Real-time is where the cybersecurity risk is

I don’t know how many times I’ve heard cybersecurity professionals say something like, “Not having multi-factor authentication is a huge risk for our organization.” The truth is, that type of statement may illustrate a control weakness, but unless the unwanted outcome is a ding in an audit report where MFA is required, that is not the real risk. The real risk is the probability of a ransomware incident, for example, or the leak of personally identifiable information (PII) from a customer database.

For enterprises, risk lay in the potential losses associated with unwanted outcomes incurred through their computing environments. (The cybersecurity piece of this typically focuses on incidents where these outcomes were caused by an intelligent adversary.) A simple way to think about unwanted outcomes is to consider the ways we might fail to meet one or more of our control objectives – confidentiality, integrity, availability, or other objectives – and experience one of the aforementioned incidents, among others.

Once risk is understood, it becomes easier to see that much of what we do in cybersecurity revolves around addressing control weaknesses that essentially act as risk placeholders. We feel like there is no real way to determine risks and assess their likelihood and so therefore rely on best practices and control frameworks to fill in the gaps. So, while most of us perform our duties in service to risk management activities, there is almost never any proof that fixing control weaknesses would ever lead to a true reduction in unwanted outcomes that lead to loss events.

Cybersecurity risk lives in real time

I believe there is one big reason why this is true: We don’t internalize the fact that the risk we aim to manage “lives” within the real-time activities happening throughout our IT environments. That is, the risk exists within the millions, billions, trillions, quadrillions of transactions and messages and sessions and other structured elements. While we can’t definitively measure risk because at its core risk is a prediction about future outcomes, we can at least make those risk predictions and then test their accuracy after the fact by measuring the pertinent activities. Then we can use that data to inform our future risk predictions and their follow-on decisions.

So, when Cisco says, “Spam accounts for nearly two-thirds (65%) of total email volume, and our research suggests that global spam volume is growing due to large and thriving spam-sending botnets. According to Cisco threat researchers, about 8% to 10% of the global spam observed in 2016 could be classified as malicious. In addition, the percentage of spam with malicious email attachments is increasing, and adversaries appear to be experimenting with a wide range of file types to help their campaigns succeed” as it did in its  2017 Annual Cybersecurity Report, you can derive the probability part of risk of getting a malicious email message as about 6%.

Some of my astute colleagues may point out that risk must also include a magnitude element expressed in financial losses. While that is ultimately my goal as well, I don’t consider it a necessary condition as long as one can intuit the losses associated with receiving a malicious email message. This allows us to circle back around not to control weakness, but to its strength, depending on how many of those messages a solution can stop before an incident occurs.

With so much of our cybersecurity activity revolving around people and process, it is easy to become distracted or deceived into thinking incorrectly. It is crucial to understand that amidst the massive amounts of activities occurring in our IT environments, real-time is where the risk is.