Revolutionizing cyber-risk assessments

Cyber risk assessments have existed for a very long time, but businesses continue to suffer from various types of attacks, including phishing and ransomware. It is time to step back and look at what causes this and what needs to be done differently. One of the critical aspects we realised in our analysis is that business risk assessments are performed merely for compliance purposes, while technical risks are handled independently on a need basis.

This, in our opinion, is also the primary reason for businesses' inability to comprehend the CISO's constant demand for upgrading technical protection while being exposed to newer threats. The super-technical and very capable security teams are unable to provide sufficient justification in business parlance, which the business can make sense of and approve budgets for. This rift grows wider as the types of attacks get more technical.

"Companies spend millions of dollars on firewalls, encryption, and secure access devices, and it's money wasted; none of these measures address the weakest link in the security chain."
- Kevin Mitnick

Our aim and focus, based on a ton of background research, is that businesses need to understand risks in their own parlance, which will automatically enable approvals. When the risks are translated into financial, business/operational or legal risks, the impact becomes much clearer and more obvious. For instance, most businesses now would not hesitate to upgrade to an appropriate backup solution, having seen the kind of financial and business damage ransomware attacks can cause.

Enough said about the problem; let's talk about the solution. Financial and business-operational cyber risks are introduced by obvious metrics like the number of employees or the percentage of contractors or remote workers. This is the primary risk, and HOW it needs to be tackled is the technical part, which might range from simple VPN/tunneling solutions all the way to ZTNA/SASE solutions. Hope you are able to see what we are getting at.

We are breaking the risks into Financial, Business, Legal/Compliance and Technical buckets. This gives top management as well as individual business heads sufficient clarity on what is at stake for them, and therefore supports the demand for protecting against these risks. The business starts asking how to solve those risks and the technical folks provide multiple solutions. The one that balances the business value being protected against the cost of protection is chosen, not the other way around.