Proactive risk management is the future of cybersecurity
I’ve been having a lot of conversations with board members and security leaders about how cybersecurity spending has grown year after year. We are seeing pre-pandemic levels of budget growth, with spending on information security and risk management on an upward trajectory. According to Gartner, a total of $137 billion was spent in 2020, $155 billion in 2021, and $172 billion in 2022.
But there is a curious correlation: while spending is increasing, so are the frequency and sophistication of cyber attacks. According to the World Economic Forum, cybersecurity was identified as a ‘top ten global risk’ in 2021. In fact, over the last two weeks, two major global tech giants have been hit by a cyberattack. A few days ago, Samsung found itself the victim of a security breach in which the hackers made off with internal company data, including source code for the operation of Galaxy smartphones, and NVIDIA has been trying to fend off a major attack for weeks now.
What’s more worrying is that the group behind both attacks is the same. As the list of compromised global companies keeps growing, it becomes clear that cybersecurity is fundamentally broken.
The question to ask is why?
The answer is something that I’ve been discussing with a lot of global leaders - the approach to cybersecurity right now is siloed, reactive and lacks business context.
This is underscored by the fact that even the JPMorgan International Council considers "Cyber the most dangerous weapon in the world -- politically, economically and militarily."
The siloed road taken
The pandemic accelerated digital transformation across industries, making technology the only point of continuity for work across the world. It was remote access that helped businesses and organizations stay afloat, but that meant that data was no longer confined to on-premise security centers. The perimeter requiring protection blurred as the attack surface expanded exponentially.
With the growth in the number of connected devices, the measure companies have taken towards cybersecurity has been to layer products on top of one another. But the problem remains: all of these products continue to work in silos and reactively. A firewall covers only network security, antivirus products fend off virus attacks on endpoint devices, and a SOC alerts you to a cyber incident only after it has occurred. While these measures can stop threats, or alert you to them, at several steps of the ‘kill chain’, refined new attack tools and techniques and the sheer volume of data can still let some threats go undetected for minutes or even months.
So, by the time action can be taken, it is already too late: in most cases the organization's reputation, customer trust, and invaluable data are already lost. Now couple this with complicated cybersecurity jargon that doesn’t provide an aggregated, unified view of cyber risk across people, processes, technology and third parties. The landscape therefore becomes fraught with drawbacks that hold back its growth.
Making an impact
Simply put, we need clear, explicit, and impactful communication about cybersecurity. The impression that the words “just ten cyber attacks in 2021 cost companies $600M” make on board members will be more indelible than something like “Cyber attack led to company losing 200 GB of data”. Dollars will always turn more heads than bits and bytes, which is where cyber risk quantification comes in, because you can’t really manage what you don't measure.
Cyber risk quantification platforms that use a Monte Carlo simulation can make cybersecurity contextual by expressing the likelihood of a breach as a financial impact. This immediately helps put the magnitude of the cyber risk in perspective for board members. The real-time, actionable insights provided by quantification are also beneficial for risk owners, as they help identify signals, threat data, and the business context of organizational risk, which makes it easier to measure, manage, and mitigate.
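To make the Monte Carlo idea concrete, here is an added example (not code from the article or from any quantification vendor) that turns a FAIR-style scenario into the dollar figures a board would ask for. It assumes a Poisson event frequency, a probability that an event becomes a loss, and a lognormal loss magnitude; the ransomware numbers used in the test are constructed, not drawn from any real incident.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean, median

@dataclass
class Scenario:
    """One loss scenario with FAIR-style inputs (all values are assumptions)."""
    events_per_year: float     # expected threat events per year (Poisson rate)
    p_loss_given_event: float  # chance a threat event becomes a loss event
    loss_median: float         # median loss per loss event, in dollars
    loss_sigma: float          # log-space spread of the loss magnitude

def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(scenario: Scenario, trials: int = 50_000, seed: int = 1) -> list[float]:
    """Return one simulated annual loss (dollars) per trial; seeded, so repeatable."""
    rng = random.Random(seed)
    mu = math.log(scenario.loss_median)  # lognormal median = exp(mu)
    annual = []
    for _ in range(trials):
        total = 0.0
        for _ in range(_poisson(rng, scenario.events_per_year)):
            if rng.random() < scenario.p_loss_given_event:
                total += rng.lognormvariate(mu, scenario.loss_sigma)
        annual.append(total)
    return annual

def percentile(values: list[float], q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

def summarize(losses: list[float], tolerance: float) -> dict:
    """Board-level figures: expected loss, tail loss and odds of exceeding tolerance."""
    return {
        "ale": mean(losses),                 # annualized loss expectancy
        "median": median(losses),            # a typical year (often zero)
        "var95": percentile(losses, 0.95),   # the 1-in-20 bad year
        "p_exceed_tolerance": sum(x > tolerance for x in losses) / len(losses),
    }
```

Calling summarize(simulate(Scenario(0.5, 0.4, 250_000, 1.0)), 1_000_000) gives the expected annual loss, the 95th-percentile year and the chance of blowing a $1M tolerance, which is the kind of output that replaces "200 GB lost" in a board conversation.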
Shaping the future
The future of cybersecurity therefore isn’t one that is siloed, reactive, and lacking business context. It is rather proactive, predictive, and one that speaks the language of business. There is a need to take the guesswork out of cyber risk management.
And to answer the perpetual question of ‘why is proactive risk management important?’, Stephane Nappo, CISO, SEB Group said it best: “It takes 20 years to build a reputation, but only a few minutes of a cyber incident to ruin it!”
COO @Sales Innovation - Bringing Software Companies to APAC
4 weeks ago: Saket, thanks for the post!
3 years ago: Even to quantify the magnitude, the insurance companies are not able to decide the insurance premium for cyber insurance. They are also doing it in silos. A proper risk assessment is needed to identify the weakest links for actual quantification.