Real time is where the cybersecurity risk is


I don’t know how many times I’ve heard cyber security professionals say something like “We don’t have multi-factor authentication [MFA]. It is a great risk for our organization.”

The truth is, that kind of statement can illustrate a control weakness, but unless the unintended result is a dent in an audit report where MFA is required, that’s not the real risk. The real risk is the likelihood of a ransomware incident, for example, or a leak of personally identifiable information (PII) from a customer database.

For businesses, the risk lies in the potential losses associated with unintended outcomes incurred through their computing environments. The cybersecurity piece of this generally focuses on incidents where these outcomes were caused by a clever adversary.

A simple way to think about unintended outcomes is to consider the ways in which CSOs may fail to meet one or more of their control objectives (confidentiality, integrity, availability, or other objectives) and consequently experience one of the above incidents, among others.

Once risk is understood, it becomes easier to see that much of what we do in cybersecurity revolves around addressing control weaknesses that essentially act as risk placeholders. We feel that there is no real way to determine risks and assess their likelihood, and therefore rely on best practices and control frameworks to fill in the gaps.

Thus, although most CSOs perform their functions in the service of risk management activities, there is almost never any evidence that correcting control weaknesses would lead to a true reduction in the unintended outcomes that lead to loss events.

Cyber security risk lives in real time

I think there’s a big reason this is true: we don’t internalize the fact that the risk we seek to manage “lives” within the real-time activities that occur in our IT environments. That is, the risk exists within the millions, billions, trillions, quadrillions of transactions and messages and sessions and other structured elements.
