I've seen a lot of board rooms over the last 18 years and have met with boards of directors for companies with as few as 100 employees and companies with as many as 50,000 employees. In every one of these meetings, I've been asked the inevitable, arguably rhetorical question, "Are we secure yet?"
No cybersecurity engineer or chief information security officer (CISO) looks forward to this question from an executive committee or board, because the answer is never what the one asking wants to hear. The person asking is usually trying to make a point that no matter how much money is thrown at the problem, the company continues to see ransomware infections or breaches, and isn't really trying to find an answer in the first place. Furthermore, the one asking usually doesn't want to invest any more in cybersecurity and wants better results from the investment the company has already made.
How we look at cybersecurity today is not how we should be looking at it at all. The growing pandemic across the global marketplace is to view cybersecurity as binary—either secure or not—and that's simply wrong. Exacerbating this problem is compliance, which relegates security to checkboxes and creates the perception that security is synonymous with compliance. But compliance does not equal security. Noncompliance in regulated industries is simply a trigger for financial and penal punishments against companies that fail to comply. Even compliance audits can easily be danced through, as evidence is manufactured in the middle of an audit in order to pass.
The Target data breach is one of many contemporary examples of why a company isn’t secure just because it passes a compliance audit.
As a result of the breach, Target faced a US$90 fine for each cardholder whose data was compromised, which could have translated to a US$3.6 billion liability to Target. This is on top of the US$10 million lawsuit Target settled with cardholders, with the total payout from the breach exceeding US$218 million at last count.
So, if being compliant doesn't mean the company is secure, and firewalls, intrusion detection systems, and anti-malware solutions don't make a company secure either, what does?
I believe the question is illogical, as there is no such thing as a secure product or company. Security should be seen as a scoring system, much like a credit score, rather than a simple conclusion of secure or not. While there’s an ongoing debate as to whether return on investment formulas exist in cybersecurity and are defensible, I'm not referring to the ROI on security purchases but rather to a score on the overall security posture of the information security management system, and to tracking the score over time as it's improved through the employment of administrative, logical, and technical controls.
So, let's assume for a brief moment that you agree that security should be thought of as a score. What scoring should be implemented and how?
One could implement both an asset-based and a scenario-based risk assessment after creating a full asset register of all the business-critical or regulated data that the company stores, processes, and transmits. From there, each asset would be categorized into an asset class and risk assessments performed against those classes of assets. This would in turn produce risk scores, and any risk scoring above a predefined threshold that the business deems "unacceptable" would then be treated.
The executive committee and board would then need to be coached on how to ask the right question. Instead of asking "Are we secure?" they would ask, "Do we have any unacceptable risks to the business?"
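To make the asset-based and scenario-based scoring concrete, here is an added example (not from the original article, and not any vendor's product): a constructed asset register for a hypothetical company is grouped into asset classes, each class is assessed against threat scenarios on a 1–5 likelihood × impact matrix (an assumed scoring convention; the article does not prescribe one), scenarios at or above an assumed "unacceptable" threshold of 15 are listed for treatment, and a single posture score is tracked before and after controls are applied. The asset names, scenarios, numbers and the `apply_control` helper are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, List

# Constructed asset register for a hypothetical company. In practice this is the
# output of discovering where regulated or business-critical data is stored,
# processed and transmitted.
ASSET_REGISTER = [
    {"asset": "card-db-01",    "asset_class": "cardholder data store", "regulated": True},
    {"asset": "card-db-02",    "asset_class": "cardholder data store", "regulated": True},
    {"asset": "hr-payroll",    "asset_class": "employee PII",          "regulated": True},
    {"asset": "erp-prod",      "asset_class": "business-critical app", "regulated": False},
    {"asset": "marketing-web", "asset_class": "public web",            "regulated": False},
]


@dataclass(frozen=True)
class Scenario:
    """One threat scenario assessed against an asset class.
    Likelihood and impact use a 1-5 ordinal scale (assumed qualitative risk matrix)."""
    asset_class: str
    threat: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        return self.likelihood * self.impact  # 1..25


# Constructed scenario-based assessment results, one or more per asset class.
SCENARIOS = [
    Scenario("cardholder data store", "ransomware via phished admin",  4, 5),
    Scenario("cardholder data store", "SQL injection from public app", 3, 5),
    Scenario("employee PII",          "insider exfiltration",          2, 4),
    Scenario("business-critical app", "unpatched service exploited",   3, 4),
    Scenario("public web",            "defacement",                    3, 2),
]

UNACCEPTABLE = 15  # assumption: the business has set its risk appetite at this score


def asset_classes(register: List[dict]) -> Dict[str, List[str]]:
    """Group the asset register into asset class -> list of asset names."""
    classes: Dict[str, List[str]] = {}
    for row in register:
        classes.setdefault(row["asset_class"], []).append(row["asset"])
    return classes


def class_scores(scenarios: List[Scenario]) -> Dict[str, int]:
    """Risk score per asset class, taken as the worst scenario score for that class."""
    scores: Dict[str, int] = {}
    for s in scenarios:
        scores[s.asset_class] = max(scores.get(s.asset_class, 0), s.score)
    return scores


def unacceptable_risks(scenarios: List[Scenario], threshold: int = UNACCEPTABLE) -> List[Scenario]:
    """Scenarios at or above the threshold; these are the ones that must be treated."""
    return [s for s in scenarios if s.score >= threshold]


def has_unacceptable_risk(scenarios: List[Scenario], threshold: int = UNACCEPTABLE) -> bool:
    """The answer to the board's better question: do we have any unacceptable risks?"""
    return bool(unacceptable_risks(scenarios, threshold))


def posture_score(scenarios: List[Scenario]) -> int:
    """One number to track over time: the sum of all scenario scores. Lower is better."""
    return sum(s.score for s in scenarios)


def apply_control(scenarios: List[Scenario], asset_class: str, threat: str,
                  likelihood_delta: int = 0, impact_delta: int = 0) -> List[Scenario]:
    """Return a new list in which the matching scenario's residual likelihood and
    impact are reduced by the given deltas, clamped to the 1-5 scale."""
    clamp = lambda v: max(1, min(5, v))
    out = []
    for s in scenarios:
        if s.asset_class == asset_class and s.threat == threat:
            s = replace(s, likelihood=clamp(s.likelihood - likelihood_delta),
                        impact=clamp(s.impact - impact_delta))
        out.append(s)
    return out


if __name__ == "__main__":
    print("asset classes:", asset_classes(ASSET_REGISTER))
    print("class scores:", class_scores(SCENARIOS))
    print("unacceptable risk?", has_unacceptable_risk(SCENARIOS), "posture:", posture_score(SCENARIOS))
    # Treat the two unacceptable scenarios: MFA for admins and parameterized queries plus a WAF.
    treated = apply_control(SCENARIOS, "cardholder data store", "ransomware via phished admin", likelihood_delta=2)
    treated = apply_control(treated, "cardholder data store", "SQL injection from public app", likelihood_delta=2)
    print("after controls: unacceptable risk?", has_unacceptable_risk(treated), "posture:", posture_score(treated))
```

Run as written, the initial assessment answers "yes" (two cardholder-data scenarios score 20 and 15, posture 61); after the two controls the answer becomes "no" and the posture score drops to 41, which is the kind of trend line a board can be shown instead of a yes/no on "secure".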
FICO is attempting to apply a scoring methodology to organizations through its new Cyber Risk Score, offered as a freemium service, which uses machine learning to score an organization on a combination of data points that FICO pulls together. The Cyber Risk Score, much like a personal credit score, is assigned to organizations based on the empirical data FICO receives. Unlike a risk assessment, though, the score isn't on specific assets or asset classes but is rather a cyber risk score for the entire organization.
This scoring system attempts to help organizations determine, for example, how risky a third-party supplier might be before granting it remote access to the organization's network. The empirical score relies on a comprehensive and diverse set of cybersecurity data signals, collected at internet scale, to determine the risk profile of any organization. These signals reflect key risk indicators, including the health and hygiene of IT systems, network infrastructure, and software and services. These current and historical signals, or behaviors, are compared with the past behaviors of organizations that have, and have not, suffered a material data breach. Together, this information trains a machine learning model that produces a risk score forecasting the likelihood of a future breach event for that organization. Much as individuals can improve their personal credit score, organizations can log in to the FICO system, run their own report, and improve their score by addressing the risks that are dragging it down.
Could FICO and competing companies SecurityScorecard and BitSight be creating a brand new industry of companies that score organizations’ security postures? Because cybersecurity breaches affect not just the brand of the organization targeted but anyone else that may be involved, we may now be entering a new era in which companies vet the cybersecurity hygiene of companies before deciding to enter into business arrangements with them. And these companies are beginning to give them the tools to do it.
While risk assessments aren't new, FICO's attempt to remove subjective decision-making from risk assessments using machine learning models is intriguing. I am currently researching the FICO product, and the results will be published in a new Aite Group report later this year.