Interview: Tenable CTO on how companies should measure cyber risk
At the recent World Economic Forum, the Global Risks Report identified nation-state cyber attacks as one of the threats to global economic prosperity.
Tenable CTO and co-founder Renaud Deraison spoke on a panel of security experts at the Cyber Future Dialogue event in Davos to develop a call to action and issue a resolution for tackling the upcoming year’s cybersecurity priorities.
Techday spoke to Deraison about how cyber risk is measured and why organisations and governments need to be prepared.
What are the global factors causing the constant increase in cybersecurity attacks?
We’re living in an increasingly connected world, where digital transformation and the proliferation of IoT systems have fundamentally changed the way we work and live.
However, this brave new world of connectivity doesn’t come without its risks.
Rising geopolitical tensions coupled with an expanding attack surface have left governments and organisations vulnerable to targeted attacks on sensitive, high-value information.
The significance of this threat was highlighted in the latest World Economic Forum Global Risk Report 2019, with cyber attacks and the breakdown of critical information both making their way into the top 10 global risks in terms of impact.
And the threat is very real.
Tenable Research recently released its Vulnerability Intelligence Report which reveals that enterprises must deal with an average of 870 unique vulnerabilities a day, with more than 100 of these considered to be critical.
What are the major upcoming cybersecurity priorities for the year ahead?
While the rollout of regulatory frameworks such as the General Data Protection Regulation and the Notifiable Data Breach scheme has made organisations around the world more accountable for their security practices, there is more to be done.
Organisations this year must ensure security strategies address the emerging risks created by an increasingly connected world.
A recent report by the Ponemon Institute and Tenable found that the majority of organisations surveyed (54 per cent) don’t measure, and therefore don’t understand, the business cost of cyber risk.
This is inhibiting their ability to make risk-based decisions backed by accurate and quantifiable metrics, resulting in a lack of actionable insight for the C-suite and board of directors.
In today’s digital economy, cyber risk equates to business risk.
Failure to accurately assess, manage and reduce this risk over time could have a dire impact on the global economy.
Case in point: the devastating 2017 WannaCry ransomware attack.
Global financial and economic losses are estimated to have exceeded $5 billion after the attack infected over 200,000 computers across 150 countries and brought some of the world’s largest companies to a standstill.
How is cyber risk measured – what are its components and what are some of the common misconceptions of what it does or doesn’t entail?
To accurately measure cyber risk, security teams should adopt strategies such as Cyber Exposure, which helps organisations accurately understand and ultimately reduce risk, giving them the visibility and insight to determine where they’re exposed, what to prioritise based on risk, whether exposure is being reduced over time, and how they stack up against their peers.
This includes identifying the business operations and assets most vulnerable, including OT and IoT assets.
Where many companies fall short is relying on traditional KPIs for evaluating business risks, such as quarterly scans and/or targeting critical systems alone.
These are insufficient for understanding cyber risk, as they fail to factor in the business cost, lack strategic direction and don’t offer insight as to how businesses prioritise risk.
What are the threats that nation-states and enterprises need to be more aware of – are there any region-specific ones and why?
One of the biggest threats facing organisations is the exploitation of poor cyber hygiene.
Cybercriminals would prefer to take advantage of the low-hanging fruit in a network rather than find and exploit a 0-day vulnerability.
The vast majority of breaches are the result of known, but unpatched vulnerabilities or poor identity management practices.