Tag Archive for: Digital Resilience

The Only Cybersecurity Metric That Matters for Digital Resilience

While the focus on cybersecurity has never been higher, the cybersecurity community – a combined team of solution providers, CISOs, boards and others – hasn’t been able to stop most attacks from being successful.

Why?

We have focused too much of our efforts on network perimeters, working to detect and prevent cyber attacks. We haven’t done enough to build resilience INSIDE the network, the part of the equation we can control and quantify with a security metric.

Organizations need to build resilience into their infrastructures and adopt an end-to-end digital resilience strategy to survive and thrive.

How big is the problem? There are 1400+ vendors focused on cybersecurity. Nearly $100B was spent on information security just in 2016. Yet billions of records have been compromised.

The reason is we have not addressed fundamental issues inside the network. Companies need to build resilience into their infrastructure and adopt a corporate-wide digital resilience strategy with a corporate-wide security metric.

A few years back, RedSeal gathered 800 surveys during the RSA Conference. We learned that:

  • Practitioners are drowning in data
  • They can’t measure the performance or impact of their security efforts
  • Current solutions can’t turn data into action
  • They need useful cybersecurity metrics

The problem with measuring security is that security is the absence of something. You can’t report how often you were NOT on the cover of the Washington Post. Many people start by counting what they are doing. But this measures busy-ness, not business. How can you show actual improvements in cybersecurity?

The Shifting Terrain and Digital Resilience

According to the 2016 TechCrunch CIO Report, 82% of global IT leaders report significant labor shortages in cybersecurity. This, combined with issues such as software-defined everything, digital transformation, hybrid datacenters, IoT, and shadow IT, means a big shift in thinking is required. We don’t have enough people to throw at the problem.

Digital resilience is a comprehensive strategy across all IT functions and business processes to minimize the impact of cyber attacks and network interruptions. It’s a different way of thinking. Being resilient means simultaneously striving to minimize each attack and being able to recover quickly from a strike. Resilient organizations have fewer, smaller incidents, understand and respond to them faster, and can rapidly return to normal operations afterwards.

It’s not enough to see the devices in your “as-built” infrastructure – you have to really understand how they are configured and automatically get a list of vulnerabilities.

And that list of vulnerabilities is a problem; there are too many to act on. Even knowing asset value and vulnerability severity isn’t enough to fully understand the risk. You need to understand if they can be accessed. A high value asset with a vulnerability that is segmented behind a firewall is not as big a risk as one that is slightly lower in value, but has an open path to the internet.

RedSeal’s Digital Resilience Score

Resilient organizations must focus on three main areas—being hard to hit, being ready for an attack when it comes, and being able to recover quickly.

RedSeal helps these organizations identify defensive gaps, run continuous penetration tests to measure readiness, and map their entire network infrastructure.

From these capabilities, RedSeal calculates one unified number, so managers, boards of directors and executive management have the understandable and actionable cybersecurity metric they need to drive towards digital resilience.

RedSeal’s Digital Resilience Score focuses on three essential questions:

  • Do you have defects that are easy to hit? RedSeal evaluates how weaknesses from incorrectly configured devices and third-party software could impact you.
  • Can an attacker reach your valuable assets? RedSeal evaluates how well your network is structured, identifying attack pathways and chains of vulnerability that reduce your ability to withstand and recover from attack.
  • Is your network understanding complete? By identifying previously unknown parts of your network, RedSeal evaluates how well you know what your digital infrastructure looks like. With a complete picture, you can be sure you’re managing all assets on your network. During an attack, you’ll be able to understand where an attacker can reach. And, you’ll be able to recover much more quickly.

Instead of getting stuck in an ineffective focus on measuring activity, resilient organizations use RedSeal’s Digital Resilience Score (DRS). This cybersecurity metric works like a creditworthiness score, deducting points for defensive gaps, weaknesses revealed by attack simulations, and blind spots in your network awareness. A higher score means there is a higher likelihood that your business can withstand an incident and keep running.

It’s the cybersecurity metric that matters for digital resilience.

How to solve the human challenges of cybersecurity

TechRepublic | June 27, 2018

With Ray Rothrock, RedSeal CEO

To respond to cyberattacks, companies must invest in training and education, says RedSeal CEO Ray Rothrock in a talk with TechRepublic Senior Writer Dan Patterson.

Why agencies are shifting from cyberdefense to digital resilience

FedScoop | June 26, 2018

RedSeal CEO Ray Rothrock said that achieving digital resilience begins when you know about your networks — “where they connect, how they connect, to whom they give access, and what they expose.”

According to Rothrock, there are specific steps agencies should take to improve resilience:

Podcast: How to get ready for a cyber threat

Onward Nation Podcast | May 2018

With Ray Rothrock, Chief Executive Officer

Business owners share the most influential lessons learned throughout their careers, including insights into their daily habits, their most vital priorities that have contributed to their business and personal success, and the most challenging time or situation that could have devastated or even ruined their businesses or careers.

In this episode, RedSeal CEO and “Digital Resilience: Is Your Company Ready for the Next Cyber Threat?” author Ray Rothrock discusses:

  • Why you can’t predict where the next cyber threat will come from
  • How to get ready for a cyber threat
  • The importance of being prepared to respond to cyber threats with the right people, systems, strategy and processes
  • How RedSeal helps businesses prepare for any potential cyber attack

Building Digital Resilience: Planning For and Recovering From the Next Cyber Attack

KQED WorldAffairs | May 21, 2018

With Ray Rothrock, Chief Executive Officer

Cybercrime and cyberwarfare are both on the rise. From businesses large and small to national governments, the question is not if they will experience a cyberattack, but when, how much damage will be done and how long the recovery process will be. In this week’s episode, we discuss the cybersecurity landscape and how businesses and governments can most effectively work together to mitigate risks.

Joining World Affairs CEO Jane Wales are digital security experts Ray Rothrock, CEO of RedSeal and author of “Digital Resilience,” and Richard Clarke, former U.S. National Coordinator for Security, Infrastructure Protection, and Counterterrorism and most recently, author of “Warnings: Finding Cassandras to Stop Catastrophes.”

Is Your Company Ready for the Next Cyber Threat?

Skip Pritchard | May 17, 2018

With Ray Rothrock, Chief Executive Officer

Security incidents are up 66% year-over-year since 2009. Despite this alarming statistic, 80% of CEOs report that they are confident in their company’s cybersecurity. Cybercrime is on the rise. Are you prepared? 

Cybersecurity expert Ray A. Rothrock shares the tactics used by hackers and then arms management with the tools to prevent these hacks in his new book Digital Resilience: Is Your Company Ready for the Next Cyber Threat?

Digital Resilience: Is Your Company Ready for the Next Cyber Threat?

Entrepreneur Effect | May 14, 2018

With Ray Rothrock, Chief Executive Officer

Cybercrime is an epidemic, and every business is at risk. For management, the question is not if you will be compromised, but when. 80% of CEOs are very confident in their company’s cybersecurity strategies, despite the fact that security incidents have surged 66% year-over-year since 2009 (PricewaterhouseCoopers). In fact, few are prepared, explains cybersecurity expert Ray A. Rothrock, who demystifies cyber risk and clearly outlines strategies for both surviving attacks and thriving even while under assault.

Cyber Security and Defending Your Data – How to Promote Your Digital Resilience

Global Marketing Alliance | May 1, 2018 

By Ray Rothrock, Chief Executive Officer

It might be a grim necessity and a tiresome back-office expense, but tackling cyber security by creating digital resilience should be viewed not as a cost, but as an investment, says Ray Rothrock. Don’t build a wall as defence against cyber attackers, he says – that can prevent growth. Build an army to display how well your brand is continuing to invest in security and can thus be trusted. Here’s how:

Perfect Cybersecurity Makes No Business Sense

Forbes | September 21, 2017

By Dr. Mike Lloyd, RedSeal CTO

We’re going through a shift in thinking in cybersecurity. In the old days, we thought one solid line of defense was enough — keep the bad guys out and life would be good. Then we found out that bad guys are wily and would find different ways in. The result was security sprawl: so many technologies, so many ways to defend, but no way to do it all, no way to hire enough experts in all these different techniques.

RedSeal CEO Joins Cheddar TV’s “Closing Bell” to Talk Resilience, WannaCry

Cheddar | May 18, 2017

RedSeal CEO Ray Rothrock joined Cheddar TV’s “Closing Bell” show, where he spoke about resilience, WannaCry and more. Ray’s segment starts at the 1:04:05 mark of the video.

“Prevention has been the strategy of the last 25, 30 years in cybersecurity…You’ve got to have prevention but you need more than that now. Attacks are inside the network – not at the firewall anymore – they are inside. And being inside means you need to know what’s going on inside. You’ve got to know what the network looks like.”