In my last blog, I addressed the concept of cyber risk quantification (CRQ): what it is and how it is applied. Frankly, the intent was to include cyber risk optimization (CRO) as well; however, each is such a robust topic that it was impossible to cover both well enough to my satisfaction in one blog. So here is a basic description of cyber risk optimization.
The Limits of CRQ Tools
It was critical to cover cyber risk quantification first, because you can’t optimize risk if you aren’t measuring (AKA quantifying) it. The unfortunate reality is that most cyber risk quantification tools stop there. They provide a number and some attractive graphs that you can share with management and present at board meetings. Again, that can have some use: it makes executives feel like they have a grasp of the situation, and it can largely satisfy governance requirements, which in and of itself can be critical. The problem is that it is of minimal use for providing better cybersecurity. Having a CRQ number that may or may not be accurate doesn’t actually help improve your risk posture.
Going back to the basics of CRQ, you start with the total possible loss and then determine the probability of that loss being realized. The probability of the loss being realized is where most CRQ efforts fall apart. FAIR is a great model, but it asks people to guess the probabilities of losses occurring. The probability depends on many things, including how easy given vulnerabilities are to exploit, the skill levels of the threats that would exploit them, etc. You need a model that takes all those factors into account. A tool or model that cannot incorporate true probabilities is not going to give you anywhere near accurate CRQ.
How CRO Bolsters CRQ
Cyber risk optimization is what actually makes CRQ useful. You optimize risk by assigning a cost to each vulnerability and comparing it to the cost of mitigating that vulnerability. Then you can calculate a real return on investment (ROI) for mitigating a vulnerability, and decide how to make the best use of available resources by mitigating those vulnerabilities with the highest ROI.
Clearly, this is not an easy task. It requires a variety of methods to determine the probability that each vulnerability is exploited and which assets it can reach, and then to calculate the cost of the vulnerability. In short, the cost of a vulnerability is the probability of its being exploited times the total cost of all assets the vulnerability is tied to.
Once you understand the costs of the vulnerabilities, you then need to determine the cost to mitigate each one. This involves factoring in a wide variety of concerns, including the costs of tools, maintenance, and the labor to implement countermeasures (including the geographies where that labor is located), among others.
You can create your own methods to implement CRO. Frankly, you need to implement some form of CRO, even if it is rough. You should try to rationalize your cybersecurity efforts by determining how to optimize your spending.
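A rough implementation of the CRO procedure laid out above, as an added example that is not part of the original post and not Hyver's method: vulnerability cost = probability of exploitation times the value of the assets it exposes, ROI of the countermeasure against that cost, and a budget-constrained ranking. The asset values, probabilities, mitigation costs and the greedy selection rule are all constructed assumptions for illustration.

```python
"""Cyber risk optimization (CRO) worked through on constructed sample data."""
from dataclasses import dataclass


@dataclass
class Vulnerability:
    name: str
    p_exploit: float        # assumed annual probability the flaw is exploited
    assets: list[str]       # assets reachable through the flaw
    mitigation_cost: float  # assumed cost of the countermeasure (tools, labor, upkeep)


# Constructed asset valuations: total possible loss per asset, in USD.
ASSETS = {
    "crm-db": 2_000_000.0,
    "payroll": 800_000.0,
    "wiki": 50_000.0,
}

# Constructed vulnerability inventory (names and numbers are placeholders).
VULNS = [
    Vulnerability("unpatched-vpn", 0.30, ["crm-db", "payroll"], 120_000.0),
    Vulnerability("weak-wiki-auth", 0.60, ["wiki"], 15_000.0),
    Vulnerability("legacy-ftp", 0.05, ["payroll"], 90_000.0),
]


def vulnerability_cost(v, assets=ASSETS):
    """Expected loss: P(exploited) x total value of every asset the flaw is tied to."""
    return v.p_exploit * sum(assets[a] for a in v.assets)


def mitigation_roi(v, assets=ASSETS):
    """ROI of the countermeasure: (expected loss avoided - mitigation cost) / mitigation cost."""
    return (vulnerability_cost(v, assets) - v.mitigation_cost) / v.mitigation_cost


def optimize(vulns, budget, assets=ASSETS):
    """Greedy CRO: fund the highest-ROI mitigations that still fit the budget.

    Returns (names of funded mitigations, budget left over). Items with ROI <= 0
    are skipped: the countermeasure costs more than the loss it would prevent.
    """
    ranked = sorted(vulns, key=lambda v: mitigation_roi(v, assets), reverse=True)
    chosen, remaining = [], budget
    for v in ranked:
        if mitigation_roi(v, assets) <= 0 or v.mitigation_cost > remaining:
            continue
        chosen.append(v.name)
        remaining -= v.mitigation_cost
    return chosen, remaining


if __name__ == "__main__":
    for v in VULNS:
        print(f"{v.name:15s} cost={vulnerability_cost(v):>12,.0f} roi={mitigation_roi(v):6.2f}")
    print(optimize(VULNS, budget=130_000.0))
```

With a 130,000 budget the VPN fix (ROI 6.0) is funded, the wiki fix (ROI 1.0) no longer fits, and the FTP fix is dropped regardless because its expected loss is below its mitigation cost.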
How Hyver Helps You Save Money
It is complicated, and that is frankly the reason I joined CYE. We’ve been refining our Hyver platform for more than seven years to accomplish this, constantly optimizing the AI and other algorithms to improve the results. Those results allow our customers not just to improve their cybersecurity programs, but to save money as well, since CRO also lets you identify countermeasures already in place that are unnecessary.
While I believe everyone should use Hyver, for many people that might not be a choice. However, you should attempt to implement the principles of CRO either way. You shouldn’t just blindly spend money on what you have been spending it on. Your cybersecurity program should be a living program that is modified as circumstances change. CRO is the way you put life in your program.
Want to learn more about how Hyver can help you quantify and optimize your cyber risk? Schedule a demo.