Webinar Recording

Effective Cyber Risk Quantification Through Automation


Continual high-profile cyber incidents demonstrate beyond a doubt that cyber risks exist, but most organizations struggle to quantify cyber risk in a useful way. There is an urgent need for IT security leaders to find a common way to express cyber risk in monetary terms that business leaders understand, to enable effective risk management and security investment.

Hello, good afternoon, and welcome to this KuppingerCole webinar on effective cyber risk quantification through automation. My name is Mike Small, and I'm a Senior Analyst with KuppingerCole. I'm joined today by Chris Griffith, who is VP of Products at Balbix. To start with, we're going to go through some housekeeping slides, starting with some information about future events; don't forget to go onto the KuppingerCole website to check those out. During this webinar you will be muted centrally, and KuppingerCole will be controlling these features, so there's no need to unmute yourself. If you want to ask a question, you'll find there is a question and answer panel, and questions will be answered at the end of the webinar. We're recording the webinar, and the recording will be made available in the very near future, certainly by tomorrow. During this webinar we're going to run some polls, and we'll perhaps be able to discuss the results during the Q&A.
So with that, I'm going to start off with the first poll: which of these risk frameworks does your organization use? Check all that apply. The poll is now open, so please take the time to fill this in; we'll give you around 30 seconds to do that, and then we'll move on to the rest of the webinar. Okay, the poll has now completed, and we'll be able to discuss the results later on. So now let's get into the agenda, which is divided into three parts. The first part will be run by me, where we will look at the approaches to quantifying risk. Then I will be followed by Balbix, who will talk about how to systematically quantify cyber risks in business terms. And then we will have a set of questions and answers.
I'm going to start off by saying that risk is a four-letter word. Those of you who are native English speakers will understand what this means: a four-letter word is a word which is in familiar use and can be found offensive by some people, so you have to be careful about how you use it. In fact, the word risk has been the source of the most extensive miscommunications between cybersecurity professionals and the business that you can imagine, because there is one word, risk, which covers so many different areas. The problem has been that when people use the word risk, different people in different contexts mean different things, and so everybody thinks they're talking about the same thing, but they're not. So let's start with why this is important.
Everybody has come across events like these, where cyber attacks have caused significant losses to different organizations. When you look after the event, you get a very clear quantification of what it cost the business. After the event, a company can say it cost us a hundred million, it cost us 4 million, it cost us 20 million. The problem is, in advance of these events, figuring out how much it would cost if it occurred and how much it would cost to avoid it. So how can you justify spending money and taking action before these events occur? I have actually, in my lifetime, heard a board arguing that the cost of antivirus needed more justification because there hadn't been any recent malware attacks. So there's clearly a big opportunity for miscommunication, and this comes from the fact that there are several different kinds of risk.
When you are talking to business people, you will find that most of the time a business person is talking about opportunity risks; certainly venture capitalists and boards are looking at investing in opportunities. An opportunity risk is really interesting because you can say, well, if I place a hundred dollars in an investment in this particular technology or this company or whatever, you know how much you are going to lose, and you can also quantify what the possible returns may be. But that isn't the only kind of risk. There are other kinds of risk, including market risk, operational risk and control risk. The kind of risk that cyber fits into is what is known as hazard risk. And so to be able to compare cyber risks, which are hazard risks, with the other kinds of risk that the business talks about, you need to be able to express them in business terms.
So the problem, in cyber risk management terms, is that from the board's perspective they are having to make the decision between taking investor money, their shareholders' money, to invest in opportunities, and deciding whether it is better to invest in those opportunities rather than to invest in cyber defense. And indeed, once again, I have come across a situation where a board actually made a positive decision, because of the size of an opportunity, to go into a new app, knowing that there were cyber risks, because the business opportunity was in fact so significant. Now that isn't always the case, but the problem is how you can balance those. Basically, in business terms, that really comes down to money.
So when you are talking to the board, one of the problems, as well as one of the opportunities, is that boards like to be able to compare what they're doing with some kind of clear standard. Where are we with respect to the industry? Where are we with respect to the standards? Where are we with respect to compliance, and where are we with respect to the law? There's no end of different frameworks that you can adopt, and some of these are shown on this slide. They differ really in the extent to which they're involved in the business side of governance versus the technology side, and whether they're looking at IT service in general or at security governance. In fact, most of them only provide a qualitative measure of risk, so that you can say, well, our controls don't match or aren't terribly effective.
So that's a challenge: how you can measure risk in a way that is useful. Those of you who have been in this industry for a while will understand that the way you describe a hazard risk is in terms of its probability and its impact. If only we could put a dot on that graph, because the problem is that we don't actually know what the probabilities are with any degree of certainty, and we aren't absolutely sure what the impact could be. So not only have we got to work out where these things are, but we also have a large degree of uncertainty around that. This is quite different from some other areas where you can say we've got lots of statistics from the past. So there is a challenge with describing this inherent risk.
What risk management is about is trying to reduce the uncertainty, trying to reduce the impact and trying to reduce the probability, and that management has a cost associated with it. When you go to the board saying I want to buy this new security operations center service, or this new piece of technology, or introduce some new controls, that's what you are doing, and you have to be able to justify the spend on that in terms of the return. Since all of these things have a probability associated with them, that makes things even more complicated from the point of view of trying to explain. So how do you do it? Well, if you look at the various frameworks, one way or another they all tell you to go through some kind of process of describing how you can estimate the impact and the likelihood.
You can do this from the top down, or you can do it from the bottom up. In this particular case, we've looked at it from the bottom up: you have threats, which you really can't do anything about, which find and exploit vulnerabilities, which are basically in your staff, in physical access, in privileged access, in the technology, in the configuration and so forth. You try to mitigate these vulnerabilities through a set of controls, which can be technical, they can be processes, they can be training. If the threat can overcome those controls, then it can do damage to your business data. What risk management starts off doing is a process of estimating the threats, the probability of them and the effectiveness of the controls, to come up with a set of scenarios, which hopefully are focused on the most important business assets, looking at their likelihood and their impact.
Even that is a simplification, because most of these things come about because of sequences of failures. Nevertheless, what happens is that, in a qualitative approach, you start to plot these risks against these two dimensions of impact and probability. You can have a risk appetite, which is described in terms of colors on this chart, where high impact and high probability is red, and you don't want it; low impact and low probability is green, and you may be willing to tolerate it; the ones in the middle are the ones that you can't tolerate, and the ones in the red are the ones you can't tolerate and you have to do something about in terms of controls. The problem with this is that it is subjective. It's nonlinear, because it's very hard for people to estimate these values, and different estimators will come up with different values.
When you get in front of a board and you get questioned by the legal people, you find it's very hard to explain why you know what these things should be. So it becomes easy to cheat, to make things appear worse or better than they are. However, that's what happens, and most organizations have some kind of risk register which contains all of these kinds of things. Here's one that we were doing for a cloud service for a large manufacturing organization, where we were looking at the impact on different assets of a particular scenario associated with risk. It's certainly helpful in that it allows you to get some kind of view of what the situation is with regard to a particular kind of risk. Now, again, if we go back to it: how do we compare these different reds?
This comes back to what often happens in estimation: they want a single number. They want to say, how much is it really going to cost? So typically what you will do is multiply the impact value by its probability, and that will give you a number, which is a simplification, but at least it provides some important insights into what you can change, because what you can change is by investment. You can invest in controls, you can invest in training, you can invest in technology, you can invest in processes to remove vulnerabilities, and whatever you do, you also have to remain vigilant. However, in business terms, the impact, that is to say the business value of the assets that could be affected, is largely speaking outside of your control, because they are business assets.
So that's what you would expect to do. Now, as I said, that was a simplification; to make a better estimate becomes much more complicated. Here is the Factor Analysis of Information Risk (FAIR), where what you do is say that you can go down to multiple levels: you can have a primary loss, and you can have a secondary loss, and you can have further controls associated with that. So to do a very exhaustive and extensive investigation into this takes a great deal more time and trouble. And so you have to, as always in these things, judge the need for extra complexity, which might give you better accuracy, versus the need to do something that is good enough. This takes us on to measuring these controls. Again, most of the time we are looking at a qualitative approach, where what we do is say that we believe, or we estimate, that a control will take us from a red area to a green area.
Or if we spend a little bit less on it, it'll take us to an orange area. So this is done, and you can say, this is the control: does it exist? Is it active? Is it effective? And how mature is it? The problem that you're constantly trying to answer is, what's my best return on investment for that particular control? One of the other ways, which boards often like, is to compare themselves with other organizations, with their peers, so to speak. This is often done through maturity models, and maturity models are a well understood business approach. Here is an example of a maturity level matrix for identity and access management, which is the kind of thing that KuppingerCole does with our end user customers to allow them to see, in different areas, how they compare with best in class and with good in class.
Again, this has a lot of subjectivity associated with it. So, in summary, effective management of cyber risks needs to be measured in business terms. What we've gone through is this: the word risk is a four-letter word. You have to be extremely careful about how you use the word risk, especially when you are talking to business people, so that there is absolute clarity about what you mean and how you communicate this to business people, because the risks associated with cybersecurity are largely speaking hazard risks. In order to estimate those risks, which are described in terms of probability and impact, you are going to use one or more of the different frameworks, and you have to choose a framework which is right for your organization. Qualitative measures of probability and impact, such as medium, high, low, frequent, infrequent, are good for comparison, but make it very hard to justify getting investment. What you really are looking for is a good way to quantify risk that allows you to describe risks in business terms, and business understands money.
So now we're going to have the second poll. In this, what I'm going to ask you is: how do you measure cyber risks in your organization? Do you do it using qualitative assessments, such as those based on ISO 27005 or Risk IT? Do you have quantitative assessments based on a methodology or a model or a product? Do you use maturity models, such as the Carnegie Mellon maturity model? Do you do assessments another way that it's often done, through a GRC tool, or do you do it in some other way? The poll is now open; it will take around 30 seconds, and we would appreciate you taking the time to fill this in. Okay, thank you. The poll is now completed, so we're now going to move on to the second part of the presentation, which will be given by Chris Griffith from Balbix. Can I ask the moderator to please give Chris control of the screen?
Excellent overview, Mike. I think it's just a fascinating topic, and I give everyone who's on this webinar credit for taking that first step to really get a handle on cyber risk and the process of quantifying cyber risk, because it's not an easy topic, but it's an extremely important one. So, as mentioned, I run the product team at Balbix. At Balbix, we're a product company; we help our customers to automate their cybersecurity posture and the process of quantifying their cyber risk, and make the cyber environment much better for the organization. It's a super important topic.
If you step back and think about this for organizations that have not yet made the investment, that are still early in the process and have not yet found an effective way to quantify cyber risk, a lot of processes get kind of painful; things get hard. What I'm showing here is the result of a recent industry survey of cybersecurity and risk leaders who are taking advantage of the process of quantifying their cyber risk, and some of the top use cases around cyber risk quantification. You can see some of these examples: prioritizing the cyber risk within their environment, what are those areas that they should be focused on addressing first versus those that can wait; communicating across the business to the owners of risk, which might be the business owners, application owners, service owners, lines of business owners, as well as to the C-suite, which might be the CFO, CIO, CEO, and all the way up to the board of directors.
And the last item here is around aligning the cyber risk process with other risk practices within the organization. So you can see the themes here: communication, alignment and prioritization. It's very, very difficult to think about managing these processes effectively without having a good way to communicate in a way that everyone can understand, as Mike very clearly outlined just a moment ago. So having that ability to communicate in money terms is critical, because think of the kinds of questions that are being asked of you; they can come from the board or your CFO. These are really difficult questions, and it becomes pretty gut-wrenching if you're asked these questions and are not in a position to answer with credibility, with confidence and with data. So for example: what is the risk of breach of our business, by business unit, line of business or geography, or by service that we're offering? When we're talking about risk transfer, are we making the right decisions for areas such as cyber insurance?
When we think about residual risk, have we considered this appropriately? We're making investments in controls in our cybersecurity program; are we getting the return on that investment from a dollar or euro perspective, looking at this in terms of a true business ROI? And then let's think of those key metrics that we use to manage our business from a cybersecurity perspective. Are we meeting our SLAs, our compliance levels? Are we focusing on the most important items to fix when we think about making the cyber operational environment better over time? So these are really difficult questions to answer if we don't have the right approach.
From a Balbix perspective, we view that there are a couple of very necessary characteristics and components of a process that quantifies cyber risk appropriately. First, think about it being a practical approach: this is something we can implement. If there's data that's required for the approach, for the model, is it available to us? Is it something we can actually do? Secondly, is it automated? Can we run the process on a continuous basis? Can we scale it across our organization? Can we do this in a mechanism where we can adjust to the changes that are inevitably happening to our business? Thirdly, is it inspectable? Meaning, can I double-click into my cyber risk quantification outcome and see what's actually driving those numbers, what's under the covers? If you have the ability to share what's under the covers, it becomes very credible, and you can debate the assumptions rather than debating the approach. And lastly, think about an approach that is actionable, and perhaps this is the most important, because this is then informing our teams of the right decisions and actions to take. So what can we do to make things better?
Conversely, an approach is quite difficult when we see these kinds of characteristics, and we've seen our customers struggle in the past with different approaches that have these kinds of attributes. It may be overly theoretical, so it looks good on paper, but we actually don't have the data available to plug into this approach to feed the model, and so it's really challenging to put this into practice. Or maybe it's overly manual. We're all limited in terms of time and resources; is this something that our teams can do on an ongoing basis, or is it just very hard?
Do we get outputs from this overall process that look like a black box, or do we understand what's underneath? And lastly, are we getting results that are telling us something specific to do, or is it very fuzzy? If we're getting question marks about what the next step is, that shouldn't be the case, particularly when we're presenting to the C-suite or the board; it should be very clear what this is telling us. So these attributes of approaches we find generally don't work well in practice. What we recommend, and what we work with our customers around, is an ongoing process that enables the right kind of quantified risk visibility, but also the right outcomes as a result. If you start at the top here and think about your business, your environment, it's a very dynamic, ever-changing thing: you are expanding into new businesses and lines of business, think about acquisitions or divestitures, making technology changes around the architecture. So it's a very dynamic environment, and the threat landscape is also changing all the time. Threat actors are innovating, unfortunately, and finding new and better ways to exploit weaknesses within our environments.
So we need to have the data around these that can then populate a cyber risk model in an automated way that provides a dollar-based view of what that cyber risk is for your organization. That cyber risk model then needs to feed the right outcomes: for executives, from a reporting standpoint, enabling the right decisions to get made at the senior levels of the C-suite and the board, as well as specific actions to take, particularly from an operational perspective: what are those steps that should be taken to improve the situation and reduce the risk profile of the business? This is an ongoing process. It's certainly not static: as the environment changes and the threat landscape changes, the process needs to be a continuous loop, so that the data and telemetry are available to update the risk model, which then drives the right reporting and the right actions.
Drilling in here a little bit in terms of where Balbix really focuses and helps our customer companies approach cyber risk quantification, it's really these three areas. The first is getting insight from the data within your enterprise environment to build what is a unified risk model in monetary terms, in an automated way, that then drives outputs in a form that's consumable for both executives and the operational people in the environment. So let's drill into each of these in turn. The first step is data, and this is really the foundation of any model. There are really two categories: the data that represents your environment, your security posture, and the data that represents the external environment, the threat landscape. Within your environment, you may have many or all of these tools already: a CMDB, a configuration management database, with all the assets and the business context around them, tools like ServiceNow.
For example, you may already have an investment in an enterprise data lake, and this data lake is pulling in data from many different tools and systems within your environment that can drive different use cases. You may have endpoint tools deployed, cybersecurity tools like EDR or XDR, CrowdStrike for example, vulnerability scanners, unified endpoint management tools. You may have new types of assets within your environment, such as IoT, the internet of things, or, if you're a manufacturer or around critical infrastructure, operational technology assets. Many of our customers are expanding their hybrid environments into the cloud, so there's a mix of on-premises and cloud assets and resources. Think about network-specific information, IP address management, DNS, everything around what the network environment looks like. And this goes on and on, including a number of typically internal tools, processes and policies.
Key here is to be able to extract the right data out of these sets of systems, tools and existing data, to build a very detailed, cleansed, correlated, normalized asset inventory model of what your environment looks like; and not only your environment, but also where the weaknesses within your environment are: where the vulnerabilities are, where the misconfigurations are, where the credential issues are, where these weaknesses from a cybersecurity posture perspective are, in a way that all of this can be normalized in one unified model, including business context about your environment. What parts of your environment are regulated, which are not, where is there PII where we need to consider legal or regulatory issues? So that's the internal view. The external view is just as important. It's the understanding of the global threat model: what vulnerabilities have been noted and used and exploited in the wild, what's fashionable with the adversary, what are those threats that are most likely to hit your organization? It's important to correlate that with your security posture.
This then gives you the basis for building a unified, detailed, bottom-up cyber risk model for your business on an asset-by-asset and vulnerability-by-vulnerability basis. The second step is to layer the monetary-based risk model on top of this. Here at Balbix, we focus on perhaps the key threat scenario facing your business, which is the risk of a massive breach of your organization by a typical adversary or adversary group. This enables us to automate the process of building this cyber risk model in a very detailed way. Here we're looking at the components of this model, where the breach risk in monetary terms, which could be dollars, pounds sterling, euros or yen, is split into the likelihood of a breach and the impact of a breach, and at both levels it gets quite granular and comprehensive.
For breach likelihood, we're looking at what is the likelihood that an adversary will utilize weaknesses in your environment and successfully breach your environment, and we take a multi-pronged approach: understanding the severity of the vulnerabilities that are in your environment; the exposure of different assets to those vulnerabilities, whether your assets are sitting at the perimeter of your network or in the core of your environment, whether the services that are vulnerable are actually being run or not; then the threat level, correlating in that global threat model, is it likely that adversaries will actually exploit those vulnerabilities; and then your security controls and the existing mitigations that you have put in place. All of this together enables you to drive an increasingly accurate view of likelihood on an asset-by-asset basis. The breach impact side of the equation is equally important, and here it's really critical to have the business context, so that there's an understanding of which parts of your environment are more important than other parts. That then enables you to align the results much more realistically and accurately to your business. The important element within all this is that this model needs to be based on data that you have, your telemetry, your enterprise data, so that it limits the manual inputs and maximizes the ability to be automated.
The result is then ensuring that we have outcomes for both the executive level and the operational level. We've built this unified source of truth based on a comprehensive cyber risk model, asset by asset, within your environment, and here we're able to enable reporting for all those questions that the board members or the C-suite or the CFO may be asking. For example: what's my breach risk by business unit, by region, by application or service, with the linkage to what's under the covers, the operational facts on the ground, the individual vulnerabilities that are driving that combined view of risk, in a way that's fully automated and fully inspectable. At the same time, we're able to drive workflows for the operational teams that are looking to fix the issues. If our digital business unit has an unacceptable level of risk, what do we need to do? What are those prioritized actions that we need to take, with specific detail, even down to what's the superseding patch I need to apply for this important domain controller server, or whether I need to adjust the configuration for an exposed S3 bucket in your AWS environment, down to that level of detail, such that the operational teams can make progress.
What enables all this to happen is our Balbix Security Cloud platform. It's a SaaS-based platform that is really based around three pillars in an integrated way. The basis is the real-time asset inventory: a bottom-up, asset-by-asset, consolidated, normalized, fully categorized view of your assets across your environments, everything that you need to protect. The second pillar is risk-based vulnerability management: a unified view of vulnerabilities that is prioritized based on risk. The third layer is then adding on the organization hierarchy, as well as the impact model and the risk model, to enable cyber risk quantification in a very integrated way, and the outcomes that we just talked about.
All this is only meaningful to the extent that our customers are seeing results. So I'm just sharing a sample quote here from Rhonda Gass, CIO at Stanley Black & Decker, a major Fortune 500 manufacturer, where Stanley Black & Decker is essentially using Balbix as the brains of their proactive cybersecurity program and their unified risk model. This is a typical outcome that we'll see for organizations that we work with. Here we're enabling Stanley Black & Decker to have immediate visibility into their cyber risk in a unified way, to drive reporting to their board, and to drive the prioritized steps that their team should take to improve the situation and make continual improvements. These are typical of the outcomes that we provide for customers: alignment around the board, the executives and the business teams; being able to measure your cybersecurity posture and improvements, and also the ROI of specific security investments, along with benchmarking both externally and against internal teams and business units. And then there's the operational element, which is how we actually make improvements: what are the prioritized items that I need to take care of, and ensuring that the teams can be very, very efficient at making that happen.
So with that, turn it back to Mike.
So before we go on to the Q&A, we've got one further poll to do. And so I'm going to share my webcam in a moment, but before we share my webcam, let's do this poll. How does your organization judge investments? Does it do this based on qualitative judgements of risk factors? Does it do it on judgements of control effectiveness? Does it do it based on financial return on investment, or do you use some other process? So the poll is now open and we'll take 30 seconds for you to fill that in. And when the results of the poll are ready, the organizer will notify me so that we can discuss the results. And so we should see both of the webcams, and now we're going to go on to the Q&A, if I can finally find it. So there we are, there's the question. So remember, if you have any questions, you can ask these via the Q&A panel, and as soon as you ask any questions, I'll be notified of them. So thank you very much, Chris, for that really good talk. And I've got a couple of questions here that I'd like to ask you. So one of the things that I talked about was this FAIR model. And so how does Balbix compare with the FAIR model?
Yeah, that's an excellent question. So I would say that at Balbix we're inspired by FAIR. And what I mean by that is the outcome that we're driving is a similar outcome: we're looking at the ability to quantify in monetary terms what the cyber risk is for key threat events that are related to your business. So that's kind of the key outcome that users of FAIR and also of Balbix are looking for. I'd say we differ in the way that we approach the calculation and approach the model. We take very much a bottom-up view, where we're looking at an asset-by-asset unified risk model within the organization, versus focusing primarily on threat scenarios and trying to determine a range of different threat scenarios and quantifying the cyber risk around those. So if you look at the Balbix risk model and the likelihood piece and impact piece, these map quite well to the respective components in FAIR.
So you think about the vulnerability side of the threat events, and the impact side certainly mapping to the loss category from a FAIR perspective. But what we're really focused on is ensuring that the model can be practical, that we have the data available to drive it, that it can be automated and is not overly manual, can be inspected in terms of what's happening under the covers, and then can drive really specific, tangible actions and outcomes. You know, these are the things that you can do and should do, in prioritized order, to make things better. And so we find that many of our customers have previously looked at FAIR and maybe struggled with a FAIR implementation. And so we find that ensuring that we have those attributes in the Balbix approach has helped those customers.
Yeah, that's very interesting. So basically you have a bottom-up approach, which is that you are able to scan the assets, look for vulnerabilities and so forth. And you put this together with industry data on the relevance of these individual vulnerabilities, is that right? You're using industry data about how easy it is to exploit them, and that's... Yeah,
Exactly. So we're building a unified cyber risk model based on all the data that companies have available within their environment: scans and asset databases and security tools and business context, and layering on, as you mentioned, that external view of how vulnerabilities that are found are being exploited in the wild, as well as the business context that informs how important different assets are to each other and the overall dollar values within the environment.
Yeah. So it's not just the CVSS score or something like this. It's a combination of multiple sources of data to come up with this probability.
Exactly.
Yeah. And that's the important thing: it's very hard for an individual organization to gather that kind of information together. And this is presumably one of the big values that you are adding, which is gathering it all together.
Oh, absolutely. And that's where a lot of the value of automation comes in. This is not a human-scale challenge, right? Think about continuously tracking all the assets in your environment: it can be tens of thousands, hundreds of thousands, millions of assets and resources, and then keeping up with all the vulnerabilities and the current threat model attached to all those vulnerabilities: are they being exploited in the wild, and how so, and how much? So that's just not a human-scale problem. So that's why we have to use machines and data to really drive that risk model.
Thank you. Yes. So we've got a question from the audience, which says FAIR can use Monte Carlo simulations for providing a range of quantified risk and median values. Does Balbix have a similar approach?
So I think I'll touch on two aspects of the question. At Balbix we focus on the data that we're seeing within the environment, in terms of the risk model, the likelihood of breach given a specific risk vector, as well as the impacts. And we track this along with confidence levels, based on the data that we're gathering.
What we're focused on, rather than running Monte Carlo simulations across a range of different threat scenarios, is that key threat scenario for the organizations that we find as we talk with our customers, which is: what is the risk of a massive breach within your organization by a typical threat adversary or threat group, based on that very granular asset-by-asset, vulnerability-by-vulnerability model that covers the likelihoods and impacts at each level. So that's how we approach the calculation. It's a little bit of a different approach, but the goal is to drive to a key quantified number in a way that's very much inspectable.
Yeah. So you're not trying to produce probability graphs. You're going for the number which represents the risk.
Correct, correct. With respect to that, we recognize that there is a confidence level associated with it. Yeah. But driving to a number is important, because then people can communicate around that number, recognizing that nothing is perfect in this world, but it's much easier to communicate around a number and have discussions around that versus a distribution, we've found. Yeah.
Distributions are hard for people to get their head around. Okay. So one of the key things, and this is really one of the key things, is that when you go into the board and you want your money, you get this forensic analysis of why you want it and whether it's going to be worthwhile. And so this is where often the argument falls down, because it's difficult to justify the underlying assumptions. And this is one of the key things that you are providing, isn't it? So perhaps you could just explain what would happen if the board member said, well, explain to me how this risk has come about. How do you do it? Do you have an interactive tool, or how do you do it?
Yeah, absolutely. So we shared in some of the slides earlier some of the example dashboards. These are live dashboards that we provide that can be discussed live with a board member, and our customers have done that, or dropped into presentations, but these dashboards are live based on the current risk model and fully inspectable. So you can double-click into it: there's a bar for risk, it's maybe a hundred million euros for your digital business unit. What's under the covers? You can double-click into that and understand exactly what assets are in that digital business unit, what are the risk factors that we're seeing, whether it's unpatched vulnerabilities, misconfigurations, credential risk, trust relationship risk, for example, what's the level of breach likelihood attached to each of those risk factors, as well as the impacts, both of the group of assets that make up that business and of the individual assets. And then you can even triple-click into that to understand where the greatest risks are that we're seeing and exactly what the observations and telemetry are that relate to it. So it's fully inspectable down to the individual vulnerability or weakness and asset itself. So the senior people can take it as far as they want, and the operational people can go fully into the details and fix those items that are most important.
Yeah. Okay. And so the value of the assets is presumably the piece that the end-user organization, the company that's actually using your tool, has had to put in. So if you've got a database, the value of that database is set by the organization. Is that right?
So, yes. However, what we do is we provide our customers with a guidance tool. So essentially, based on data that we've analyzed from many thousands of actual data breaches around the world, for different organizations, different sizes of organizations, employee count, revenue, different verticals, we enable our customers to provide some specific inputs about their business. And then we provide them guidance about what the typical loss event dollar numbers, or euro numbers, or pound numbers are that would apply for a business that looks like them, and they can make changes, make adjustments, use expert knowledge to make adjustments, and then apply that estimate at both an overall organization level or whatever level of the hierarchy that they're looking at, whether it's a different business unit, business line, geography, or even an individual database, like you mentioned.
So that's taking account of factors like fines for compliance failure, the need, for example, to re-engineer a product because you've lost the intellectual property, or that kind of thing. These are the factors that you are looking at, are they?
Correct. So those impact estimates, those monetary impacts of a major breach, are complete across those different aspects, whether it's the cost of operationally dealing with the breach, whether it's notification costs, lost business costs, fines; all that is included within the model. So we provide the customers with guidance to say, look, for a company like me, with my profile, this is a typical cost that I would be expecting to see. And we essentially flow that down through the full business and apply that to the full risk model.
And this is based, once again, on information that you've gathered from around the world on the impact of similar losses on other organizations. So this is exactly... and that gives you what you describe as the inspectability: that if somebody says, well, where's that figure come from, you can probe into it and get this kind of detail.
Exactly. Yeah. And it's inspectable on both the impact side as well as the likelihood side, because both are very, very important.
Good. So having done that, you then have the third question, which is evaluating what you can do about it and how the Balbix tool can lead you to remediate the risks that you've identified.
So you've hit on a really important topic, which is: now what? So what, right? Now that I have this risk model, what can I do with it? What should we be doing? So that's actually a very important focus for Balbix, which is not only to provide your reporting around your risk, but also to provide the guidance on what to do about it. And so what we provide are basically prioritized views of the risk issues that we're seeing within your business, in a way that the teams can knock them off. You know, what are the top five things that I should do this week or today to reduce my risk the most? And it might be around a new vulnerability. It might be around a key misconfiguration for an important asset. So having that visibility, and also then the workflows, so that operational teams can actually go in, create a project, say these are the top things that I need to take care of. We help them track that, track the burn-down of risk, ensure they have all the information that they need to provide to their business teams, the IT teams, the folks who are actually going to do the work to fix the issues. So all that is ensured to be very, very accurate and available to the people who need to do their work. So that's a very important part of the process, because quantifying the risk is important, but being able to make changes and take action is equally so.
Yes. And does it help you say, for example, that different actions have different costs? Does it, well, I mean, I suppose, how do you choose between different potential actions?
Yeah. So the focus from the Balbix model is: where is risk going to be reduced the most? Right. So what are those assets that are driving the most risk for your business? What are those vulnerabilities and weaknesses that are driving the most likelihood of breach? And we then make it very easy for our users to find those highest-risk assets and items, yeah, to be able to knock them off.
Yeah. And that's the important thing, isn't it? Exactly. Yes. So I think we're now coming to the end of this. So is there anything final that you'd like to say, Chris, before we finish?
I'd just say, you know, again, thank you for the time. I applaud everyone who's listening to the webinar; you're taking an important step on the journey of making your organization better from a cyber risk perspective. And we're happy to work with organizations on that journey. And thank you, Mike, for the opportunity.
Yeah. Thank you very much, Chris, for a really informative talk, and thank you to all of the audience for participating. So over to the organizer now to end the event. Thank you very much, Chris. Thank you.
Thank you, Mike.