Top 5 Initiatives for High Impact Risk Reduction in 2023 Cybersecurity Projects
January 2, 2023 | By: Stephen Boals
Getting the Biggest Bang for Your Cyber-buck
With cybersecurity spending expected to grow at 11% in 2023 (Gartner), many CISOs are looking at how to spend their budgets and where to get the greatest impact from a risk reduction perspective. Where do most CISOs focus? In a study by Moore, Dynes and Chang, “Identifying How Firms Manage Cybersecurity Investment”, which interviewed a cross-industry sample of 40 CISOs, the majority of CISOs said that when investing to reduce risk they focus on two key areas:
- Perceived Risk Reduction
[Figure: CISO Survey: Top Drivers of Cybersecurity Investment. Source: Identifying How Firms Manage Cybersecurity Investments]
The use of “perceived” is intriguing in this context. Hard, reliable statistics are often difficult to come by in the cyber world. Most CISOs invest to reduce risk based on experience, staff and business input, business needs, and the input of third parties (peers, consultancies, the board, etc.). But what is the overall effect on true risk in the wild? Does moving that incident response plan to maturity level 3, or training the board on cybersecurity policies and procedures, make a marked difference? There must be a better way than “perceived”, right? Experience can guide us, but how can we build on a quantified foundation for risk (the probability and cost of a breach)?
Another Way to View Your Investments: The Stochastic Model
Stochastic modeling can be a huge help when it comes to examining investments in business, and cybersecurity investments can be analyzed through this method. So, what is stochastic modeling? Definition from Investopedia:
Stochastic modeling is a form of financial model that is used to help make investment decisions. This type of modeling forecasts the probability of various outcomes under different conditions, using random variables.
- Stochastic modeling forecasts the probability of various business outcomes under different and varying conditions, using random variables.
- Because cybersecurity events can never be eliminated as a risk, a stochastic model represents a fair way to predict an otherwise random event.
- Stochastic modeling presents relevant data and predicts outcomes that account for certain levels of unpredictability or randomness in the results.
- In the banking/financial services industry, planners, analysts, and portfolio managers use stochastic modeling to manage all assets and liabilities and optimize their portfolios for maximum growth.
- The opposite of stochastic modeling is deterministic modeling, which provides exact results every time for a particular set of inputs to the model.
In cybersecurity, stochastic modeling can provide a detailed representation of risk, surfaced as the probability of an attack and the cost of a breach. It is a great basis for project planning and “what if” scenarios, and it brings cybersecurity risk management back in line with the established enterprise risk management practices already used for other kinds of business risk. This helps move executive and board opinions away from “perceived” cybersecurity risk by quantifying it more precisely.
[Figure: cybermetrIQs leverages Stochastic Modeling for Breach Probability and Cost]
5 Top Risk Impact Initiatives – Derived From Stochastic Modeling
So, I thought it would be helpful to run some scenarios through cybermetrIQs and provide some insight into the programs and projects that have the greatest impact on breach probability and/or breach cost. Note: we derive the statistics for the modeling from public breach reports, cyber-crime databases, government and private statistical sources, and our own technical data. A control can affect probability, cost, or both.
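To make the probability/cost split concrete, here is a small Monte Carlo model of annual breach loss, added as an illustration and not taken from cybermetrIQs or the original post: each simulated year draws whether a material breach occurs and, if so, a heavy-tailed (log-normal) cost. Controls are modeled as scaling factors on probability, cost, or both, and ranked by the reduction in expected annual loss; the baseline figures and the control factors are constructed assumptions, not the dashboard's statistics.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    breach_probability: float  # annual probability of a material breach (constructed)
    median_cost: float         # median cost of one breach, USD (constructed)
    cost_sigma: float          # log-normal spread: breach costs are heavy-tailed

def simulate_annual_loss(s: Scenario, trials: int = 20000, seed: int = 7) -> dict:
    """Sample one year `trials` times: Bernoulli breach draw, then log-normal cost."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        hit = rng.random() < s.breach_probability
        losses.append(rng.lognormvariate(math.log(s.median_cost), s.cost_sigma) if hit else 0.0)
    losses.sort()
    return {
        "mean": sum(losses) / trials,                   # expected annual loss
        "p95": losses[int(0.95 * trials) - 1],          # loss in a 1-in-20 bad year
        "breach_rate": sum(1 for x in losses if x > 0) / trials,
    }

def apply_control(base: Scenario, name: str, prob_factor: float = 1.0,
                  cost_factor: float = 1.0) -> Scenario:
    """A control scales breach probability, cost, or both (factors are assumptions)."""
    return Scenario(name, base.breach_probability * prob_factor,
                    base.median_cost * cost_factor, base.cost_sigma)

def rank_controls(base: Scenario, controls: list) -> list:
    """Rank controls by reduction in expected annual loss relative to the baseline."""
    base_mean = simulate_annual_loss(base)["mean"]
    rows = [(c.name, r["mean"], r["p95"], 1 - r["mean"] / base_mean)
            for c in controls for r in [simulate_annual_loss(c)]]
    return sorted(rows, key=lambda row: row[3], reverse=True)

# Constructed baseline and illustrative control factors, not cybermetrIQs figures.
BASELINE = Scenario("baseline", 0.30, 1.2e6, 0.9)
CONTROLS = [
    apply_control(BASELINE, "layered training (probability)", prob_factor=0.6),
    apply_control(BASELINE, "board training (cost)", cost_factor=0.85),
    apply_control(BASELINE, "IRP maturity (probability+cost)", 0.8, 0.7),
]

if __name__ == "__main__":
    for name, mean, p95, cut in rank_controls(BASELINE, CONTROLS):
        print(f"{name:34s} E[loss]=${mean:>11,.0f}  P95=${p95:>11,.0f}  cut={cut:5.1%}")
```

Because the cost distribution is heavy-tailed, compare the P95 column as well as the mean: a control that only trims cost can leave a bad year almost as bad while a control that cuts probability lowers both.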
So here are the top 5 high impact risk reduction projects in accordance with our cybermetrIQs Dashboard:
- A Layered/Continuous Training Program (Probability) – Deploying a robust, layered, quarterly cybersecurity training program can have one of the biggest impacts on overall risk reduction, both in breach probability and in breach cost. Legacy security awareness content is no longer helpful, and content-only programs are almost useless in today’s complex attack environment.
- Board/Management Level Training and Involvement (Cost) – In breach scenarios, speed is life, and the faster decisions are made, breaches are isolated, and response plans are initiated, the lower the cost of the total breach.
- Incident Response Plan Maturity Level Advancement (Probability+Cost) – From a framework/maturity level perspective, IRPs can have a massive impact on risk. Speed is essential to containing risk, and response processes and procedures that are executed quickly and maintained and updated over time ensure a rapid response to detected cybersecurity incidents.
- Cyber Hygiene Maturity Level Advancement (Probability+Cost) – Advanced cyber hygiene programs reduce risk on both dimensions and are a key area of focus in protecting both IT and OT networks.
- Business Continuity Plan (Probability+Cost) – A mature plan in which the organization’s mission, objectives, stakeholders, and activities are understood and prioritized, with that information leveraged for broad-reaching risk reduction.
These are all based on a standard cybermetrIQs risk profile for a 10,000-person financial services organization in the US. Want to run through some scenarios with our cybermetrIQs tool? Read more here: Cyber Risk Dashboard and Calculator.