In a previous blog, I defined what is meant by a security or cybersecurity posture. Now I’d like to suggest why you need to measure it.
Cyber attacks and data breaches are daily occurrences and the consequences for a company that falls victim can be significant and include:
- Brand damage and reputation loss
- Customer desertion
- Cost of remediation
- Fines and other penalties from regulators
Traditionally, the focus has been on chasing threats and vulnerabilities as they occur, using methodologies such as penetration testing and vulnerability assessments. For those focused on identification of real-time threats, this is a necessary approach, but it tells you little about the overall risk to which your organisation is exposed. Stakeholders in your business will increasingly want to know how at risk you are:
- Customers will request information about your cybersecurity posture when you tender for work.
- Shareholders will want to know how safe their investment in your stock is.
- Vendors and partners will want to know the risk you pose to their cybersecurity posture, due to the business you conduct together.
- Insurers want to know how risky it is to insure the business and how to set premiums for cyber breach insurance.
The value of measuring cybersecurity posture extends beyond understanding just your own posture —just as others need to understand your cybersecurity posture, so too do you need to understand theirs. Here are just three examples of where it is necessary to understand the cybersecurity posture of your business partners:
- Vendor risk management – understanding your suppliers’ (and their suppliers’) cyber risk. As my colleague Doug Clare wrote in his blog, connectivity creates aggregate risk. You inherit risk from your suppliers, particularly those that have access to your systems or data, or from which you ingest data. Furthermore, the ability to measure the cybersecurity posture of your supply chain allows an organization to very cost-effectively scale their vendor risk management coverage, freeing up their limited resources to focus on their most risky vendors. We’ll discuss this specific aspect more in an upcoming blog post.
- Mergers and acquisitions. We have already seen cases of large organizations becoming victims of a breach through a business they have acquired, for example, PayPal became a victim after they acquired TIO Networks. An understanding of cybersecurity posture should be part of the due diligence for any merger or acquisition.
- Credit risk. When businesses extend credit to another organization, a credit risk assessment is standard practice. If one of your customers suffers a data breach it could immediately and seriously affect their ability to pay. An understanding of cybersecurity risk should form part of a credit risk assessment.