Cyber Risk Management Case Study


One of the World’s Largest Multi-National Companies Meets the Challenges of Cyber Risk Management through an Integrated Approach

Overview

The client is a multinational corporation headquartered in the United States with support and development centers located worldwide. It has 26,000 employees and revenues of close to $4B USD. The company specializes in software and services for communications, media and financial services providers and digital enterprises. Its offerings include business support systems (BSS), operational support systems (OSS), open network solutions, Internet of Things, big data analytics, and entertainment and media solutions. Considering the recent firings and financial impacts at Equifax, Target, Home Depot and other industry leaders, the customer wanted to understand the effectiveness of its cyber security strategy. To obtain this information it needed an approach that quantified the cyber risk of its business assets and aligned them to cyber insurance needs, compliance initiatives and the required cyber budget. Instead of manually gathering system and vulnerability data from various sources, InnoSec's STORM Cyber Risk Management product offered an automated solution that demonstrates the effectiveness, strategic requirements and compliance of their program through dashboards, reports and workflows, integrating system and vulnerability data from various sources and consolidating all of it in a centralized database. This has given the client an accurate, timely and objective real-time view of its cyber security resiliency and program.

INTRODUCTION

The client's cyber security team, headquartered in Israel, has the important role of investigating and resolving all cyber security issues across the organization's global operations, which include 137 offices. The team helps ensure that the company complies with regulations including GDPR, prioritizes incidents, remediates vulnerabilities, and works with auditors and boards to maximize cyber resiliency.

Cyber risk management is an approach that measures cyber risk costs and exposures at the business asset level. These business (virtual) assets are systems, processes, data and the technologies that host them. Cyber risk management quantifies objective metrics for each aspect of the organization's cyber security program and aligns risk tolerance, cyber insurance needs and business asset risk. This lets boards and executives meet their fiduciary duty to protect the business assets: carrying enough cyber insurance and budget, and prioritizing remediation work by business risk. Without such metrics, companies are woefully unprepared for the dynamic nature of cyber attacks and cannot stay ahead of attackers. Before InnoSec's STORM, the customer, like many others, attempted to do this manually using a siloed approach.

Before STORM, the CISO would walk into the board room with a list of 300 vulnerabilities and no understanding of how they impacted the business or in what priority they needed to be addressed. The board was mystified by this. They needed to know what to do, but they did not understand the cyber jargon and, more importantly, which business assets were impacted and how. What were the reputational, operational, legal and financial impacts?

Cyber damage, including business interruption, data exfiltration and regulatory fines, must be understood in terms of the importance of each business asset. Is it a crown jewel, a business critical or a business crucial asset? Each tier carries a diminishing level of importance and must be treated in the correct context. No two assets are exactly the same. Without this data it is impossible to understand what to prioritize.

InnoSec’s STORM allowed the customer’s executive management to have a clear line of sight in terms of the amount of cyber insurance needed, the priority of remediation work and the amount of budget needed.

Furthermore, companies are guessing at how much insurance to buy and how much budget they need. We do not do this in any other business domain but cyber. Cyber is a business issue and must be understood from that perspective. Cyber insurance brokers use the "neighbor" method to decide how much coverage to advise selling: if two companies have similar revenues, numbers of employees and geography, they are sold the same amounts. That is ridiculous. One company has effective cyber controls, and the other may not. The company with less effective controls needs more insurance than the one with effective controls.

The same applies to the cyber budget. Using a percentage of IT spend has nothing to do with the business's cyber security risk. It is a marginal, subjective substitute for an important business strategy.

The client understood that they had to level the playing field in cyber and they came to InnoSec to make that happen.

OUR APPROACH

In order to obtain these metrics, we start with an inventory of the systems, processes, technologies and the data they process. This can be obtained from a Configuration Management Database (CMDB) or manually inventoried by the business owners. This takes 1 hour to 2 days depending on the approach.

Simultaneously, we work with the business to set up the risk models. InnoSec STORM measures risk using a reputational, operational, legal and financial (ROLF) model. No two businesses measure risk the same way. Some are more cloud-centric or outsourcing-centric, and such scenarios must be emphasized in the model. InnoSec has templates and best practices from hundreds of customers to help architect the model that fits each business.

Once the systems, processes and technologies are in STORM and the risk model is ready, the business owners perform a business impact and likelihood analysis to determine the inherent risk. Inherent risk is the risk without controls in place: the "cybergeddon" worst-case scenario, as if cyber controls were zero percent effective. It is used in many of our analyses for the customer.

After this metric is calculated, the cyber team can perform security assessments against any framework and integrate data from any security tool, including Security Information and Event Management (SIEM) applications such as IBM QRadar or HP ArcSight and vulnerability scanners such as Qualys and Rapid7, in near-real-time. This data produces the residual risk scores: the risk with controls in place, your best-case cyber risk scenario.
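To make the inherent/residual distinction described above concrete (and the threshold alerting on crown jewel assets mentioned under Business Benefits), here is an added Python sketch; it is not STORM's own scoring logic, and the 1..5 scales, the max-impact rule, the effectiveness scaling and the per-tier thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Asset tiers named in the case study, in descending order of importance.
TIERS = ("crown jewel", "business critical", "business crucial")
# The four ROLF impact dimensions: reputational, operational, legal, financial.
ROLF = ("reputational", "operational", "legal", "financial")
# Residual-risk tolerance per tier (constructed values; the page gives no real thresholds).
THRESHOLDS = {"crown jewel": 8, "business critical": 12, "business crucial": 16}

@dataclass
class Asset:
    name: str
    tier: str
    impact: dict                          # ROLF dimension -> 1..5, from the business owner
    likelihood: int                       # 1..5, from the business owner
    control_effectiveness: float = 0.0    # 0.0 (no controls) .. 1.0, from assessments and tools

    def __post_init__(self):
        if self.tier not in TIERS:
            raise ValueError(f"unknown tier {self.tier!r}")
        if set(self.impact) != set(ROLF) or not all(1 <= v <= 5 for v in self.impact.values()):
            raise ValueError("impact needs one 1..5 score per ROLF dimension")
        if not 1 <= self.likelihood <= 5 or not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("likelihood must be 1..5 and control effectiveness 0..1")

def inherent_risk(asset):
    """Worst case, as if controls were 0% effective: the highest ROLF impact
    times likelihood (assumed formula, range 1..25)."""
    return max(asset.impact[d] for d in ROLF) * asset.likelihood

def residual_risk(asset):
    """Risk with controls in place: inherent risk scaled down by control
    effectiveness (assumed formula); equals inherent risk when effectiveness is 0."""
    return inherent_risk(asset) * (1.0 - asset.control_effectiveness)

def threshold_alerts(assets):
    """(name, residual risk) for every asset whose residual risk exceeds its tier's tolerance."""
    return [(a.name, residual_risk(a)) for a in assets
            if residual_risk(a) > THRESHOLDS[a.tier]]

if __name__ == "__main__":
    # Constructed sample inventory, not client data.
    billing = Asset("billing-db", "crown jewel", likelihood=4, control_effectiveness=0.5,
                    impact={"reputational": 5, "operational": 4, "legal": 5, "financial": 5})
    wiki = Asset("intranet-wiki", "business crucial", likelihood=3, control_effectiveness=0.5,
                 impact={"reputational": 2, "operational": 2, "legal": 1, "financial": 1})
    for a in (billing, wiki):
        print(f"{a.name}: inherent={inherent_risk(a)} residual={residual_risk(a)}")
    print("alerts:", threshold_alerts([billing, wiki]))
```

Feeding a lower control effectiveness for an asset (for example after a scanner reports an unapplied patch) raises its residual risk back toward the inherent value, which is what trips the crown jewel alert.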

All this data is displayed as dashboards, reports and workflows and is used by each member of the business based upon their role: CISO, Board, Compliance Manager, DPO, Remediator, Auditor, Vendor or Business Owner.

EQUIFAX WOULD NOT HAPPEN ON OUR WATCH

The customer understood the need to know if breaches were isolated to the system or would impact crown jewel assets or the supply chain. The customer is alerted when patches are not applied to systems where breaches are not isolated and action can be taken to immediately correct the risk.

BUSINESS BENEFITS

Among all the cyber security solutions providers evaluated by the client, InnoSec was chosen based upon the advanced capabilities, configurability and flexibility of our offering.

InnoSec's STORM Cyber Risk Management Application has inventoried approximately 1200 systems in the client organization and measured their inherent and residual risk metrics. STORM has been deployed to the board, CISO, risk manager, remediators and business owners. Each user has a dashboard, reports and workflows that allow them to work together seamlessly.

The CISO and business owners have views that monitor all systems with high inherent risk. Additionally, they have dashboards for crown jewel assets that show when residual risk rises above the threshold amounts. STORM provides a range of advanced reports that give complete, real-time visibility into the risk of each system. Business owners are alerted when residual risk rises above thresholds.


On an operational level, the CISO also has project and task dashboards that allow seamless communication between the remediators and the managers of the work. All project and task data is quantified in terms of capital and operational expenditures. Budgeting shows costs for GDPR, PCI, IoT, Business Unit and Vendor Security needs.

The security team uses STORM to document the findings of the cyber security risk assessments and to manage the remediation work.

The board uses STORM to determine cyber insurance and budget requirements and ensure that they protect the business assets.

STORM makes it easier for the compliance team to track and manage compliance, working with any framework including GDPR, PCI, ISO, NIST, et al. The assessments can present multiple levels of information in a parent/child manner. Assessment controls are inherited from the lowest level to the highest, allowing a complete assessment down to the device level. This enables IoT, cloud and mobile risk assessments. As the compliance assessment is completed, components escalate severity, rating and impact. It also helps categorize the information into various types based on pre-defined criteria, and can run multiple assessments simultaneously.

Users can also add business context to the data (i.e. remediation plan, budget, and business impact). STORM also helps in qualitative and quantitative impact analysis, and supports correlation of the assessment with past data to enable quick analysis, and to support decision-making on the need for remedial action.

Incident managers use STORM to route each incident/event for review and analysis to authorized users based on pre-configured rules for review, approval, and disposition. The application's decision-tree functionality helps identify reportable events, as well as the type of report that needs to be filed. Remediation data is captured from external sources via STORM's interfaces to third-party products.

Through STORM, remediation project and task owners can add more details about the work, edit its description, and attach further evidence/files. STORM allows for thresholds that map the findings to a severity level -- Critical, High, Medium, or Low -- supported by a color-coded chart (e.g. Red = Critical, Amber = Medium, Green = Low). These severity levels indicate how soon the findings need to be resolved. For instance, a critical finding would need to be resolved in 2 days, while a low severity case can take up to 20 days. Each remediation can be documented with the capital and operational expenditures needed to lower the risk to acceptable levels, which provides a cyber budget.

STORM captures the remediation plan for investigating or resolving the finding. For instance, if a virus has infected a system, the remediation plan might be to test the system controls, and determine what went wrong, what was impacted, and whether or not additional controls are required. All these steps are outlined in STORM, and assigned to a task owner along with predefined timelines. Once the action items have been performed, the task owner enters the results in STORM, and routes it to a task approver for final review, approval, and closure. Risk levels are automatically lowered when this is complete.

ECONOMIC BENEFITS

Keeping track of all this information at a global level is challenging and costly for the organization. It is well documented by CSO magazine that each team member spends over 30% of their time as a "data gofer": obtaining data, analyzing data, massaging data, formatting data, reanalyzing data, and so on. This is a tremendous waste of time and money in a world that is short of cyber security resources. There are over 2 million jobs open in the US now and only 1 in 7 is even applied for, according to Indeed, the job search company. InnoSec's STORM acts as the single source of truth for everything cyber and provides the client a significant ROI of over 300% by automating the risk, vulnerability, compliance audit, budget, project and task management activities.

RISK ASSESSMENT, MONITORING AND REPORTING

STORM's Cyber Risk Management product provides a window into the effectiveness of the cyber security program. It shows the inherent and residual risk of each system, defines the amount of cyber insurance needed based on the strategy and risk tolerance, and aligns this data to cyber budgeting needs. It also tracks the progress/status of the risk assessment against pre-defined thresholds, triggering alerts when thresholds are exceeded.

STORM automatically populates the risk impact report with data. Therefore, at the click of a button, boards and executives (risk owners) get access to key reports such as crown jewel assets, cyber budgeting, findings across the organization, as well as the remediation work plan and an audit trail report. Powerful dashboards provide in-depth visibility into findings data and statistics such as risk metrics, compliance, severity of findings, outstanding open findings, types of findings, and sources of findings. Users can slice and dice this data from various perspectives to identify trends and areas of concern, and to make informed decisions.
