Interview: Tenable CTO on how companies should measure cyber risk

05 Feb 2019

At the recent World Economic Forum, the Global Risks Report identified nation-state cyber attacks as one of the threats to global economic prosperity.

Tenable CTO and co-founder Renaud Deraison spoke on a panel of security experts at the Cyber Future Dialogue event in Davos to develop a call to action and issue a resolution for tackling the upcoming year’s cybersecurity priorities.

Techday spoke to Deraison about how cyber risk is measured and why organisations and governments need to be prepared.

What are the global factors causing the constant increase in cybersecurity attacks?

We’re living in an increasingly connected world, where digital transformation and the proliferation of IoT systems have fundamentally changed the way we work and live.

However, this brave new world of connectivity doesn’t come without its risks.

Rising geopolitical tensions coupled with an expanding attack surface have left governments and organisations vulnerable to targeted attacks on sensitive, high-value information.

The significance of this threat was highlighted in the latest World Economic Forum Global Risk Report 2019, with cyber attacks and the breakdown of critical information both making their way into the top 10 global risks in terms of impact.

And the threat is very real.

Tenable Research recently released its Vulnerability Intelligence Report which reveals that enterprises must deal with an average of 870 unique vulnerabilities a day, with more than 100 of these considered to be critical.

What are the major upcoming cybersecurity priorities for the year ahead?

While the rollout of regulatory frameworks such as the General Data Protection Regulation and the Notifiable Data Breach scheme has made organisations around the world more accountable for their security practices, there is more to be done.

Organisations this year must ensure security strategies address the emerging risks created by an increasingly connected world.

A recent report by the Ponemon Institute and Tenable found that the majority of organisations surveyed (54 per cent) don’t measure, and therefore don’t understand, the business cost of cyber risk.

This is inhibiting their ability to make risk-based decisions backed by accurate and quantifiable metrics, resulting in a lack of actionable insight for the C-suite and board of directors.

In today’s digital economy, cyber risk equates to business risk.

Failure to accurately assess, manage and reduce this risk over time could have a dire impact on the global economy.

Case in point: the devastating 2017 WannaCry ransomware attack.

Global financial and economic losses are estimated to have exceeded $5 billion after the attack infected over 200,000 computers across 150 countries and brought some of the world’s largest companies to a standstill.

How is cyber risk measured – what are its components and what are some of the common misconceptions of what it does or doesn’t entail?

To accurately measure cyber risk, security teams should adopt strategies such as Cyber Exposure, which helps organisations accurately understand and ultimately reduce risk, giving them the visibility and insight to determine where they’re exposed, what to prioritise based on risk, whether exposure is being reduced over time, and how they stack up against their peers.

This includes identifying the business operations and assets most vulnerable, including OT and IoT assets.

Where many companies fall short is relying on traditional KPIs for evaluating business risks, such as quarterly scans and/or targeting critical systems alone.

These are insufficient for understanding cyber risk, as they fail to factor in the business cost, lack strategic direction and don’t offer insight as to how businesses prioritise risk.
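The answer above contrasts a CVSS-or-quarterly-scan view of risk with one that weighs business context and tracks exposure scan over scan. The following is an added worked example, not code from Tenable or from the interview, showing what that difference looks like over a constructed inventory: the asset criticality table, the exploit/internet-facing weights, the `VULN-000x` identifiers and the two scan dates are all assumptions chosen for illustration, not a published scoring standard.

```python
"""Risk-based prioritisation of vulnerability findings (constructed example).

Compares the traditional CVSS-only ordering of open findings with an ordering
weighted by asset criticality, reachability, exploit availability and age, and
sums the weighted scores at two scan dates so the exposure trend is visible.
Assets, identifiers, dates and weights are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed business context: 1 = disposable lab box, 5 = revenue-critical.
ASSET_CRITICALITY = {"web-01": 5, "hr-db-02": 4, "dev-lab-03": 1}
INTERNET_FACING = {"web-01"}

# Assumed weights, chosen to make the trade-offs visible rather than taken
# from any standard.
EXPLOIT_WEIGHT = 1.5      # public exploit code exists
INTERNET_WEIGHT = 1.3     # asset reachable from the internet
MAX_AGE_DAYS = 180        # age factor saturates after six months open
_MAX_RAW = 1.0 * 1.0 * EXPLOIT_WEIGHT * INTERNET_WEIGHT * 2.0  # scales to 0-100


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str                    # placeholder identifier, not a real CVE
    cvss: float                     # base severity, 0.0-10.0
    exploit_public: bool
    first_seen: date                # first scan that reported it
    fixed_on: Optional[date] = None  # scan date on which it no longer appeared


def is_open(f: Finding, as_of: date) -> bool:
    """A finding is open if it had been seen and not yet fixed at as_of."""
    return f.first_seen <= as_of and (f.fixed_on is None or f.fixed_on > as_of)


def risk_score(f: Finding, as_of: date) -> float:
    """CVSS weighted by asset value, reachability, exploitability and age (0-100)."""
    severity = f.cvss / 10.0
    criticality = ASSET_CRITICALITY.get(f.asset, 3) / 5.0  # unknown asset: middle
    exploit = EXPLOIT_WEIGHT if f.exploit_public else 1.0
    reach = INTERNET_WEIGHT if f.asset in INTERNET_FACING else 1.0
    days_open = min((as_of - f.first_seen).days, MAX_AGE_DAYS)
    age = 1.0 + days_open / MAX_AGE_DAYS   # a long-unpatched finding counts for more
    return severity * criticality * exploit * reach * age / _MAX_RAW * 100.0


def cvss_only(findings, as_of):
    """The traditional view: open findings ordered by CVSS alone."""
    return sorted((f for f in findings if is_open(f, as_of)),
                  key=lambda f: f.cvss, reverse=True)


def prioritise(findings, as_of):
    """The risk-based view: open findings ordered by weighted score."""
    return sorted((f for f in findings if is_open(f, as_of)),
                  key=lambda f: risk_score(f, as_of), reverse=True)


def total_exposure(findings, as_of):
    """Sum of open findings' scores: the single number to track scan over scan."""
    return sum(risk_score(f, as_of) for f in findings if is_open(f, as_of))


# Constructed inventory spanning two scan cycles.
FINDINGS = [
    Finding("web-01", "VULN-0001", 7.5, True, date(2019, 1, 5)),
    Finding("dev-lab-03", "VULN-0002", 9.8, False, date(2019, 1, 20)),
    Finding("hr-db-02", "VULN-0003", 8.8, True, date(2018, 12, 1),
            fixed_on=date(2019, 1, 25)),
]
SCAN_JAN = date(2019, 1, 15)   # constructed scan dates
SCAN_FEB = date(2019, 2, 5)

if __name__ == "__main__":
    print("CVSS-only order: ", [f.vuln_id for f in cvss_only(FINDINGS, SCAN_FEB)])
    print("Risk-based order:", [f.vuln_id for f in prioritise(FINDINGS, SCAN_FEB)])
    print(f"Exposure {SCAN_JAN}: {total_exposure(FINDINGS, SCAN_JAN):.1f}")
    print(f"Exposure {SCAN_FEB}: {total_exposure(FINDINGS, SCAN_FEB):.1f}")
```

Run as a script, the CVSS-only list puts the 9.8 finding on the lab box first, while the risk-based list puts the 7.5 finding on the internet-facing, exploitable production host first; the exposure total falls between the two scan dates because the database finding was remediated, which is the "is exposure being reduced over time" question the answer raises, expressed as a number rather than a count of scans.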

What are the threats that nation-states and enterprises need to be more aware of – are there any region-specific ones and why?

One of the biggest threats facing organisations is the exploitation of poor cyber hygiene.

Cybercriminals would prefer to take advantage of the low-hanging fruit in a network rather than find and exploit a 0-day vulnerability.

The vast majority of breaches are the result of known, but unpatched vulnerabilities or poor identity management practices.