As I have written about many times before, it is especially important for a business today to conduct a thorough Risk Assessment to see where its vulnerabilities lie and, from there, to see which ones are the most prone to a security breach. After that, you will want to deploy the appropriate controls to reduce the chances of any future threat variant impacting them.
Although this is far easier said than done, there is also one factor that I have failed to take into consideration: the money involved. There will be a cost to deploy these controls, and if you don’t have the money in your present budget, then you will obviously have to prepare a new one and present it to the C-Suite to get the new funds approved.
But getting their buy-in may not be as easy as you think. Unfortunately, to many of them, addressing Cybersecurity Risks is an exceptionally low priority on the totem pole, as they don’t see it as a revenue-generating opportunity. Rather, they see beefing up the lines of defense as one huge expense.
But what they fail to realize is that the steps taken today, while there might be some costs now, will save them from losing their business if they are hit, especially by a Ransomware Attack.
So, one of the best ways in which you can secure any future funding is to calculate what your true “Vulnerability Debt” is, so that the risks of not addressing it can be fully quantified. But first, it can be technically defined as follows:

“Vulnerability debt is the number of security risks that accumulate over time when they are not patched.”

(SOURCE: Vulnerability Debt: Estimating the Impact)
A good example of this is the total number of applications that you have which have not been patched. Simply look back to when they were all last upgraded, and to the last critical patch that was applied to each.

Whatever the total accumulation is collectively then becomes what is known as your “Vulnerability Debt”. Therefore, you will want to take the time you need to do this, so that you can present an effective measure to the C-Suite, thereby convincing them that extra money is really needed.
Here are some tips on how to do this:

1) Risk Assessment:

Once again, do this critical task. By doing so, you will have an inventory of all your digital assets. But the key thing to remember here is that this is not a one-time deal. Rather, it must be done on a regular basis, at least once a quarter. Also keep in mind that you can automate parts of this process by making use of Generative AI.
2) Not All Is Equal:

There is no doubt that all your digital assets are important, but not all of them can be treated equally, at least at the outset (though the goal is to address all of them in the long term). Therefore, as also stated before, you will want to rank those digital assets that are the most critical to maintaining mission-critical operations. Then, from there, assign a Vulnerability Score to this group, and those with a high ranking will need to get first attention.

For example, if you have 100 digital assets, and 20 of them are mission critical, then you will want to rank the latter based upon how prone they are to a threat variant. Out of these 20, if 5 have the highest degree, then these will be at the top of your list. One key benefit of doing this is that instead of presenting an entire laundry list of items to the C-Suite, you will have a much narrower one. This will be much more comprehensible, and thus you can go into a lot more detail as to why the money is needed for these 5 digital assets.
3) All Are Needed:

In the end, doing all of this should not fall onto the shoulders of just the CISO and their IT Security team. Rather, it takes each employee to make this kind of thing work, and teamwork is greatly needed. This must be stressed, and one of the net benefits of all this is that a strong level of Cyber Hygiene will also be realized, thus fortifying your lines of defense even more.
4) Don’t Forget the Metrics:

To help quantify your Vulnerability Debt, you will also want to include some relevant metrics. The two biggest ones are the Mean Time to Detect (MTTD) and the Mean Time to Respond (MTTR). The former represents how long it takes an IT Security team to pick up that a threat variant is lurking in the IT and Network Infrastructure, and the latter represents how long it will take to contain it. You should present two scenarios here:

- What will the MTTD and MTTR be if funding is not received for those 5 digital assets?

- What will the MTTD and MTTR be if funding is received for those 5 digital assets?
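The four steps above, carried through as an added worked example (this is illustrative code written for this post, not a tool from the source): an inventory of assets, a count of the unpatched ones as the Vulnerability Debt, a ranking of the mission-critical assets by an assumed Vulnerability Score (open critical findings multiplied by days since the last critical patch), and MTTD/MTTR computed from a few constructed incident records. The asset and incident data are made up for the illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean

@dataclass
class Asset:
    name: str
    mission_critical: bool
    last_critical_patch: date   # when the last critical patch was applied
    open_criticals: int         # critical findings still unpatched today

@dataclass
class Incident:
    started: datetime    # first evidence of the threat variant in the environment
    detected: datetime   # when the IT Security team picked it up
    contained: datetime  # when it was contained

def vulnerability_score(asset, today):
    # Assumed weighting (not from the post): open criticals x days since last patch.
    return asset.open_criticals * (today - asset.last_critical_patch).days

def vulnerability_debt(assets):
    # The post's literal definition: how many assets carry unpatched risk.
    return sum(1 for a in assets if a.open_criticals > 0)

def rank_mission_critical(assets, today, top_n=5):
    # Step 2: keep only mission-critical assets, highest score first, top N.
    critical = [a for a in assets if a.mission_critical]
    critical.sort(key=lambda a: vulnerability_score(a, today), reverse=True)
    return [a.name for a in critical[:top_n]]

def mttd_hours(incidents):
    # Mean Time to Detect: start of the incident until it was noticed.
    return mean((i.detected - i.started).total_seconds() / 3600 for i in incidents)

def mttr_hours(incidents):
    # Mean Time to Respond: detection until containment.
    return mean((i.contained - i.detected).total_seconds() / 3600 for i in incidents)

# Constructed sample inventory and incident history (not real data).
TODAY = date(2024, 6, 30)
ASSETS = [
    Asset("erp", True, date(2024, 1, 15), 3),
    Asset("payroll", True, date(2024, 5, 1), 2),
    Asset("intranet-wiki", False, date(2023, 12, 1), 4),
    Asset("vpn-gateway", True, date(2024, 6, 20), 1),
    Asset("crm", True, date(2024, 6, 25), 0),
]
INCIDENTS = [
    Incident(datetime(2024, 3, 1, 8), datetime(2024, 3, 2, 8), datetime(2024, 3, 2, 20)),
    Incident(datetime(2024, 4, 10, 0), datetime(2024, 4, 12, 0), datetime(2024, 4, 12, 6)),
]
```

Rerunning the same functions against the incident history you expect after the 5 assets are funded gives you the second scenario for the C-Suite.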
My Thoughts on This:

Well, there you have it: some tips on how to strengthen your case for Cybersecurity funding. But remember, don’t paint a complicated Cyber Threat Landscape for the C-Suite; just tell them what is out there and what will happen if this is not done. You will also want to remind them of the extremely harsh financial penalties for non-compliance with the data privacy laws.

That alone should get them interested.