Topics In Demand
Notification
New

No notification found.

Need to measure cybersecurity risks
Need to measure cybersecurity risks

June 13, 2021

19

0

Every time there’s another massive cybersecurity breach, which like SolarWinds finds its roots in a security issue at a third party, policymakers and security experts ask, “Where do we go from here?” 

 

The private sector and they government haven’t figured out how agencies can best address risks posed by their vendors. The problem is especially acute for small- and mid-sized organizations. Individually engaging, evaluating and auditing every vendor, from custodial services to cloud providers, is cost prohibitive and unrealistic for the vast majority. 

 

One thing is clear: What we are doing is not working. Our check-the-box approach to third-party risk neither improves the security of suppliers nor effectively informs the recipients of software and services about its real risk. What’s worse, it’s still practically impossible to determine just how effective our efforts are.

 

Today, those of us in cybersecurity are just like medieval barbers doing our best not to kill our patients. We struggle to know if an organization was breached due to poor security or if it was doing everything right and was simply overpowered by a nation-state.

 

We must start creating clear incentives to measure risk and share information about attacks.

 

It is impossible to know if we are moving forward if we cannot measure outcomes. Without information, we cannot reward good behavior. Developing ways to measure and report risk via trusted, objective security key performance indicators will lead to better approaches to cybersecurity and ultimately lower risk systemically.

 

Government-provided incentives, such as procurement preferences, can drive real improvements, but public- and private-sector organizations need objective measurements to ensure progress and not just activity for the sake of activity. 

 

Of course, objective measurement and effective cybersecurity decision-making requires access to data about risk. Liability concerns about sharing data can hamper this effort. Cybersecurity is one field where catastrophic failure and damage are hidden and protected by non-disclosure agreements, drastically reducing our ability to learn from our mistakes and compile sufficient actuarial data to understand the true nature of the risks we all face.

 

Source: GCN


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


PremKumarit

© Copyright nasscom. All Rights Reserved.