By Reuven Aronashvili, Founder & Chief Executive Officer at CYE
In 2021 the number of ransomware attacks doubled, the number of supply chain attacks tripled and threats from state-backed hackers continue to rise. While sectors like finance and healthcare suffered more than others, attacks are up across the board and everyone is vulnerable.
It is now basically inevitable that most organizations will experience some type of cyberattack. That means there must be a shift in attitude from pure prevention, which is no longer realistic, to fully understanding a company's exposure to cyber risk and the tools needed for smarter planning and comprehensive decision-making.
Putting risk exposure, that is, the cost and likelihood of a potential breach, into dollar terms is more important than ever for organizations. This is the only way that companies will be able to protect themselves in the long run and strengthen themselves as they shift the cybersecurity of their organization from a cost center to a business differentiator and even a market advantage. So how exactly can organizations do this?
While the CISO is in charge of security, this is no longer the realm of the CISO alone. Security is a valuable business asset, and a business risk, and the entire C-suite needs to be involved, including having CISOs sit on management boards. Cybersecurity is increasingly affecting productivity and daily operations in every sector, with attacks or breaches potentially stopping or interrupting operations for hours or days. When cyberattacks interrupt business, as seen in cases like the shutdown of the Colonial Pipeline last year, they demand action far beyond technical mitigation. Such situations call for public relations, changes in business operations, legal action and more. Responding to attacks involves all departments, and so should planning for attacks and defining security strategy. Rather than being seen as merely in charge of security, today's CISOs should be seen as an essential bridge between business and technical concerns, leading a collaborative effort to protect the organization.
Embrace automatic tools to quantify risk and exposure
In order to have a truly holistic approach to cybersecurity, everyone, including non-technically-minded executives, needs to understand the risk and the possible solutions. This means that the risk and the company's exposure to potential threats need to be translated into and explained in dollar terms. A proper risk exposure calculation will take into account each asset, the likelihood of it being attacked and the consequences of such an attack. This way companies can effectively invest in the proper solutions and decide what is worth protecting, and at what cost.
Automation, data and AI play a growing and important role in calculating exposure. The internet is full of cyber risk calculators, and many security companies provide them as well. But most are missing key components and fail to give a breakdown of direct costs, like the price of an in-house IR team, and indirect costs, like fines or crisis communications following a breach. Most also fail to take into account factors like the cost of closing a business, or part of a business, due to an attack.
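The per-asset calculation described above (likelihood times consequence, with direct, indirect and business-interruption costs broken out) can be worked through as an added example; this is illustrative code, not CYE's product or algorithm, and every asset, probability, cost and mitigation figure is constructed for the example, with a ranking of candidate controls by expected loss avoided per dollar.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    breach_probability: float  # annual likelihood of a successful attack (0..1)
    direct_cost: float         # e.g. in-house IR team, forensics, rebuild
    indirect_cost: float       # e.g. regulatory fines, crisis communications
    downtime_hours: float      # expected interruption of the business (or part of it)
    hourly_loss: float         # revenue lost per hour while that part is down

@dataclass
class Mitigation:
    name: str
    asset: str                    # Asset.name this control protects
    annual_cost: float
    probability_reduction: float  # fraction by which breach likelihood drops

def single_loss(asset: Asset) -> float:
    """Cost of one breach: direct + indirect + business-interruption cost."""
    return asset.direct_cost + asset.indirect_cost + asset.downtime_hours * asset.hourly_loss

def annual_exposure(asset: Asset) -> float:
    """Expected annual loss in dollars: likelihood x consequence."""
    return asset.breach_probability * single_loss(asset)

def rank_mitigations(assets: list, mitigations: list) -> list:
    """Return (name, loss avoided per year, net benefit, return per dollar), best first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for m in mitigations:
        avoided = annual_exposure(by_name[m.asset]) * m.probability_reduction
        rows.append((m.name, avoided, avoided - m.annual_cost, avoided / m.annual_cost))
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample figures (hypothetical, not taken from any real assessment).
ASSETS = [
    Asset("billing-db", 0.20, 250_000, 400_000, 48, 10_000),
    Asset("marketing-site", 0.50, 20_000, 5_000, 24, 500),
]
MITIGATIONS = [
    Mitigation("MFA + PAM for billing-db admins", "billing-db", 30_000, 0.50),
    Mitigation("WAF for marketing-site", "marketing-site", 25_000, 0.60),
]

if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name:15s} one breach ${single_loss(a):>12,.0f}  expected/yr ${annual_exposure(a):>10,.0f}")
    for name, avoided, net, roi in rank_mitigations(ASSETS, MITIGATIONS):
        print(f"{name:35s} avoids ${avoided:>10,.0f}/yr  net ${net:>10,.0f}  {roi:.2f}x")
```

With these figures the billing database carries about $226,000 of expected annual loss, so a $30,000 control there pays for itself, while the $25,000 WAF on the low-value site costs more than the loss it avoids.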
That's why we at CYE provide a SaaS solution that maps out attack routes and correlates technical vulnerabilities with business insights, optimizing the reduction of cyber exposure through scientific analysis of the organizational risk profile. This allows the system to assign a dollar amount to each possible breach and to point to exactly where mitigations are needed. These assessments are unique to each company and are based on an algorithm using the most relevant and up-to-date data. It is not a simulation; rather, it delivers a real-life picture of the risk scenario and the bottom-line effect it could have on the business, through advanced algorithms and graph modeling combined with highly experienced "red teams" with national-level experience. This goes along with our company's general approach of helping users understand their security posture within the bigger business picture.
Look for targeted security solutions, and don’t forget about the human factor
CISOs often get distracted by the sheer number of cybersecurity solutions, especially as new ones chasing the latest vulnerabilities are constantly released. This has led to over-differentiation in the sector, with many solutions solving very specific issues. Companies should not only look for more holistic solutions and platforms that address several issues together, but should also make sure the solutions reduce their actual risk exposure, rather than just aiming to solve the latest or trendiest type of general threat.
When implementing solutions, the human team is equally important. Organizations should make sure that the security team knows how to properly execute the tools to get the biggest benefits out of them. Companies should also understand the actors behind the most likely threats, and respond accordingly with specific and qualified cyber talent. This is especially important when it comes to preventing attacks by state-backed actors.
Cybersecurity challenges, and solutions, will only proliferate as the world grows more digital. But the key is matching the solutions to the threats, deciding which threats require the most immediate solutions and mitigation, and accounting for the human factor throughout.
About the Author
Reuven Aronashvili, Founder & Chief Executive Officer at CYE. Reuven is a serial cybersecurity entrepreneur and a national cybersecurity expert. Reuven is an ex-Matzov and a founding member of the Israeli army’s Red Team (Section 21) and Incident Response Team. His expertise is in designing and developing innovative security solutions for governments and multinational organizations around the globe, as well as conducting high-profile security improvement programs. Reuven serves as a trusted advisor for executives in leading Fortune 500 companies and is certified by the US Department of Homeland Security as a world class ICS and SCADA cybersecurity expert. Reuven completed his Master’s degree in Computer Science from Tel-Aviv University, as part of an excellence program during his military service.