The need for governments to adopt a risk-based approach to cybersecurity has never been more important
The SolarWinds hack of the software supply chain, as well as the recent ransomware attack against Colonial Pipeline, showed just how easy it is to be targeted by cyber criminals.
The speed and sophistication of nation-state attacks — assisted by a continually expanding attack surface — make our ability to prioritise and quantify cyber risk accurately an urgent priority.
In recent years, the United States Cybersecurity and Infrastructure Security Agency (CISA) announced its Systemic Cyber Risk Reduction Venture to develop actionable metrics and quantify cybersecurity risk across the US’s critical infrastructure. Not long after, the UK’s National Cyber Security Centre (NCSC) provided advice to security teams and IT companies – using tools such as the Cyber Information Sharing Programme (CiSP) – to share technical information to assess an organisation’s risk, and the actions that should be taken if they had been attacked.
The Systemic Cyber Risk Reduction approach
“No longer can cybersecurity conversations be purely focused on IT controls, such as network defence,” said Bob Kolasky, CISA Assistant Director for the National Risk Management Center in the US. “These technical capabilities must be coupled with robust risk-management practices – knowing your major risks, understanding the size of your attack surface, assessing the criticality of your digital infrastructure and then using this awareness to harden systems and add resilience in a targeted and prioritised manner.”
The Systemic Cyber Risk Reduction Venture takes a three-pronged approach to evaluate cyber risk at a national level: building the underlying architecture for cyber risk analysis to critical infrastructure, developing cyber risk metrics, and promoting tools to address concentrated sources of cyber risk.
This new process of risk reduction utilises the so-called Rosetta Stone approach, which translates the technical nature of security into the language of the business or agency. By quantifying cyber risk, CISOs will have the ability to translate cybersecurity into a language that non-technical agency leaders can understand and support from a policy, budgetary, and procedure perspective. Like many businesses, most government agencies don’t know what their exposure is to any given cyber event, including what the potential impacts are in terms of operational disruptions, response costs, and secondary loss. This typically results in a lack of focus on the risks that matter most to the organisation.
It’s time to introduce automated cyber risk quantification
Developing cyber risk metrics offers a starting point for private sector companies that want to raise cyber risk to their boards of directors and improve decision making. Automating this process and supporting it with real-time cyber threat intelligence takes the guesswork, and years of human error, out of the cyber risk quantification equation. Additionally, by connecting monetary value to risk, you can demonstrate to stakeholders what risks matter most and what level of investment is necessary to meet the organisation’s risk tolerance. You will also be able to identify whether your organisation has the right controls in place if an attack were to be successful. Organisations are then able to estimate the potential financial loss of an attack and act accordingly.
Now is the time to introduce automated cyber risk quantification supported by real-time cyber threat intelligence. Government agencies must move quickly to understand their cyber risks and prioritise reducing them, so that applications, functions, data and critical agency systems are fully protected. The UK must now take note and further develop its policies for improving government and critical infrastructure cybersecurity, along the lines of the Systemic Cyber Risk Reduction Venture.
About the Author

Adam Vincent is Co-Founder and CEO at ThreatConnect. ThreatConnect provides a suite of risk quantification, threat intelligence, orchestration and automation capabilities for security executives and the threat intelligence, security operations and incident response teams that work for them to share a single source of truth.
