With security leaders facing an onslaught of attacks from ransomware and other cyberthreats, it can be tough to know where to focus their energy. That’s where a “cyber risk score” promises to come to the rescue.
These ratings are like a credit score for cybersecurity. A cyber risk score provides an assessment of an organization’s unique level of exposure to cyberattacks, its performance in terms of dozens of necessary mitigation strategies, and the remaining weak links in its security armor.
Cyber risk scoring can highlight these issues before they lead to a breach. They provide an easy-to-understand, evidence-based way to develop a targeted ransomware prevention strategy, and they are particularly useful when communicating the urgency of improvements to the C-suite and the board or to government agency leadership.
With everything from insurance rates to M&A deals relying on cyber risk scores, chief information security officers (CISOs) would be wise to heed their call. But these simple-looking numbers are only one piece of the security puzzle. And not all risk scores are the same. It pays to look under the hood before relying on these scores to make mission-critical decisions.
The price of inaction
A spate of disruptive and damaging ransomware attacks over the past 18 months has rattled even the most heavily secured organizations. Cybersecurity Ventures estimates ransomware costs will surpass $265 billion by 2031. Nearly 40% of executives surveyed by the market-research firm IDC had experienced one or two ransomware attacks in the preceding 12 months that required them to allocate significant resources to remediation. Thirty-seven percent of leaders said an attack had caused a disruption of a week or more.
As the pace and intensity of attacks accelerate, worried CISOs are assessing their security postures and trying to understand the level of risk their organizations face. According to IDC, about 50% of IT security decision-makers and influencers said concern over ransomware attacks had pushed them to conduct periodic stress tests on their cyber-response procedures during the previous year. And 37% had led an organization-wide review of security, data-protection, and recovery practices using publicly available information. Despite all this work, more than three-quarters of leaders don’t have confidence in their organization’s security profile, according to another study by the consultancy IDG Connect.
Understandably, many CISOs have turned to cyber risk scores to provide much-needed insights into their organization’s level of exposure. While the scores can be useful in identifying weaknesses, they are more useful when they help prioritize threats and the actions organizations must take to guard against those threats.
“A plain old score doesn’t give cyber executives the ability to make those kinds of business decisions,” says Bob Maley, chief security officer (CSO) at Black Kite, a cyber risk rating platform founded by a certified ethical hacker (CEH) for NATO. “You need to have information that helps you make the decision that you have to do something—and ensures your actions are appropriate.”
As ransomware attacks proliferate, corporate boards and government agency leaders are pressing CISOs and CIOs for data-driven assurances that their organizations have increased security. Nearly 30% of the organizations IDC surveyed said that in the previous year, their boards had requested a presentation on ransomware response procedures and current data protection and recovery practices.
“While leadership teams generally have a good handle on understanding risk, quantifying risk for cybersecurity has proven difficult,” says Shawn Marriott, director of product management at Tanium. That’s in part because data relevant to security is scattered across silos in large, complex organizations. And IT and security teams often use different tools and metrics to gauge whether they’ve achieved their objectives.
“The biggest problem we have right now is that few frameworks exist to identify, quantify, and prioritize cyber risks,” explains Nadav Zafrir, a co-founder at tech venture capital firm Team8. Organizations cannot protect everything, Zafrir says. Because their networks are interdependent with clients, supply chain partners, and even the government, he says, business leaders must understand the risks, prioritize them, and then optimize their approach so that they can decrease the probability of a successful attack.
What to look for
Even as CISOs turn to cyber risk scores to assess the threats their organizations face, the Colonial Pipeline attack underscores the folly of putting too much stock in a single number.
“In terms of their security rating, they had a decent score,” says Maley, who previously served as head of global third-party security and inspections at PayPal, as a risk consultant at Wells Fargo, and as CISO for the state of Pennsylvania. “But there were some clear signals in a couple of components that indicated to us how they became victims.”
Colonial Pipeline had a decent [risk] score. But there were some clear signals that indicated to us how they became victims.
Colonial Pipeline is not an outlier. Security incidents are frequently the result of weak spots in an organization’s security practices. To be truly useful, a risk score must include security information that will compel a company to fix weaknesses that the score helps identify.
“There are compensating controls that don’t eliminate risk, but configuring or enabling them helps mitigate the risks,” says Marriott of Tanium. They include things like ensuring that you have antivirus software installed and that it’s up-to-date. “It’s not unusual to see antivirus software that hasn’t been updated for 10 years,” he says.
Existing risk-scoring solutions typically fall short in their analysis of internal security data. “They struggle to get organizations timely and accurate information of their entire estate,” says Marriott, “but the data are inconsistent and ad hoc,” which can skew risk calculations.
Instead, Marriott says a cyber risk solution should do the following:
Provide a rich set of security data
Armed with information about internal security controls, likely attack vectors, top vulnerabilities, and compliance requirements, CISOs can better uncover risks and put resources toward those likely to have the greatest impact on their organizations.
For example, a missing laptop of someone in the C-suite is more critical than the laptop of an entry-level employee. The best systems highlight the precise number of endpoints that need remediation and the level of concern for each. “Once security teams have that information, they can perform analytics to understand and then prioritize what needs to be fixed to bring down the risk level,” says Marriott.
Enable smarter prioritization
A risk score can provide a snapshot of an organization’s cyber health at a single point in time. But more useful is a continuous, holistic score that helps a busy IT team see patterns in real time and quickly address the most urgent risks. “You could hand someone a list of 20 endpoints to take care of, which would actually be a reasonable thing to work with,” says Marriott.
Extend the organization’s security profile
With organizations increasingly relying on cyber insurance to offset payouts to criminals, insurers are keenly interested in having evidence of a client’s cyber hygiene. Likewise, third parties have a vested interest in understanding the risk their supply chain partners pose. And if the government eventually creates a National Cybersecurity Safety Board to probe cyberattacks, holistic scoring could prove useful to investigators.
For the time-being, however, organizations should be sure their risk-scoring solution ties back to their larger organizational goals. That will enable business leaders—from the board and C-suite to technical team leaders—to understand how a score translates into dollars lost or saved.
Ultimately, a shared understanding of business outcomes will ensure that a risk-scoring solution offers a complete roadmap to preventing ransomware attacks and retaining operational resilience.