Edgescan CEO/Founder Eoin Keary shares his blog on Risk
Risk is a widely used word in many walks of life, but do we understand what it means?
“Risk involves uncertainty about the effects/implications of an activity with respect to something that humans value (such as health, well-being, wealth, property or the environment), often focusing on negative, undesirable consequences.”
Cyber security talks about risk constantly: a high-risk vulnerability, or the risk of an event occurring.
So risk relates the probability that an event occurs to the negative outcome if it does. We usually frame this as likelihood and impact: the chance of something happening and the effect of it happening. As CISOs or cyber security professionals we try to address first the items with the highest risk, meaning the highest combination of likelihood and impact; we call this prioritization.
We need to prioritize because we can’t fix every issue, and not every vulnerability is created equal. We all have limited capacity, budget and resources, so we have to do the best we can with what we have.
We discover risks through design reviews, procedural reviews, technical system reviews and testing. Some of these activities happen up front; others recur, so that we keep pace with change both in the environments we control and in the environments we don’t.
Keeping pace with risk is hard; we simply don’t have the manpower or budget to focus deeply on every risk to the business. Again, we need to focus on the risks that are impactful or have a high chance of occurring.
Automation is good for scale and frequency (keeping pace): we can use it to detect vulnerabilities, but it is weak at determining actual risk, and on its own it is prone to false positives. Determining risk is contextual: it depends on the likelihood, on the impact to the systems in question and ultimately on the business impact.
Automation is not good at context. Risk is all about context. Without context we can’t determine priority. Without priority we can’t focus on what matters to the business.
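To make the likelihood-and-impact reasoning above concrete, here is an added example (not Edgescan code, and not part of the original post) of the kind of contextual re-rating a human analyst applies on top of scanner output. The assets, findings, the "public exploit" list and the scoring bands are all constructed for illustration: a scanner hands over a context-free severity per finding, the analyst layers on what the business knows about each asset (exposure, data sensitivity, criticality) and strikes out verified false positives, and the resulting order is what actually gets worked.

```python
from dataclasses import dataclass

# All assets, findings, exploit intel and scoring bands below are constructed
# sample data for this example. They are not Edgescan data or output.


@dataclass(frozen=True)
class AssetContext:
    """What the business knows about a host that a scanner does not."""
    internet_facing: bool
    handles_sensitive_data: bool
    business_critical: bool


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    scanner_severity: float  # 0.0-10.0, the context-free score a scanner reports
    asset: str
    validated: str  # "confirmed" or "false_positive", set by human review


@dataclass(frozen=True)
class RatedFinding:
    finding_id: str
    likelihood: int  # 1-5
    impact: int      # 1-5
    risk: int        # likelihood * impact, 1-25
    band: str


# Constructed asset inventory with business context.
ASSETS = {
    "payments-api": AssetContext(internet_facing=True, handles_sensitive_data=True, business_critical=True),
    "hr-portal": AssetContext(internet_facing=False, handles_sensitive_data=True, business_critical=False),
    "intranet-wiki": AssetContext(internet_facing=False, handles_sensitive_data=False, business_critical=False),
}

# Constructed scanner output, after a human has validated each finding.
FINDINGS = [
    Finding("F-1", "Outdated library with known RCE", 9.8, "intranet-wiki", "confirmed"),
    Finding("F-2", "Authentication bypass", 6.5, "payments-api", "confirmed"),
    Finding("F-3", "Reflected XSS", 7.5, "hr-portal", "confirmed"),
    Finding("F-4", "Verbose error messages", 5.3, "payments-api", "confirmed"),
    Finding("F-5", "SQL injection (scanner heuristic)", 9.0, "payments-api", "false_positive"),
]

# Hypothetical threat-intel feed: IDs of findings with a public exploit.
EXPLOIT_PUBLIC = {"F-2"}


def likelihood(f: Finding, ctx: AssetContext, exploit_public: set) -> int:
    """1-5: chance of exploitation, from technical severity, exposure and exploit availability."""
    score = 1
    if f.scanner_severity >= 4.0:
        score += 1
    if f.scanner_severity >= 7.0:
        score += 1
    if ctx.internet_facing:
        score += 1
    if f.finding_id in exploit_public:
        score += 1
    return min(score, 5)


def impact(ctx: AssetContext) -> int:
    """1-5: what the business loses if the asset is compromised."""
    score = 1
    if ctx.handles_sensitive_data:
        score += 2
    if ctx.business_critical:
        score += 2
    return score


def risk_band(risk: int) -> str:
    """Map a 1-25 risk score to a label (bands are an assumption of this example)."""
    if risk >= 16:
        return "Critical"
    if risk >= 10:
        return "High"
    if risk >= 5:
        return "Medium"
    return "Low"


def severity_order(findings) -> list:
    """What automation alone hands you: ranked by scanner score, false positives included."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.scanner_severity, reverse=True)]


def prioritise(findings, assets, exploit_public) -> list:
    """Contextual risk order: drop false positives, rate each confirmed finding, sort by risk."""
    rated = []
    for f in findings:
        if f.validated == "false_positive":
            continue
        ctx = assets[f.asset]
        lk = likelihood(f, ctx, exploit_public)
        im = impact(ctx)
        rated.append(RatedFinding(f.finding_id, lk, im, lk * im, risk_band(lk * im)))
    return sorted(rated, key=lambda r: r.risk, reverse=True)


if __name__ == "__main__":
    print("scanner order :", severity_order(FINDINGS))
    print("risk order    :")
    for r in prioritise(FINDINGS, ASSETS, EXPLOIT_PUBLIC):
        print(f"  {r.finding_id} L={r.likelihood} I={r.impact} risk={r.risk:2d} {r.band}")
```

Run stand-alone, the scanner's top finding (F-1, severity 9.8 on an isolated wiki) ends up last, while a medium-severity bypass on the internet-facing payments API with a public exploit goes to the top, and the scanner's 9.0 is gone entirely because a human confirmed it was a false positive. The weights and bands are deliberately simple; the point is that every input that moved the order (exposure, data sensitivity, criticality, exploit availability, validation) came from outside the scanner.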
In order to move the cybersecurity dial, improve resilience, and detect threats and weaknesses, I believe a combination of automation and human intelligence is required.
At Edgescan our mantra is “let’s automate like crazy, but never at the cost of accuracy”. Accuracy is the combination of a few things:
- No false positives
- Appropriate risk rating
- Depth of coverage
Combining these aspects results in RELIABLE VULNERABILITY INTELLIGENCE.