Why it's time for a reset of security metrics [Q&A]

Historically, security metrics have focused on measuring how many attacks are successful and how long it takes for a successful attack to be detected. This is perhaps unsurprising since the bulk of the industry has focused on building tools to detect adversaries.

We spoke to Nicko van Someren, chief technology officer at Absolute Security, to learn why companies focusing purely on defense can create more risk for their organizations, and why instead of focusing on 'time to detection,' it's time to reset security metrics to focus on 'time to recovery.'

According to van Someren, there is growing evidence that prioritizing cyber resilience is helping organizations minimize the impact of attacks, reduce downtime, and mitigate financial and reputational damage.

BN: How does focusing on detection and defense lead to greater risk?

NvS: There's nothing wrong with focusing on detection, unless you are doing it at the expense of response. Detection without response leaves you with breached systems. There has been a mindset in the past that spending time and effort worrying about recovery is defeatist, but in the current cybersecurity environment, we have to be willing to admit that, at some level, a breach is almost inevitable.

In light of that, planning how to speed up recovery is wise because the risk to your organization's overall ability to operate depends very much on how long you're down. If you detect that a device is breached and the machine is down and out of action for a week, that's a week of lost productivity for your employee, and a week of lost revenue. If the same device can be back online and in a safe state within an hour from when you detect the issue, maybe your employee just goes and gets lunch.

BN: So what other metrics should organizations be looking at?

NvS: We can't improve what we can't measure. As an industry, the ultimate metric that we should care about is how long it takes to get machines working again, and get your staff working again, after an incident. Since large-scale incidents are rare, and it is hard to get good metrics for rare events, second-order metrics are also necessary. Since a lot of this boils down to preparation, for second-order metrics organizations need to assess their tooling to ensure they can recover quickly, whether the disruption is due to a data breach, misconfiguration or other non-malicious occurrence.

BN: Why is time to recovery such an important factor?

NvS: Simply stated, time is money. It doesn't matter whether you are a law firm that bills by the hour or whether you are any other sort of business that relies on knowledge workers being able to do things with their IT; the fact is that downed systems cost you money. You only need to look at the recent 'blue screen of death' incident. We are still learning just how much that incident cost all sorts of industries, not just in the IT sector but everywhere. Downed systems lose you money. So, if we're trying to minimize the overall risk to our organization, we've got to be able to minimize the amount of time that we're down.

BN: How much impact will legislation like the recent EU Cyber Resilience Act have?

NvS: The EU CRA is part of a much larger set of initiatives that will be necessary to make organizations truly resilient. It is addressing part of the problem, which is trying to ensure that manufacturers are more transparent about the cybersecurity of their products and trying to give buyers more transparency about for how long they can expect to receive cybersecurity fixes to the products that they buy. This transparency will hopefully lead to better information being available to customers, and also better and more reliable information feeds for companies building tools that keep your products up to date and repair your products when they fail.

BN: What can we expect in security metrics in response to emerging threats like AI?

NvS: In terms of AI, the same metrics apply because the risk to your business is much the same even if the threat vector is different. That said, I'm an optimist, and I think that AI tools are going to be part of the solution for delivering resilience more than a new threat in themselves. Effective reaction to breaches, and to the release of information about vulnerabilities, requires a rapid response. Rapid response is hard to achieve with people alone, especially when organizations have tight budgets and limited staff. So, automation is key to achieving cybersecurity resilience, and sifting out the 'signal from the noise' requires a degree of intelligence. Sifting through those signals and providing your limited staff with actionable insights is something that AI can do now, and soon we expect to be able to automate much of the response process as well.

AI is going to enable us to do more automation in that space, and that is going to allow us to get faster response times and therefore deliver more cyber resilience to your organization.
