurity program performance by taking a risk-based approach.


Plugging holes constantly

When it comes to modern cybersecurity, no single tactic can do it all, given that malicious actors continually develop newer ways to bring down the defenses an organization builds. Debjyoti Guha, Technical Director for Skybox Security, started the discussion by showing some interesting facts from a ThoughtLab survey in May 2022 titled Cybersecurity Solutions for a Riskier World, which covered C-suite decision makers from 1,200 organizations across 16 countries.

The average annual cybersecurity spending in Asia Pacific was amongst the highest at 33%, while it was 25% for the US (including 8% for Canada). However, when broken down by country, the same average for India stood at 4%, which pales in comparison to 17% in the US.

Guha stated that a digitally connected ecosystem creates a wider threat surface, exposing strategic infrastructure to more significant attacks. “Conventional compliance-based cybersecurity maturity models might be unable to discriminate what they need to protect and how. This overarching approach often results in protecting non-critical assets, leaving the more important ones open to threats, which is a waste of time, money, and effort,” he noted.

This evolving threat landscape, together with the mutual dependence of organizations on integrated platforms, has made C-suite leaders feel unprepared to deal with a new world of risk. Around 50% of CEOs, CIOs and COOs say their organization’s growing use of partners and suppliers exposes them to a major cybersecurity risk.

According to an EY Global Information Security Survey, cybersecurity is involved from the planning stage of a new business initiative in only 36% of surveyed organizations. Moreover, 59% of surveyed organizations stated that the relationship between cybersecurity and the lines of business is at best neutral, if not mistrustful or nonexistent.

Turning to the cybersecurity solutions that can counter these threats, it is critical to have a risk-based approach in place that covers both IT and OT. It should be well documented, regularly updated, and tested, so that everyone can act on it when needed.

This is where the prioritization strategy kicks in. First, companies need to identify the cyber risks they are facing or likely to face and then rank their critical assets that need to be safeguarded in order of importance. Next, they also need to determine the cybersecurity solution that is most relevant in covering these risks in terms of coverage while offering a better return on investment.
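The three steps above (identify the risks, rank the assets by importance, then pick the controls that give the best coverage for the money) can be made concrete with a small risk register. The following is an added example, not code from Skybox Security, RAH Infotech or the discussion itself: the assets, threat likelihoods, impact scores and control costs are constructed for illustration, and the scoring formula (criticality times the sum of likelihood times impact) is a common simplification rather than any vendor's method. Control selection is a greedy "most risk reduced per unit of cost" loop under a fixed budget, which is one way of expressing the return-on-investment idea in the text.

```python
"""Risk-based prioritization of assets and selection of controls under a budget.

Added illustration (not from the original article). All figures below are
constructed sample data, not survey or customer numbers.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    criticality: int   # business criticality, 1 (low) .. 5 (crown jewel)
    threats: dict      # threat name -> (likelihood 0..1, impact 1..5)

    def risk(self) -> float:
        """Inherent risk: criticality-weighted sum of likelihood x impact."""
        return self.criticality * sum(l * i for l, i in self.threats.values())


@dataclass
class Control:
    name: str
    cost: float
    coverage: dict     # (asset name, threat name) -> fraction of that risk removed


def rank_assets(assets):
    """Step 2 of the text: order assets by inherent risk, highest first."""
    return sorted(assets, key=lambda a: a.risk(), reverse=True)


def residual_risk(assets, selected):
    """Risk left after applying the selected controls (reductions compound)."""
    total = 0.0
    for a in assets:
        for threat, (likelihood, impact) in a.threats.items():
            remaining = 1.0
            for c in selected:
                remaining *= 1.0 - c.coverage.get((a.name, threat), 0.0)
            total += a.criticality * likelihood * impact * remaining
    return total


def select_controls(assets, controls, budget):
    """Step 3: greedily pick the affordable control with the best
    risk reduction per unit cost until nothing affordable still helps."""
    selected, candidates, left = [], list(controls), budget
    while True:
        current = residual_risk(assets, selected)
        best, best_ratio = None, 0.0
        for c in candidates:
            if c.cost > left:
                continue
            reduction = current - residual_risk(assets, selected + [c])
            ratio = reduction / c.cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            return selected
        selected.append(best)
        candidates.remove(best)
        left -= best.cost


# Constructed sample register: an IT database, an OT controller, a low-value wiki.
ASSETS = [
    Asset("billing-db", 5, {"ransomware": (0.3, 5), "data-theft": (0.2, 5)}),
    Asset("plant-plc", 4, {"ransomware": (0.1, 5), "unauth-access": (0.3, 4)}),
    Asset("intranet-wiki", 1, {"defacement": (0.5, 2)}),
]

# Constructed controls with hypothetical costs and coverage fractions.
CONTROLS = [
    Control("offline-backups", 40, {("billing-db", "ransomware"): 0.7,
                                    ("plant-plc", "ransomware"): 0.7}),
    Control("db-encryption", 30, {("billing-db", "data-theft"): 0.6}),
    Control("ot-segmentation", 50, {("plant-plc", "unauth-access"): 0.8,
                                    ("plant-plc", "ransomware"): 0.5}),
    Control("wiki-waf", 20, {("intranet-wiki", "defacement"): 0.9}),
]

if __name__ == "__main__":
    for a in rank_assets(ASSETS):
        print(f"{a.name:14s} inherent risk {a.risk():5.2f}")
    chosen = select_controls(ASSETS, CONTROLS, budget=100)
    print("selected:", [c.name for c in chosen])
    print(f"residual risk {residual_risk(ASSETS, chosen):.2f} "
          f"of {residual_risk(ASSETS, []):.2f}")
```

With a budget of 100 the greedy loop takes offline backups first (they cover ransomware on both top-ranked assets), then database encryption, then the cheap wiki control, and leaves OT segmentation unfunded because it no longer fits. That last outcome is exactly the kind of result a risk-based review should surface for a stakeholder decision: the second most critical asset still carries most of its risk, and the numbers show what it would cost to change that.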

Making the most of little

Moreover, companies need to deploy their precious security resources to mitigate cyber risks to levels acceptable to stakeholders across the entire ecosystem. That is the very basis of data-driven decision-making. Some participants mentioned that cybersecurity is a risk that will always remain, and while companies would like a proactive approach, they end up having a reactive one.

According to Ashish Bele, National Sales Director at RAH Infotech, this occurs largely because various systems operate in silos, which makes it challenging to contain breaches. And while there is talk about automation in cybersecurity, it is easier said than done.

Another participant concurred, noting how even automation requires some manual intervention, making the entire process an exercise in futility at times. Moreover, it can be difficult to pinpoint the exact source of a breach when all systems are automated, given that there are several moving parts.

During the free-wheeling discussion, a CISO pointed out that the biggest hurdle in implementing a holistic cybersecurity policy is getting management buy-in. “When there is a problem, they start looking for a solution, instead of understanding that cybersecurity risk is the business issue,” he said.

Others agreed, noting the need to flip the narrative by convincing the top management about the merits of risk-based cybersecurity. This can be best done by quantifying probable risks and prioritizing assets to get better protection and, in turn, a higher return on investment.

The key takeaway from the discussion was that a risk-based approach to cybersecurity is not just effective, it is also efficient. In addition, it helps companies become more resilient at an organizational level by empowering them to respond suitably to any cyber threat.