
Assessing Cybersecurity Risk Requires More Than Discovering Vulnerabilities
Buyer beware: software programs or tools that claim the ability to conduct a risk assessment by scanning your network with little to no human interaction should raise concern! These tools will generally do a nice job of discovering vulnerabilities that exist in your technology environment, but vulnerabilities are not risks by default.
Risk requires the presence of a vulnerability PLUS the action of a threat actor
To illustrate this concept with an example from the tangible world, let's visualize a car. The car is parked, and the doors are unlocked. A premature conclusion would be to state that the unlocked doors translate to risk. If you apply critical thought, however, you will discover that the unlocked doors are simply a vulnerability that could be exploited. You would need more information to determine actual risk. Is there anything valuable in the car? What is the crime rate in the place where the car is parked? What would the impact be if someone gained access to the car? Who would attempt to gain access to the car? Are there other compensating controls in place, like a security camera? The same logic applies to the digital world.
The presence of vulnerabilities like unpatched computers or misconfigured devices will contribute to the likelihood of a risk event occurring, but it is shortsighted to say that vulnerabilities equal risk. That statement simply is not true.
A risk assessment requires critical thought that goes beyond the discovery of vulnerabilities by software tools. It requires the use of logic and reason, all of which are made possible by the involvement of qualified human beings in the risk assessment process.
Relying on the arbitrary risk statements and scores created by software tools that simply discover vulnerabilities in your network can lead to a false understanding of your actual risk profile. That can then easily lead to the wasteful allocation of resources that were intended to reduce risk but end up remediating a vulnerability instead.
Follow the NIST SP 800-30 Guideline
To avoid this common pitfall, be sure to follow the NIST SP 800-30 Guide for Conducting Risk Assessments. Do not rely on the output of a software tool to determine your risk, define your information security initiatives, or dictate how you spend time, money and human capital improving your overall cybersecurity posture.
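The point above, worked through in code as an added example (not code from the article or from Cyberstone): one scanner finding, rated "high" by the tool, is assessed twice with the context only a human supplies, using five-level scales in the shape of NIST SP 800-30 Rev. 1; the host names, the sample finding and the rules for combining levels are constructed for illustration, not taken from the guideline.

```python
# Added example, not the article's or Cyberstone's code: SP 800-30-shaped risk
# determination. Scales mirror the guideline; the combining rules are constructed.
from dataclasses import dataclass

LEVELS = ["very low", "low", "moderate", "high", "very high"]

def _idx(level: str) -> int:
    return LEVELS.index(level.lower())

@dataclass
class Finding:
    """What a scanner reports: a vulnerability and its severity."""
    host: str
    vulnerability: str
    scanner_severity: str  # used as an exploitability proxy, one of LEVELS

@dataclass
class Context:
    """What only a human assessment supplies (SP 800-30 inputs)."""
    threat_initiation: str  # likelihood a threat actor attempts the event
    asset_impact: str       # impact on the organisation if it succeeds
    compensating_controls: int = 0  # each effective control lowers likelihood one level

def overall_likelihood(finding: Finding, ctx: Context) -> str:
    """Combine initiation likelihood with likelihood of adverse impact
    (scanner severity as proxy), then credit compensating controls."""
    init, adverse = _idx(ctx.threat_initiation), _idx(finding.scanner_severity)
    combined = (init + adverse + 1) // 2  # constructed: round-up average of the two
    return LEVELS[max(0, combined - ctx.compensating_controls)]

def risk_level(likelihood: str, impact: str) -> str:
    """Likelihood x impact; taking the lower of the two approximates the shape of
    the guideline's risk table (a likely event with negligible impact is low risk)."""
    return LEVELS[min(_idx(likelihood), _idx(impact))]

def assess(finding: Finding, ctx: Context) -> dict:
    likelihood = overall_likelihood(finding, ctx)
    return {"host": finding.host, "vulnerability": finding.vulnerability,
            "scanner_severity": finding.scanner_severity,
            "likelihood": likelihood, "risk": risk_level(likelihood, ctx.asset_impact)}

if __name__ == "__main__":
    # Constructed sample: the same scanner finding on two hosts.
    lab = assess(Finding("lab-vm-07", "unpatched SMB service", "high"),
                 Context("low", "very low", compensating_controls=1))
    edge = assess(Finding("edge-fileserver-01", "unpatched SMB service", "high"),
                  Context("very high", "high"))
    for row in (lab, edge):
        print(row)
```

The isolated lab host comes out "very low" risk and the exposed file server "high", although the scanner reported both as "high": the tool found the vulnerability, and the context determined the risk.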
Contact us today to learn more about how our qualified Information Security Consultants can help your organization conduct a meaningful risk assessment!
Article courtesy of our strategic partner, Cyberstone