Qualys' CEO encourages understanding of the 'Value at Risk' level.
If you don't know what you could lose in a cyber incident, versus how much you spend trying to protect it, then you cannot know your ‘value at risk’ (VAR) level.
Speaking at the EMEA Qualys Security Conference in London, CEO and President Sumedh Thakar said a company’s VAR is the potential loss it would suffer if it were offline for a number of days. “No one knows it exactly, but any investment in cybersecurity is to know what value at risk is, and most CISOs don't know,” he said.
Thakar said businesses have moved from attack surface management (ASM) to risk surface management (RSM), even though the attacks themselves have not changed, and that they need an approach that tells them “what really matters and what matters most.”
Anchor Yourself
He encouraged businesses to ‘anchor’ what they do and consider what would matter most if it was lost. He said this has led to more consideration of risk management: while a business will never have ‘zero risk’, it should know what the outcome and financial loss would be when an attack happens, how much is at risk, and what it needs to do to reduce that. “Risk management can figure out the most efficient way to reduce a major financial loss,” Thakar said.
One way to get ahead on VAR is to use that calculation when presenting to the board, he said, recommending it as a way to explain cybersecurity to executives: not doing it can “mean losing $50M a week.” While surface management tools don’t tell you “what your state of security is,” they can help.
“Make sure you’re not wasting the business’s time, as stealing time from the business could be when they could be creating, so it is upon us to repair critical stuff and move from millions of risky data points - and find more we’re not fixing - to indicators of exposure.”
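As an added illustration of the kind of calculation Thakar describes, the following example (written for this article, not code from Qualys or from the speaker) scores each exposure by a simple expected-loss model, VAR = daily loss while offline × expected outage days × annual probability of the event, and then ranks remediation by how much loss each fix avoids per unit of spend. The asset names, figures, `fix_cost` and `fix_effectiveness` fields are constructed assumptions for the sake of the example.

```python
"""Added example: ranking exposures by value at risk (VAR) and by loss
avoided per unit of remediation spend.

Illustrative code for this article, not a Qualys or OneAdvanced model.
Assumed model:  VAR(asset) = daily_loss * outage_days * annual_probability
All numbers below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str                   # a service with a known weakness
    daily_loss: float           # revenue or cost lost per day offline
    outage_days: float          # expected days to recover if it is hit
    annual_probability: float   # chance it is hit in a year (0..1)
    fix_cost: float             # assumed cost of remediation (patch, rebuild, ...)
    fix_effectiveness: float    # assumed fraction of VAR the fix removes (0..1)

    def value_at_risk(self) -> float:
        """Expected annual loss from this exposure (the 'what could we lose')."""
        return self.daily_loss * self.outage_days * self.annual_probability

    def loss_avoided(self) -> float:
        """Expected loss removed if the fix is applied."""
        return self.value_at_risk() * self.fix_effectiveness

    def avoided_per_unit_cost(self) -> float:
        """Loss avoided per unit spent; a zero-cost fix is infinitely efficient."""
        if self.fix_cost <= 0:
            return float("inf")
        return self.loss_avoided() / self.fix_cost


def rank_by_var(exposures):
    """'What matters most': the exposures with the largest expected loss first."""
    return sorted(exposures, key=lambda e: e.value_at_risk(), reverse=True)


def plan_within_budget(exposures, budget):
    """Greedy plan: fund the fixes that avoid the most loss per unit cost
    until the budget runs out. Returns (chosen, total_loss_avoided, spent)."""
    chosen, spent, avoided = [], 0.0, 0.0
    for e in sorted(exposures, key=lambda e: e.avoided_per_unit_cost(), reverse=True):
        if e.fix_cost <= budget - spent:
            chosen.append(e)
            spent += e.fix_cost
            avoided += e.loss_avoided()
    return chosen, avoided, spent


# Constructed sample data (not real figures).
SAMPLE = [
    Exposure("public web shop",  500_000, 3, 0.30,  40_000, 0.90),
    Exposure("internal wiki",      2_000, 5, 0.60,   5_000, 0.90),
    Exposure("plant controller", 1_200_000, 2, 0.05, 250_000, 0.80),
    Exposure("HR portal",         20_000, 4, 0.25,   8_000, 0.95),
]

if __name__ == "__main__":
    for e in rank_by_var(SAMPLE):
        print(f"{e.name:18s} VAR={e.value_at_risk():>12,.0f}  "
              f"avoided/cost={e.avoided_per_unit_cost():6.2f}")
    chosen, avoided, spent = plan_within_budget(SAMPLE, budget=60_000)
    print("fund:", [e.name for e in chosen], f"avoids {avoided:,.0f} for {spent:,.0f}")
```

With the sample data the plant controller ranks second by VAR but last by loss avoided per unit cost, so under a 60,000 budget the greedy plan funds the web shop, HR portal and wiki fixes and defers the expensive controller work. That is the distinction Baird draws later between "a CVE" and "the CVE that is the most risky to an organisation": the ranking is driven by business loss, not by the number of findings.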
Business Acumen
Speaking to SC UK, Paul Baird, director of cyber security operations and engineering, OneAdvanced, said financially-driven risk management is part of the business acumen. “I've done the techie side, for me now, it is about understanding the organisation,” he said.
“Years ago it would be ‘why can't I patch that box? Why can't I take that box down?’ Well, it's either connected to some loss-of-life service or production lines, and I started to get it years ago. For me, understanding an organisation and understanding how the business works really helped me deliver my cybersecurity services back into the organisation.”
Baird commented that the risk conversation is about the concept that everyone in the organisation talks cyber, and the security team is “always sitting on the sidelines by talking their own language, which for the most part was noisy, scary, acronym-led.”
“So why not talk about risk now, so everybody around the exec board can understand it from the CFO to the CTO to the CEO,” he said. “It is not just about a CVE, it is about a CVE that is the most risky to an organisation.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.