Over the last eighteen years I've seen a lot of board rooms, meeting with Boards of Directors at companies with as few as one hundred employees and as many as 50,000.
In every one of these meetings, I've been asked that inevitable, arguably rhetorical question: "Are we secure yet?"
No cybersecurity engineer or Chief Information Security Officer looks forward to being asked this question by an EC (Executive Committee) or board, nor are they immune to it, because the answer is never something they want to hear. The question is rhetorical in that the one asking it is almost always trying to make a point: no matter how much money is thrown at the problem, the company continues to see ransomware infections or breaches. They aren't really attempting to find an answer to the question in the first place.
Furthermore, the one asking usually doesn't want to invest any more in cybersecurity than they already have, and wants better results from the investment they're already making.
The fact of the matter is that how we look at cybersecurity today is not how we should be looking at it at all. The growing pandemic across the global marketplace is to view cybersecurity as binary -- either 1 or 0 -- secure or not -- and that's simply wrong.
Exacerbating this problem is compliance, where security is relegated to checkboxes, creating the perception that security is synonymous with compliance when in fact compliance does not equal security at all. Compliance, in my opinion, is enforcement through laws and regulations on companies in regulated industries, imposing financial and penal punishments for not complying with industry precepts. Even compliance audits can easily be danced through under a veil of perception over truth, as evidence is manufactured in the middle of the audit in order to pass.
Target's infamous cardholder data breach of 2013, in which 40 million credit cards were compromised, resulted from hackers gaining access to its cardholder data environment (CDE), where the payment processing systems were hosted, through the company's third-party HVAC vendor. Suffice it to say, PCI-DSS required Target to segregate its payment card systems from the rest of the out-of-scope store network. PCI network segmentation is a common approach to reducing the scope (and therefore the complexity) of card-processing networks.
As a result of the breach, Target faced a $90 fine for each cardholder's data compromised, which could have translated to a $3.6 billion liability. This is on top of the $10 Mn lawsuit Target settled with cardholders, with the total payout from the breach exceeding $218 Mn at last count.
So if being compliant doesn't mean the company is secure, and firewalls, intrusion detection systems, and anti-malware solutions don't make a company secure either, what does? I believe the very question itself is illogical, as there is no such thing as a product or company that is secure. I believe security should be seen as a scoring system, much like a credit score, rather than a simple conclusion of secure or not. While it's an ongoing religious debate on both sides of the aisle as to whether ROI formulas exist in cybersecurity and are defensible, I'm not referring to the ROI on security purchases, but rather to a score on the overall security posture of the entire information security management system (ISMS) itself, tracking that score over time as it's improved through the employment of administrative, logical, and technical controls.
So, let's assume for a brief moment that you agree with my opinion that security should be thought of as a score. What scoring system should be implemented, and how?
One could implement a risk assessment, performing both an asset-based and a scenario-based assessment after creating a full asset register of all the business-critical or regulated data the company stores, processes, and transmits. From there, each asset would be categorized into asset classes and risk assessments performed against those classes of assets. This would in turn produce risk scores, and anything over a predefined score that the business determines to be "unacceptable risk" would then be treated.
The EC and board would then need to be coached on how to ask the question: instead of asking "are we secure," they would ask "do we have any unacceptable risks to the business?"
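As an added example that is not from the article, the small Python risk register below shows the approach just described: likelihood-times-impact scores per scenario, an asset class scored by its worst scenario, a business-defined threshold for "unacceptable risk", and a posture score that moves as controls are applied. The 1-5 scales, the scenarios and the appetite value are constructed assumptions.

```python
# Added example (not from the article): a minimal asset-class risk register that
# turns "are we secure?" into "do we have any unacceptable risks?" and yields a
# posture score that can be tracked as controls are applied. Scales, scenarios
# and the risk appetite are constructed assumptions, not the author's figures.
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # 1..25

def unacceptable_risks(register, appetite):
    """(asset class, scenario, score) for every scenario whose score exceeds
    the threshold the business has defined as unacceptable risk."""
    return [(cls, s.name, s.score) for cls, scenarios in register.items()
            for s in scenarios if s.score > appetite]

def posture_score(register):
    """0..100 posture score; 100 means no asset class carries any risk.
    Each class is only as safe as its worst scenario; averaging the classes
    gives one number the board can watch over time."""
    if not register:
        return 100.0
    total = sum(max(s.score for s in v) for v in register.values())
    return round(100 * (1 - total / (25 * len(register))), 1)

# Constructed sample register keyed by asset class.
VENDOR_PATH = Scenario("Third-party vendor reaches CDE over flat network", 4, 5)
REGISTER = {
    "Cardholder data environment": [VENDOR_PATH,
                                    Scenario("Malware on POS terminals", 3, 5)],
    "Employee PII": [Scenario("Lost unencrypted laptop", 3, 3)],
}
RISK_APPETITE = 12  # assumed: any score above this is "unacceptable risk"

def treat(scenario, likelihood):
    """Record a control's effect (e.g. segmenting the CDE from the vendor
    network lowers likelihood) and return the register's new posture score."""
    scenario.likelihood = likelihood
    return posture_score(REGISTER)

if __name__ == "__main__":
    print(posture_score(REGISTER), unacceptable_risks(REGISTER, RISK_APPETITE))
    print(treat(VENDOR_PATH, 1), unacceptable_risks(REGISTER, RISK_APPETITE))
```

Running it first lists both CDE scenarios as unacceptable at a posture of 42.0; after the segmentation control is recorded the posture rises to 52.0 and only the POS malware scenario remains above appetite, which is the answer the reframed board question actually needs.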
FICO is attempting to apply a scoring methodology to organizations through its new Cyber Risk Score, offered as a freemium service that uses machine learning to build a score for an organization from a combination of different data points it pulls together, much like a "personal credit score" applied to organizations based on the empirical data FICO receives. Unlike a risk assessment, though, the score isn't just on specific assets or asset classes; rather, it is a cyber risk score on the entire organization.
This scoring system attempts to help organizations determine how risky a third party or supplier might be before granting them remote access to their network, for example. The score is an empirical score that relies on a comprehensive and diverse set of cyber security data signals, collected at Internet scale, to determine the risk profile of any organization. These signals reflect key risk indicators including the health and hygiene of IT systems, network infrastructure, and software and services. These current and historical signal behaviors are compared to the past behaviors of organizations that have, and have not, suffered a material data breach. Together, this information is used to train a machine learning model that produces a risk score forecasting the likelihood of a future breach event for that organization. Similar to individuals who can improve their personal credit score, organizations can log in to the FICO system, run their own report, and improve their current score by addressing the risks that are negatively contributing to it.
Could FICO and competitors such as BitSight and SecurityScorecard be creating a brand new industry of companies that score the security posture of organizations? Because cybersecurity breaches affect the brand of not just the organization targeted but anyone else that may be involved, we may now be entering a new era where companies begin to vet the cybersecurity hygiene of other companies before deciding to enter into business arrangements with them, as companies like FICO give them the tools to do it.
While risk assessments aren't new, FICO's attempt to remove the subjective nature of human decision making from the risk assessment equation using machine learning models is -- and I have to admit, it's quite intriguing. I am currently researching the FICO product, which will come out as a new report at Aite Group later this year.
About Alissa Knight
Alissa Knight is a senior analyst with Aite Group where she performs focused research into cybersecurity issues impacting the financial services, healthcare, and fintech industries through the assessment of sector trends, creation of segment taxonomies, market sizing, preparation of forecasts, and developing industry models. Alissa provides these industries a combination of syndicated and bespoke market research, competitive intelligence, and consulting services in the cybersecurity market through unbiased, objective and accurate research and content development. Out of her research into the contemporary cybersecurity issues affecting these industries today, Alissa produces research reports and white papers, as well as provides advisory services that include inquiries, briefings, consulting projects, and presentations on study findings as well as bespoke speaking engagements where she often keynotes at cybersecurity conferences, seminars, and roundtables annually.