In Part I of this three-part blog series, we discussed building a cyber risk metrics program from the ground up. We also discovered how to implement effective strategies for holistically articulating your cyber risk posture across your organization.
In our second installment, we'll delve deeper into how to elevate your cyber risk profile to drive support of your organization's attack surface reduction strategy, and we'll review some real-world use cases to help you achieve this mission effectively.
Strategically positioning security metrics to business leaders is a pathway to raise awareness and drive action to reduce your organizationās attack surface.
Let's take these two use cases to understand how this works.
RGE (Revenue Generating Ecosystem) includes the computing systems critical to the organization for fulfilling its mission. A business mission could be producing transportation parts or delivering lifesaving services. In a typical business enterprise, RGE is usually seen as providing a product or service that makes revenue for the business and/or adds value for the board of directors or investors.
On the other hand, a business mission supporting blood donation doesn't generate revenue. Still, it provides life-saving services, and the computing systems that support this mechanism are considered "RGE", even though no direct monetary returns are generated for that business.
As such, based on the previous two examples, metrics demonstrating the risk profile of these mission-critical systems are needed. Another essential reason to measure the technical and cyber hygiene of RGE is that these systems consume the lion's share of IT support cycles and require attention from security teams too. Both technical and business leaders are highly aware of the health of these mission-critical systems, which is another reason metrics centered on this RGE concept are warranted.
To measure your RGE environment, you must know all the assets comprising this landscape. (Qualys has straightforward, effective technical solutions to meet this foundational requirement.)
To understand more about these solutions, please see the following links: Network Scanners, Qualys Cloud Agent, Passive Sensors, CSAM, and EASM. To gain additional details on how Qualys can assist your company in completing its journey on complete 100% asset visibility, you should schedule a follow-up meeting with our experts.
In short, points 1-3 provide a solid starting point for assisting in discovering which assets make up your RGE and their associated business criticality. As such, this approach will get you 80% there at this stage of the process.
Points 4 and 5 serve to fill in the gaps and bring your RGE picture to completeness. Hence, this step completes the other 20% of this picture. Again, I'm talking about the non-technical approach to gain a complete view of all assets that comprise your Revenue Generating Ecosystem. You will need technical systems similar to the mechanisms I noted above.
To reduce the enterprise attack surface, here are three phases of metrics that are derived from this exercise:
Technical debt is a universal problem within an organization's IT infrastructure. It is the summation of leftover older systems, applications, or code that never get replaced or upgraded but are still useful to the business and its operations. It typically accumulates after upgrades are completed, during transitions to new systems or applications, or following a merger/acquisition or other significant shift in IT or business operations.
The usual excuse is: "We'll decommission those systems during the next change window." As a result, the next change window turns into weeks, weeks turn into months, and months become years, or never.
**Most organizations never eliminate all their technical debt.** This requires spending more on CAPEX or OPEX to keep these antiquated systems running. It includes extending support contracts and maintenance or hiring consultants to manage deprecated systems or applications, especially when an organization loses internal technical expertise on these older systems.
Consider the principal (the one-time cost of removing the debt, including re-architecture and migration) alongside the "interest" costs (the recurring, increased maintenance).
Technical shortcomings from old technology add risk to your attack surface because the applicable vendors no longer produce security patches or upgrades. This scenario is akin to compounding interest on a savings account. Example: compound interest generates "interest on interest" and makes the sum of money grow faster than simple interest. Unfortunately, technical debt does not benefit businesses the way interest does in this example.
State the costs of maintaining and supporting this unruly computing system when framing a business case to reduce and remove your company's technical debt. Include previous years' costing numbers and projected costs for the next "x" years. The resulting metric will support the IT team's goal of removing older systems and show which technical risks will be mitigated.
Consider enriching these business numbers with values from analysts such as the Ponemon Institute. For example, a recent Ponemon Institute report noted the average cost of a data breach in 2022 increased 12.7% from $3.86M (in 2021) to $4.35M. The per-record cost of a data breach hit a seven-year high of $164.00, a 1.9% increase from 2021.
Citing these third-party statistics from the Ponemon Institute emphasizes the value of reducing technical debt and grounds your projected cost savings in relatable, recent real-life examples.
As a result of this approach, a reduction in your cyber risk posture is achieved by creating and using these tailored metrics for executives and other IT leaders. These actions also serve as a catalyst to decrease your technical debt catalog, with the added value of a reduced attack surface.
To close out the first blog in this series, I recommended starting here:
Overall Risk Score: As part of the baseline approach I noted earlier, using the initial Cyber Risk Score to establish a baseline for your security program is a great place to start. Typically, to get to this initial score, your security solution toolsets will have native scoring and/or dashboard features.
Modern tooling needs the flexibility to ingest disparate data sets (see Qualys Enterprise TruRisk Management, ETM), and your security team needs the ability to make manual adjustments based on known exceptions and risk mitigation strategies that affect this risk score.
For example, you know things about your technical environment that your tooling will not. When a specific asset is behind three sets of Next Gen Firewalls with advanced logging enabled, the risk of exploiting this asset is significantly reduced.
Security analysts need the ability to adjust accordingly to accurately reflect the True Risk of that asset within your enterprise. (See Qualys TruRisk to view how to accomplish this step.) Otherwise, your scoring system will be skewed, and your teams will chase a ghost. The metric numbers will not reflect your true risk posture, and your metric program will be a "tick a box" deliverable. This doesn't add value to your organization and will steal precious work cycles from your team while wasting time and money for your business.
My advice: Only go one level down to break out these metrics for leadership using a summarized risk score of the perimeter and a summarized risk score of the inside computing environment, as I noted above.
Pro-Tip: Always define and clearly note on your metric dashboard what the concepts "perimeter" and "inside" mean to the audience. This will pre-answer their questions of "What do you mean by perimeter?" or "What do you mean by the 'inside environment'?"
Based on my 25+ years of experience working in different types of companies, these types of questions seeking clarity from their perspective are always asked. Always.
Pre-answering these questions and clearly defining the two computing environments again solidifies your commitment to seeing this metric program succeed for them and your organization. This action also signals to your leadership that you think beyond the initial ask and paints you as a savvy business operator. Being proactive in this soft skill is an attribute you will be graded on as part of your annual performance evaluation.
BTL metrics comprise Internal and Perimeter environments (Perimeter includes DMZ, edge/internet-facing areas, and cloud providers.)
Internal (Suggestions to get started)
Note: "Working" is measured by the last time the agent successfully checked into the security console, Active Directory, etc. The previous 24 hours is an excellent place to start for your "agent last check-in threshold."
This is the approach I took when establishing this baseline for the organizations I worked at previously. Having the binary installed and not working does not protect your organizationās data, reputation, or stock price. This is an important reason to measure this piece of IT for your security posture.
**Pro-Tip: These are also the same questions IT auditors will ask you to evidence during an IT audit: what is your security agent coverage, are the agents working as designed and expected, and "Show me how you demonstrate the success of your patching process and how do you account for deviations or exceptions in this process?"** Having this information documented and trending demonstrates to the auditors that your cyber defense program is maturing in the right direction.
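The agent check-in threshold above and the one-level-down perimeter/inside roll-up with analyst adjustments described earlier, as an added example that is not part of the original post. The asset inventory, hostnames, scores and the `risk_adjustment` field are constructed for illustration and are not a Qualys data format.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real data): one record per asset, roughly
# what an asset-management export might contain. 'last_checkin' is the agent's
# last successful check-in to the security console; None means never seen.
# 'risk_adjustment' is a hypothetical analyst factor for compensating controls.
NOW = datetime(2023, 3, 1, 12, 0, tzinfo=timezone.utc)
ASSETS = [
    {"host": "web-01", "zone": "perimeter", "agent_installed": True,
     "last_checkin": NOW - timedelta(hours=2), "risk_score": 850},
    {"host": "web-02", "zone": "perimeter", "agent_installed": True,
     "last_checkin": NOW - timedelta(days=9), "risk_score": 900},
    {"host": "vpn-01", "zone": "perimeter", "agent_installed": False,
     "last_checkin": None, "risk_score": 600},
    # erp-db sits behind layered NGFWs with logging, so the analyst halves its score
    {"host": "erp-db", "zone": "internal", "agent_installed": True,
     "last_checkin": NOW - timedelta(hours=20), "risk_score": 700,
     "risk_adjustment": 0.5},
    {"host": "file-01", "zone": "internal", "agent_installed": True,
     "last_checkin": NOW - timedelta(hours=30), "risk_score": 400},
    {"host": "hr-app", "zone": "internal", "agent_installed": True,
     "last_checkin": NOW - timedelta(hours=1), "risk_score": 300},
]

def agent_is_working(asset, now, threshold_hours=24):
    """Installed is not enough: the agent must have checked in within the threshold."""
    seen = asset["last_checkin"]
    return bool(asset["agent_installed"] and seen is not None
                and now - seen <= timedelta(hours=threshold_hours))

def agent_coverage(assets, now, threshold_hours=24):
    """Per zone: total assets, agents installed, agents working, and working %."""
    out = {}
    for a in assets:
        z = out.setdefault(a["zone"], {"total": 0, "installed": 0, "working": 0})
        z["total"] += 1
        z["installed"] += int(a["agent_installed"])
        z["working"] += int(agent_is_working(a, now, threshold_hours))
    for z in out.values():
        z["working_pct"] = round(100 * z["working"] / z["total"], 1)
    return out

def summarized_risk(assets, zone):
    """Mean adjusted risk score for one zone: the one-level-down roll-up for leadership."""
    scores = [a["risk_score"] * a.get("risk_adjustment", 1.0)
              for a in assets if a["zone"] == zone]
    return round(sum(scores) / len(scores), 1) if scores else 0.0
```

The installed-versus-working gap (web-02 has an agent but has not checked in for nine days) is exactly the deviation an auditor will ask you to account for.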
Perimeter (recommendations to start with)
Pro-Tip: Determine which modules on your NGFW are being used: L7 firewall rules, IDS/IPS, WAF, etc. This perspective will provide the details of which layer of the OSI model these attacks are traversing, to aid in bolstering your cyber defenses.
Note: Qualys offers CNAPP as part of a cloud-native security solution called TotalCloud.
Pro-Tip: This is an excellent time to re-evaluate your risk tolerance for your organization after launching and continuously using your metrics program.
As you develop a security metrics program, focus on the crucial outcomes. In particular, be aware of telling the right story to specific stakeholders: technical metrics for IT and security professionals and business-related metrics for executives.
The Qualys platform's clean and actionable data will provide helpful insights to consistently, constantly, and holistically reduce risk throughout your enterprise. As a result, your metrics program will demonstrate how the security team is winning the cyber battle.
By actively taking this data-driven approach and using the Qualys platform, your teams can confidently fine-tune the organization's cyber defense approach, reduce the risk profile, and strengthen your organization's security posture. Thus, you can elevate the organization's cyber risk profile to the business by assisting in the attack surface reduction mission to make it the smallest footprint attainable.