2021 saw a record number of reported vulnerabilities and mounting security debt. We've migrated to the cloud, implemented new technologies, and are working more remotely than ever. Not to mention the year’s vicious parting gift - the critical zero-day Log4j vulnerabilities.
The pace and scale of the tech we adopt mean that attack surfaces have grown rapidly. And more concerning is that it’s not only the number of vulnerabilities that has increased, but the severity too. The bottom line is that cyber risk has fast evolved into a concern that can no longer be ignored.
In cyber security, as in life, the turn of the year gives us an opportunity to consider what we've done well, what we can do better, and what simply must change.
Cyber risk is business risk
I've often talked about cyber risk as being the elephant in the room. But even when it’s discussed, it’s not discussed in the right context, leaving much to be desired when it comes to getting people on the same page.
The cyber risk management process spreads across multiple teams and stakeholders - all with different priorities and levels of understanding. There are plenty of cooks in the kitchen, but half of them don't like cooking, and the other half don't know how. So the conversation is doomed to fail before it even begins.
Organizations are not ready to tackle cyber risk. And that's a huge deal. Because the thing about cyber risk is that it's actually business risk, a commercial and organizational issue - that affects everyone - disguised as a technical one.
The problem is deep-rooted and begins within the cyber security teams themselves. Daily, they use siloed technical tools that deliver mountains of duplicate, muddy vulnerability data. And as new attack surfaces emerge (SaaS, public clouds, IoT, IaC, etc.), the arsenal of scanners and other tools grows to keep up. So all too often, the critical next steps of asset management, risk prioritization and risk mitigation are shots in the dark.
The data that is processed and viewed as significant comes in terms that only the security teams can make sense of. The tools they have might help them understand their risk, but they certainly don't help them communicate it.
And this is where cyber security professionals begin to falter. Armed with good intentions and limited resources, they must take their findings and communicate them to the other teams who need to be involved in mitigating risk. But that data needs to be translated from a technical/security language into a business risk language.
It's a near-impossible job. And it's here that we see how far behind cyber security is when compared to other areas of the organization.
Security deserves more
We look at those in other markets. They all have enormous software companies helping them operate effectively. IT teams use ServiceNow. Salespeople turn to Salesforce every day. HR professionals swear by Workday.
All these tools are focused on managing business processes associated with their day-to-day jobs. They are the operating systems of IT, sales, HR.
And cyber security? There's no equivalent. Ask a cyber security pro what they use to get their work done and the answer comes back: different tools for different attack surfaces, emails, Excel sheets… The list goes on and on.
This is what we mean when we say security deserves more. Our market deserves its Salesforce. We must have a tool that turns vulnerability findings - for all attack surfaces - into actionable business risk data, and helps us with what to do and say next. Our organizations depend on it.
Cyber risk is not discussed well. From the board level all the way down to individuals in different teams, not enough are equipped or inclined to own risk.
2022 and beyond
As we close out the year, we must take a step back, take stock, and plan ahead. We must empower all those involved in cyber risk management to take risk seriously. Organizations must be proactive and lead from the front.
Attack surfaces are expanding. Threats are rising. Cyber risk is growing. And at Vulcan Cyber, we’re making sure we continue to grow, too. We work around the clock to empower our customers to fully own their risk. That’s why we’re building the first cyber risk management platform to focus on all types of vulnerabilities, across all attack surfaces. In other words, the operating system that cyber security professionals deserve and need.
I am sure that, as attitudes towards cyber risk change, behaviour will also change, leaving organizations more secure and in much better shape for the years to come.