The stakes have never been higher when it comes to cybersecurity. Global cyber attacks such as the recent WannaCry ransomware attack is a sobering reminder that cybersecurity is the existential threat of this generation. A new report from Lloyd’s of London estimates a serious cyber attack could cost the global economy more than US $120 billion - as much as catastrophic natural disasters such as Hurricane Katrina and Sandy.
According to the report, the most likely scenario is a malicious hack that would take down a cloud service provider at an estimated loss of US $53 billion. With all of the attention and the hundreds of vendors in the security industry, why are we still here in this same situation, with it only getting worse and more severe?
The reality is these "future" technologies and compute platforms, such as IoT and cloud, are no longer the future. They are here and now. This means the cyber attack surface is no longer a laptop or a server in a data centre.
According to “Business Intelligence”, there will be nine billion active IoT devices in the enterprise by 2019. That’s more than the entire smartphone and tablet markets combined. According to a 2016 IDG Enterprise Cloud Computing Survey, 70 percent of organisations already have apps in the cloud and 16 percent more will in 12 months. We’re also seeing development shifts such as DevOps become mainstream, and with that comes the rise of containers and microservices as a way to make changes to smaller parts of the application in a more agile way. According to 451 Research, the container market is the fastest growing market of cloud-enabling technologies, with a CAGR of 40 percent through 2020, growing from US $762 million to US $2.7 billion by 2020.
So What Do We Do in Response?
We throw hundreds of tools at the problem, each designed to protect the organisation from a niche, many times advanced "threat of the week" style attack. We have Configuration Management Databases (CMDBs) which give the organisation an IT view of assets and configurations, but weren’t built to keep pace with modern assets and aren’t a security view. Vulnerability Management (VM) technologies are used by most organisations to scan the network to identify issues, but the problem with legacy VM tools is they are a "one size fits all" approach designed in the world of client/server and on-premise data centres which only assess "known" assets which are running at the time of the scan or that can have an agent deployed on them.
We are in the new, modern world of IoT, cloud, SaaS, mobile and DevOps, which means organisations need to approach understanding their cyber risk in a way that adapts to this new world of modern assets.
For example, IoT and mobile devices may be undetectable with traditional tools, containers and cloud workloads which, as opposed to other types of assets that have lives of months to years, may have a life of minutes to hours, making them extremely hard to see and protect.
There are also safety-critical infrastructure and Operational Technology like Industrial Control Systems which are a rising attack vector. These systems were designed to be walled off from the network and isolated from threats, and therefore not designed for frequent change or software deployments. As software permeates through every industry, these Industrial IoT devices which are now connected devices need to be protected but the old way is too intrusive.
Welcome to the Modern Era of Cyber Exposure
We believe that Cyber Exposure is the next frontier for empowering organisations to accurately understand, represent and ultimately reduce their cyber risk against the rapidly changing modern attack surface. Cyber Exposure transforms security from a static or fragmented view to live and holistic visibility across every asset - whether that’s IoT or traditional IT devices, cloud infrastructure or Industrial Control Systems. From this live picture then you can start to accurately assess and analyse these assets for areas of exposure. This could be misconfigurations but it could also be other hygiene types of health indicators such as out-of-date antivirus or flagging high-risk users. By correlating this information with additional sources of data, such as a CMDB or threat intelligence, you can get a more complete picture of the business criticality and severity of the issue to prioritise remediation and work with IT to fix it.
Cyber Exposure is analogous to IT Service Management and how the execution of ITSM processes is supported with specialised software technology. At the core of ITSM software suites are a workflow management system (service desk) for managing incidents and maintaining a knowledge base system of record, and a Configuration Management Database (CMDB) for discovering and mapping Configuration Items and their dependencies.
Bringing these technologies together creates an intuitive way to link incidents with change and service requests together, but also provides a view of business services and the underlying IT infrastructure to help accelerate troubleshooting and change impact analysis, for example. Just as ITSM provides a process for planning, delivering and operating IT services to better support customers, Cyber Exposure provides a discipline and a process for managing and measuring cyber risk against the modern attack surface.
This will help security and IT teams collaborate to more effectively and efficiently identify and resolve issues, but will also provide an objective way for the CISO, CIO and the business to measure cyber risk and use it for strategic decisions and planning.
Cyber Exposure technologies will provide the data, visualisation, process management and metrics to help drive a new way to manage security to reduce risk, make better business decisions and actually enable digital transformation instead of being the impediment to it.
Communicating Cyber Risk to the Board
There has also been a lot of conversation around cybersecurity awareness and readiness within the C-suite and the board of directors: how do you represent and communicate cyber risk in non-technical, business terms?
Today the CISO has to translate a mountain of data in multiple spreadsheets into intuitive insights the business can use to make decisions from. Cyber Exposure will help the CISO drive a new level of dialogue with the business. If you know which areas of your business are secure - or exposed - and you can measure your organisation against a larger set of data, this opens up a whole new set of discussions and decisions about where the organisation needs to focus. For example, how much and where to invest to reduce risk to an acceptable amount and help drive strategic business decisions.
Every function has its organisational system of record to manage, measure and predict the business exposure relevant to that function. For example, CRM for revenue and forecasting exposure, ERP for financial and supply chain exposure and Human Capital Management (HCM) for employee satisfaction and attrition exposure.
Imagine a future where every strategic business decision factors in Cyber Exposure data as a key risk metric, just as the business does with all of these types of exposures. We believe the future doesn’t need to be in the future. We believe the future is now.