
Cyber Security Budgets, Risks and Rewards!

By Stormsec

Every organisation knows that its Cyber Security budget is not unlimited, but how do you invest it wisely so you get the best blend of detection and prevention, the blend that actually improves your cyber security posture?


A starting point for your investment decision is your organisation's risk profile. What do we mean by risk profile? In short: what are your most valuable assets? This could be the e-commerce platform that drives revenue into your business, or it could be the intellectual property stored on your servers.


Risk is the probability of an event combined with its consequence: Risk = Likelihood x Impact.


So, for example, your e-commerce site is publicly available; the likelihood of an attack is high because it is open to the world. The impact of your site being down or compromised could be lost revenue, brand damage and maybe unwillingly infecting your own user base, so the impact is also high.


Likelihood Scoring below:

High (Score of 1): Weak/substandard controls or mitigation; threat actors are targeting the organisation (motivated attack).

Medium (Score of 0.5): Adequate controls in place; attackers are motivated, however mitigation is in place and may limit attack success.

Low (Score of 0.1): Next-generation tooling in place, capable of detecting and preventing sophisticated attacks; chances of successful compromise are low.

Impact Scoring below:

High (Score of 100): A successful attack could lead to loss of assets/data/services, brand damage, customer loss, impact on the supply chain and financial loss.

Medium (Score of 50): A successful attack could lead to partial loss of data, disruption to services, impact on the brand, fewer new customers, effects on some suppliers or third parties and some financial loss.

Low (Score of 10): A successful attack could lead to low loss of data and minimal impact on brand, customer base, services or third parties. Minimal financial loss.

Based on the e-commerce example above, we can now run our calculation for a successful attack.


Likelihood of attack, High (1) x Impact to the business, High (100) = 1 x 100 = 100


From the above you can clearly see that something needs to be done to lower the risk. One example would be to introduce vulnerability scanning of your website so you know its weaknesses. Doing this allows you to implement patches, reduce the vulnerabilities and therefore reduce the risk.


Likelihood of attack, Medium (0.5) x Impact to the business, High (100) = 0.5 x 100 = 50


By implementing a vulnerability management program around the web application we have lowered our risk by 50% and invested our Cyber Security budget well. With the remainder of the budget we introduce a WAF (Web Application Firewall) to block attacks, as a mitigation for the periods when there is a known vulnerability in the website. Having added this, we run our calculation again.


Likelihood of attack, Low (0.1) x Impact to the business, High (100) = 0.1 x 100 = 10


Brilliant! We have reduced the overall risk to our key business asset by investing our security budget wisely. Note that the impact to the business never changes; the controls we have implemented have reduced the likelihood of a successful attack.
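The scoring method above, as an added example that is not from the original post: it applies the post's likelihood and impact scales to a small constructed risk register (the asset names other than the e-commerce site are hypothetical), reproduces the 100 -> 50 -> 10 sequence as controls are layered on the e-commerce site, and ranks the register so the highest-risk asset, where the budget should go first, is at the top.

```python
from dataclasses import dataclass

# Likelihood and impact scales exactly as the post defines them.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class Asset:
    name: str
    likelihood: str  # "High", "Medium" or "Low"
    impact: str      # "High", "Medium" or "Low"


def risk_score(asset: Asset) -> float:
    """Risk = Likelihood x Impact, using the post's scoring tables."""
    return LIKELIHOOD[asset.likelihood] * IMPACT[asset.impact]


def apply_control(asset: Asset) -> Asset:
    """A control lowers likelihood by one band (High -> Medium -> Low).
    Business impact of a compromise is unchanged by controls, as in the post."""
    step = {"High": "Medium", "Medium": "Low", "Low": "Low"}
    return Asset(asset.name, step[asset.likelihood], asset.impact)


def reduction_pct(before: float, after: float) -> float:
    """Percentage drop in risk score after a control is added."""
    return round((before - after) / before * 100, 1) if before else 0.0


def prioritise(register: list) -> list:
    """Rank assets by risk score, highest first: that is where the spend goes."""
    return sorted(((a.name, risk_score(a)) for a in register), key=lambda r: -r[1])


# Constructed sample register (hypothetical assets, not taken from the post).
REGISTER = [
    Asset("e-commerce site", "High", "High"),
    Asset("IP file server", "Medium", "High"),
    Asset("internal wiki", "Medium", "Low"),
]

if __name__ == "__main__":
    site = REGISTER[0]
    for control in ("vulnerability scanning", "WAF"):
        before, site = risk_score(site), apply_control(site)
        after = risk_score(site)
        print(f"{control}: {before} -> {after} ({reduction_pct(before, after)}% lower)")
    print(prioritise(REGISTER))
```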


Many providers would like to see you buy MDR services or capabilities you don't really need. If you complete your risk assessment, your scoring will give you a clear indication of where you already have sufficient controls in place and where you are at your most vulnerable.


Don't forget, this is not designed to say you are "safe" in other areas. This is about investing your budget in the areas that leave you most vulnerable, and are therefore the most probable to see a successful attack or breach. Using this method will give you some justification for your chosen area of improvement, based on your own knowledge of your network, applications or services!


