
Guest Post: Solving the Security Risk Puzzle, State of the Union

This blog is the second in a three-part series on how to solve the security risk puzzle. Previously, we took a brief look at the history of the security risk gap, or as Gartner dubbed it, “above the line” and “below the line.” Historically, the industry has focused on the reactive side, namely Security Information and Event Management (SIEM), Security Incident Response (SIR), and Security Orchestration and Automation (SOA). In this blog, we shift the focus to the future of security risk management, namely the proactive side.

Definition of Risk

While a number of vendors across the marketspace claim to compute risk, very few do it successfully. Most calculations are complex—as they should be—but at the core, security risk is a function of three components: Threat x Vulnerability x Impact = Risk. The multiplication is a model rather than literal arithmetic: each factor scales the others, and if any one of them is zero (no credible threat, no exploitable weakness, or no meaningful impact) there is no risk to manage.

Threat: Anything that can exploit a vulnerability, intentionally or not, to obtain, damage, or destroy an asset (applications, databases, data, or other critical information). A threat may never materialize, but it has the potential to cause such harm.

Vulnerability: A weakness or gap in a security program that can be exploited by a threat to gain unauthorized access to an asset. A weakness is not limited to entries in Common Vulnerabilities and Exposures (CVE); it also encompasses misconfigurations and other gaps in protection capabilities.

Impact: The consequence or damage to an asset resulting from a threat successfully exploiting a vulnerability. Assessing it typically requires an understanding of the criticality and business value of the asset. If a dollar value is assigned, you can compute the loss exposure of the cyber risk.

The Risk Players

Throughout my career, I spent a large portion of time working in the risk space with a number of mature and emerging vendors. In doing so I have observed particular evolutions of the varying risk spaces that are critical to understanding our current market approach to solving the puzzle (examples of risk players shown below).

Governance, Risk Management, and Compliance (GRC)

GRC vendors have historically been responsible for solving the security risk management problem. However, time has revealed that many of these solutions are light on the Risk component. Investments to improve Risk were focused on broad, sweeping solutions designed to address the problems of operational risk. As a result, these solutions strengthened the alignment of compliance and risk, but lacked the depth of support needed to align security and risk.

Integrated Risk Management (IRM)

Due to the limitations in GRC, a new market—IRM—has emerged, shifting the core focus from compliance to risk. These solutions are open, flexible, and process-oriented. This market is booming, drawing customers ready for a change, and eating into the monstrous GRC market.

GRC vendors are not going to take this lying down, and you can expect them to enter this new market. IRM provides broader risk management capabilities, but early entrants concede it still does not reach the depth at which security and risk intersect.

Value at Risk (VaR)

This risk player measures the impact of risk quantitatively by leveraging data from security and the business. These solutions use Monte Carlo simulations and frameworks such as Factor Analysis of Information Risk (FAIR) to quantify cyber risk, typically in dollars. One common challenge is the amount of data and time needed to ensure the results reflect current risks, rather than relying on outdated or irrelevant information.

Vulnerability Management (VM)

This market category has been a core component of early regulations. Scanning for vulnerabilities is still critical, and it is evolving beyond device vulnerabilities to include device configuration and application vulnerabilities. That evolution is held back by the lack of business context in security and risk: it relies solely upon technical data.

Policy Compliance (PC)

Policy Compliance is an extension of VM. It addresses compliance and security with configuration and hardening standards. This marketspace is comprised of pure play vendors and a handful of VM vendors that have extended their offerings. The market challenges remain the same as for VM; they are focused on security data and neglect the solid business understanding needed to manage security risks.

Threat and Vulnerability Management (TVM)

The VM and PC markets have the depth needed for technical data. The lack of business context, however, triggered the emergence of a new market, TVM (part of the Security Operations, Analytics, and Reporting (SOAR) category discussed in my last blog). With the addition of asset criticality, business and technical data are correlated to address the impact portion of the risk equation. Because it integrates business and security intelligence, TVM has the most potential to solve the security risk puzzle. See below for a more detailed assessment of the risk players.
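As an added example (not code from the original post or from any vendor product), here is the correlation the TVM description above calls for, using the Threat x Vulnerability x Impact definitions from earlier in the post: scanner findings are joined to an asset inventory so that asset criticality supplies the impact term instead of CVSS alone driving the priority. The scanner export, inventory, finding IDs and weights are all constructed for illustration.

```python
"""Rank scanner findings by risk = threat x vulnerability x impact.

Added example, not code from the original post or any product. The
scanner export, asset inventory, finding IDs and weights are constructed.
"""
import csv
import io

# Constructed scanner export: one finding per row. CVSS is the technical
# severity; "exploit" is what a threat feed says about real-world use.
SCAN_CSV = """host,finding,cvss,exploit
db-prod-01,F-1001,6.5,public
web-prod-02,F-1002,9.8,none
lab-box-07,F-1003,9.8,public
hr-app-01,F-1004,7.5,weaponized
"""

# Constructed asset inventory (criticality 1-5). hr-app-01 is deliberately
# absent to exercise the unknown-asset case.
ASSET_CSV = """host,criticality,classification
db-prod-01,5,confidential
web-prod-02,4,internal
lab-box-07,1,public
"""

# Assumed threat weights for the exploit status; a real TVM feed would
# derive these from threat intelligence rather than a fixed table.
THREAT_WEIGHT = {"none": 0.2, "public": 0.6, "weaponized": 1.0}
DEFAULT_CRITICALITY = 3  # assumption for hosts the inventory does not know


def load_assets(text):
    """Index the inventory by hostname."""
    return {row["host"]: row for row in csv.DictReader(io.StringIO(text))}


def score_finding(finding, assets):
    """Combine technical data (CVSS, exploit status) with business data (criticality)."""
    asset = assets.get(finding["host"])
    unknown = asset is None
    criticality = DEFAULT_CRITICALITY if unknown else int(asset["criticality"])
    threat = THREAT_WEIGHT[finding["exploit"]]     # Threat
    vulnerability = float(finding["cvss"]) / 10.0  # Vulnerability
    impact = criticality / 5.0                     # Impact
    return {
        "host": finding["host"],
        "finding": finding["finding"],
        "risk": round(threat * vulnerability * impact, 3),
        "unknown_asset": unknown,
    }


def prioritize(scan_text, asset_text):
    """Return scored findings from highest to lowest risk."""
    assets = load_assets(asset_text)
    findings = csv.DictReader(io.StringIO(scan_text))
    return sorted((score_finding(f, assets) for f in findings),
                  key=lambda r: r["risk"], reverse=True)


def ranked_hosts(scan_text=SCAN_CSV, asset_text=ASSET_CSV):
    """Hostnames in priority order, for quick comparison with a CVSS-only sort."""
    return [r["host"] for r in prioritize(scan_text, asset_text)]


if __name__ == "__main__":
    for row in prioritize(SCAN_CSV, ASSET_CSV):
        flag = "  (host not in inventory)" if row["unknown_asset"] else ""
        print(f'{row["risk"]:.3f}  {row["host"]:<12} {row["finding"]}{flag}')
```

With these inputs the CVSS 6.5 finding on the confidential production database outranks the CVSS 9.8 finding with a public exploit on the lab box, which is the reordering asset criticality is meant to produce. A host the scanner sees but the inventory does not know is itself a finding: the example assigns a middle criticality and flags it, rather than silently dropping it or treating it as low value.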

Who is in a Position to Solve the Security Risk Puzzle?

To further this assessment, let’s map the components of the risk function to the marketplace vendors to observe intersections:

While these ratings are high-level, the following bullets clarify these evaluations:

  • The GRC and IRM vendors are not able to consume all the vulnerability data on a real time basis. They are not built for this type of scale and I do not expect them to fix it any time soon. While VaR vendors share in these scalability challenges, I give them a little more credit in the potential to address these issues more quickly.
  • The VM vendors have access to threat data, but only in the context of CVEs they support. As of now, asset criticality, a core component of the risk function, is not a significant feature of these solutions.
  • Unfortunately, PC vendors get a little less credit, as their focus is stuck on compliance as it relates to security. While other features may be more robust, a focus on misconfigurations is far from the context of risk.

Newer entrants into the market are much closer to solving the security risk puzzle than the older solutions. Gaps still remain, but we are progressing in the right direction. In the next and final blog, we will explore how market requirements must evolve from their current state to truly solve the security risk gap.