Over the last year, executives and board members from a variety of businesses have begun to ask more pointed questions about the threat posed by cyberattacks. They’re no longer satisfied with technical audits of their security controls, and they’re inquiring about the business effect of cyberattacks. How much of a cyber-threat do we face? Are we overspending or underspending? With the planned information security budget, how much risk can we reduce? Is it necessary to purchase cyber-insurance?
Cyber value-at-risk models’ objectives
As a result of these concerns, value-at-risk (VaR) models for information security have been developed. These models, which are also known as cyber VaR, provide a basis for quantifying information risk and bring discipline to the process. VaR models have two objectives:
- help risk and information security specialists articulate cyber risk in financial terms, a language that everyone understands; and
- enable business executives to make cost-effective decisions that balance protecting the organisation against running the business.
Organisations that use VaR models for cybersecurity can steer the risk conversation in more consistent, business-friendly terms. VaR models have also enabled them to shift away from judgements based on fear, uncertainty and doubt (FUD) and toward decisions based on financial data.
Cyber VaR’s beginnings and definition
Value-at-risk modelling is a statistical tool used in the financial services sector to assess the level of financial risk within a corporation or investment portfolio over a given time period. Three variables determine the value at risk:
- the size of the possible loss
- the likelihood of losing that much money
- the time horizon
Cyber VaR models apply the same idea: they use probabilities to estimate the likely losses from cyber attacks over a particular timeframe.
The adoption of cyber VaR models is being promoted by many of the world’s top firms and organisations, such as the World Economic Forum, and by standards groups such as The Open Group. FAIR has established itself as the most widely used VaR model for cybersecurity and operational risk, as well as the only international standard.
Cyber VaR’s perceived limits
Several perceived limitations have slowed the adoption of cyber VaR models:
There is not enough data.
The most serious argument is that there isn’t a large enough set of historical data on the frequency and magnitude of risk events to perform quantitative risk analyses.
On the event frequency front, many companies are discovering that combining calibrated estimation techniques with mathematical simulations such as Monte Carlo allows them to estimate event frequency as a probability distribution. The final shape of the distribution reflects the level of confidence in the data: spikier if confidence is high, flatter if confidence is low. In every case, these organisations report that the outcome of the analysis is far superior to relying on guesses or “sticking a wet finger in the air.”
On the loss magnitude front, the problem stems from firms’ (understandable) reluctance to share freely the data that could be used to build industry-specific loss tables. Organisations that use cyber VaR models rely on industry data and on the experience of vendors who sell cyber VaR solutions, such as RiskLens (disclaimer: the author is a RiskLens executive), to create loss tables that they can use in their risk assessments.
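The two paragraphs above describe the mechanics without showing them. The following is an added example, not code from the article or from RiskLens: a small FAIR-style Monte Carlo that turns a three-point estimate of loss event frequency and a three-point estimate of loss magnitude into an annual loss distribution and reads off annualised loss expectancy and value at risk. The triangular sampling, the Poisson event count and the scenario figures are all assumptions constructed for the example.

```python
"""Monte Carlo cyber value-at-risk (added example, FAIR-style).

Assumptions: frequency and magnitude are each given as (min, most likely,
max) and sampled from a triangular distribution; events per year follow a
Poisson process at the sampled rate. Narrow estimates give the 'spiky'
high-confidence distribution, wide ones the 'flat' low-confidence one."""
import math
import random
import statistics
from typing import List, Tuple

def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of loss events in one year at rate lam."""
    threshold = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1

def simulate_annual_losses(freq: Tuple[float, float, float],
                           loss: Tuple[float, float, float],
                           trials: int = 20_000, seed: int = 1) -> List[float]:
    """One simulated year per trial: sample a rate, draw the event count,
    then add a sampled loss magnitude for every event that year."""
    rng = random.Random(seed)
    lo_f, ml_f, hi_f = freq
    lo_l, ml_l, hi_l = loss
    years = []
    for _ in range(trials):
        rate = rng.triangular(lo_f, hi_f, ml_f)      # args: low, high, mode
        events = poisson(rng, rate)
        years.append(sum(rng.triangular(lo_l, hi_l, ml_l) for _ in range(events)))
    return years

def value_at_risk(samples: List[float], confidence: float) -> float:
    """Largest annual loss not exceeded in `confidence` share of simulated years."""
    ordered = sorted(samples)
    idx = min(len(ordered) - 1, max(0, math.ceil(confidence * len(ordered)) - 1))
    return ordered[idx]

def summarise(years: List[float]) -> dict:
    return {"ale": statistics.mean(years),            # annualised loss expectancy
            "var95": value_at_risk(years, 0.95),
            "var99": value_at_risk(years, 0.99),
            "stdev": statistics.pstdev(years)}

if __name__ == "__main__":
    # Constructed scenario: 0.5 to 4 events a year (most likely 2),
    # 10k to 500k per event (most likely 100k).
    for name, v in summarise(simulate_annual_losses((0.5, 2, 4), (10_000, 100_000, 500_000))).items():
        print(f"{name:>5}: {v:,.0f}")
```

Tightening the min/max bounds in either estimate narrows the resulting distribution, which is the "spikier" shape the text describes for high-confidence inputs.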
There is no standard definition of risk.
Another issue is that there are no common risk definitions inside corporations. Within the same organisation, how risk is defined can differ from person to person. Risk registers are fairly common, and they should ideally list an organisation’s top risks. The main issue is that many of the items on the list aren’t top risks, and some aren’t even risks. Instead, they should be labelled as control deficiencies, vulnerabilities, or threat communities.
Adopting risk models, such as FAIR, provides a thorough and uniform definition of risk in the form of a shared taxonomy or ontology, which adds a lot of value. This allows everyone in the organisation to use the same yardstick when comparing risk scenarios, allowing for more effective comparisons.
Only a small number of scenarios are supported.
Early uses of cyber VaR models ran single assessments in elaborate spreadsheets. Comparing risk scenarios was a time-consuming and resource-intensive process, and aggregating risk scenarios for enterprise-wide evaluations was impossible.
Next-generation cyber VaR platforms, such as RiskLens, have overcome these challenges by developing enterprise-grade apps that can assess a large number of risk scenarios simultaneously and in aggregate.
Information security practitioners are mapping out a path forward.
In response to recent pressure from corporate boards and executive management for better reporting and management of cyber risk, many businesses and risk experts are creating forums where they can learn about established cyber VaR practices and discuss use cases and real-life experiences.
Cybersecurity VARs and Systems Integrators Directory
Cybersecurity Ventures is working on a project to compile a searchable database of cybersecurity VARs and SIs in the United States and around the world.
The directory will profile each VAR’s and SI’s cybersecurity vendor certifications and reseller programme participation, as well as its technology sector, subject-matter expertise, location, and more.
A public version identifying all VARs and SIs will be available, as well as a private, password-protected version with additional information such as key contacts, phone numbers, and email addresses.
Cybersecurity: What VARs Need to Know
Hervé Tardy, president and head of Eaton’s Distributed Power Infrastructure, recently spoke with VAR Insights on all things cybersecurity, from how resellers came to recognise it to how they help clients defend against cyber threats.
Q: How can VARs educate their customers on how to incorporate Cybersecurity into their overall power management strategies?
Tardy: VARs should encourage their customers to consider how power management is changing as the Internet of Things (IoT) takes hold, i.e., the proliferation of linked devices both inside and outside the data centre. IT and operational processes, including backup power systems, are becoming increasingly integrated, which will help organisations across the board. IoT devices, on the other hand, often have a single IP address that allows them to communicate and exchange data with other systems, posing a frightening cybersecurity dilemma.
VARs gained the skills necessary to require an end-to-end strategy for cybersecurity for their customers as IoT solutions continue to make their way into IT infrastructures. Consider this example: by exploiting an unnoticed weakness in a major retailer’s HVAC system, hackers were able to gain access to POS terminals and steal 70 million customer accounts.
The threat of cyberattacks will only grow as networks continue to migrate off-site and away from a uniform, centralised IT framework. Server-gateway connections grow every day, increasing the number of devices linked to networks and, in turn, increasing the number of potential targets.
Q: What role does the Internet of Things play in the advancement of power management, and how can a VAR take advantage of it?
Tardy: New capabilities are available for enterprises to strategically leverage connectivity and data sciences to favourably impact their operations as a result of IoT innovation. Within the power management area, companies can now use network management cards to connect uninterruptible power supply (UPS) devices and reach intriguing new possibilities. These technologies help improve business continuity by providing administrators with warnings of pending issues and performing an orderly shutdown of servers and storage with higher speed and cybersecurity.
Predictive analytics is another area where great progress has been made in power management. As more data is collected from thousands of backup systems, predictive analytics services are regaining confidence in making judgments on their own. Because preventive maintenance is so important in power management, VARs can collaborate with their partners to change the reactive to proactive paradigm.
Predictive analytics services, as a monitoring and management tool, can help IT managers identify crucial component failures before they happen. When a neighbourhood has to be replaced, predictive analytics, Big Data, sensors, and algorithms are used to discover concerns proactively and notify IT, employees, and field technicians. These solutions enable firms to act fast and avoid costly emergency repairs and issues that might occur if something broke down by providing insights into existing power management components.
Q: What can VARs do to help their customers protect themselves from cyber-threats?
Tardy: VARs should aim to be proactive in tackling IoT and security issues and employ solutions with the most thorough cybersecurity diaries since the development of smart, connected devices is connecting more parts of routine operations. This means looking for electrical products and solutions for customers that make a point of emphasising cybersecurity as a significant difference, or even go so far as to offer feature-specific cybersecurity certifications (more on this below).
VARs can also provide their partners with advice to help them protect their network infrastructure. Experts advise using a firewall and encrypting data, as well as conducting routine security assessments, regularly updating antivirus software and antispyware, employing advanced email filtering, establishing robust password policies and endpoint protection, and providing employees with cybersecurity awareness training.
Q: What steps are often taken to make IoT-enabled devices secure against cyberthreats?
Tardy: UL 2900-1 is a standard for software cybersecurity for network-connected devices that was developed and published by the global safety science organisation UL in response to escalating cyber threats. The UL cybersecurity certification guarantees that the product has been thoroughly examined and tested against a recognised standard.
State legislatures are also enacting legislation to demand a higher degree of cybersecurity. California, for example, has approved legislation requiring IoT device makers to ensure the privacy and security of the state’s people. In addition, the International Electrotechnical Commission (IEC) has issued cybersecurity certifications to provide businesses with additional tools for a successful cybersecurity strategy.
As industry standards and government laws grow, this type of reputable independent testing will continue to be one of the most basic ways for VARs and their clients to confirm that their equipment makers have done their due diligence to avoid hazards.
Q: How critical is it for a VAR to improve their cybersecurity skills?
Tardy: It’s critical because new risks will continue to develop as connection grows. When it comes to Cybersecurity, devices like UPSs aren’t usually top of mind. Still, manufacturers are introducing more of this type of functionality as more IT professionals use connected capabilities like remote monitoring.
Eaton responded by introducing the Gigabit Network Card, the first UL 2900-1 and IEC 62443-4-2 approved UPS communication card. Additionally, Eaton’s continued Cybersecurity focus has helped ensure that all of our products, from UPSs to power distribution units (PDUs) and power management software, already meet California’s criteria.
As VARs expand their expertise and exhibit a continuous commitment to ensuring that their products meet the highest of standards, it will serve as a signal to customers that they are aware of the threats that exist on the internet and are committed to resolving them.
Q: How critical is it for a VAR to urge their customers to improve their cybersecurity skills?
Tardy: VARs are in a unique position to support and coach their customers, who must frequently adapt fast in order to keep up with an ever-changing IT world. Customers cannot afford the high costs and delays associated with crippling cyberattacks. They can avoid being left behind by being more knowledgeable about cybersecurity and implementing secure-by-design goods.
As cyber threats continue to grow, businesses will look to partner with VARs to demonstrate their commitment to cybersecurity. VARs will be in the greatest position to meet their clients’ current and future demands if they take a security-first strategy and maximise cybersecurity rigour from the ground up, ensuring solutions across their portfolio are optimised for cover.