Having recently attended RSA 2022, one of the largest cybersecurity industry conferences in the US, it is clear that the cybersecurity industry is only just beginning to address the catastrophic and cascading problems of systemic cyber risk.
Respondents in a survey I conducted rated their clients’ understanding of their self-insured financial exposure to cyber risk at 3.25 on a 10-point scale. A rating of 10 indicated that their clients quantified their self-insured economic exposures to cyber risk, and a 1 indicated that they had no idea of the financial impacts of their cyber risk profile.
Lack of understanding of the economic impacts of cyber risk compounds the potential impacts of systemic cyber risk and the challenges faced by boards and leadership teams in cyber governance and management. Some forward-thinking cyber leaders shared their thoughts on systemic cyber risk with me.
Bob Kolasky, Senior Vice President at Exiger, captured the essence of the problem simply but powerfully when he said, “Systemic risk demands systemic solutions.” Exiger’s products and services focus on one of the most visible areas of systemic cyber risk: third-party risk. Its solutions focus on supply chain transparency to expose common vulnerabilities and concentration risks. They are addressing the core systemic cyber risk challenge of a distributed cyber risk environment that requires a consolidated understanding of cyber vulnerabilities across an entire business ecosystem.
Systemic risk refers to the risk that exists between the parts of any complex system. This includes third-party vulnerabilities. Being able to understand if any third party introduces critical levels of systemic risk throughout the system through concentration risk is also a critical systemic cyber risk challenge. The phrase “too big to fail” that emerged with the systemic failures of the financial system in 2008 perfectly reflected the catastrophic and systemic impacts of concentration risk on entire complex systems.
Nima Schei, CEO of Hummingbirds AI, explained systemic cyber risk this way: “Cyber risk is an exponential risk, with real-world consequences, but it is treated as a linear risk. The gap between our needs and our resources is getting exponentially wider and wilder.”
Wider and wilder, how true. One of the key characteristics of systemic risk is its non-linear behavior, which makes predicting its impact and mitigating its risks difficult but not impossible.
Described as the first video-based continuous verification platform (CVIV), the Hummingbirds GuacamoleID product addresses the most common entry point of systemic risk into complex digital systems, the human interface. Its real-time facial recognition AI product strengthens authentication by making it a persistent, real-time process focused on the ability to constantly verify the identity of the person using a device connected to a complex system. The banking and financial sectors are early adopters of this type of real-time authentication technology to reduce the risk associated with this common systemic vulnerability.
Thomas Pore, a director at LiveAction, shared his views on systemic cyber risk this way: “Being in business without a cybersecurity strategy is like walking into traffic without using a crosswalk. And seeing encrypted traffic is key to understanding cyber risk. But doing it without affecting performance is crucial. That is why new encrypted traffic analysis technologies that use deep packet dynamics that eliminate the need for payload inspection are important when assessing risks in the network.”
Systemic cyber risk manifests itself through complex digital systems in many ways and threatens the system continuously and in real time. This means that the business value offered by the system must be defended and monitored continuously and in real time, whether that value is derived directly from e-commerce revenues, digital products, services or platforms, or is supported and/or enabled indirectly through a complex digital business system.
LiveAction's product, ThreatEye NV, uses multiple AI-driven approaches for real-time and long-term analysis of network traffic behavior. This enables proactive alerting of anomalies related to pre- and post-exploitation behavior, allowing cyber defenders to take immediate action to stop systemic risk before it spreads, protecting the entire system and the business value it drives.
While these innovative companies are tackling different aspects of systemic cyber risk head-on, one thing became clear during my time at RSA 2022: the vast majority of cyber risk solutions on the market need to catch up with the growing threat of systemic cyber risk.
This will require a deeper understanding and new approaches to cyber risk management: ones that understand the entire digital system and how its parts work together to create business value. Only then can risks to that security be systematically identified, monitored, detected and mitigated.
This presents an incredible opportunity for the cyber security industry and for anyone who can solve the problems of governance and management of systemic cyber risk. New solutions are needed that bring innovative approaches to mitigating the complexities of systemic cyber risk.
Who will emerge as a leader in systemic cybersecurity?
RSA 2022 taught me that the playing field in the cybersecurity industry is wide open when it comes to systemic cyber risk management. What will RSA 2023 bring?