Unveil Unseen Threats With an Enterprise Cyber Risk Assessment
This session explains how to realistically assess and prioritize your company’s vulnerabilities to mitigate downtime, financial loss, and more.
The interconnectedness of vulnerabilities, risks, and threats in cybersecurity cannot be overstated; accounting for it is what makes a risk assessment within an enterprise holistic and effective.
Understanding and prioritizing the combination of these elements is crucial for effective risk management and mitigation.
In this archived panel discussion, Ron Guerrier, CTO of Save the Children; Riya Sanjay, senior professional services manager of LogicGate; and Nicholas Kathmann, CISO of LogicGate, share ways to develop a custom-fitted cyber risk assessment strategy for your enterprise. The broadcast was moderated by Brandon Taylor of InformationWeek.
This segment was part of our live webinar titled, “Your Enterprise Cyber Risk Assessment.” The event was presented by InformationWeek on July 17, 2024.
A transcript of the video follows below. Minor edits have been made for clarity.
Brandon Taylor: Ron, how do you define risk, threat and vulnerability on a system?
Ron Guerrier: A lot of times they are interwoven, and people tend to see them as the same, but they are all slightly different. The risk profile is the likelihood of something really happening. It's a profile of risks.
There's high risk, low risk, and medium risk. Vulnerability, the way my staff and I typically define it, is something where there is a kink in the armor or a break in the chain. There is a challenge or a problem with the way something was constructed.
It was probably constructed the way it was intended, but over time, the vulnerability shows itself and exposes itself as a high risk. And the criticality of all that depends on how high or low it is.
So, for me, it totally depends on the product, or the service that I, as a CIO or CTO, am supporting. Case in point, when I was in pharmaceuticals at Express Scripts as a $108 billion company, we sent out pharmacy drugs through Walgreens, CVS, you name it.
We had to make sure that the PII and all the HIPAA rules were protected first. So, that was what we insulated the most. That's where we ringfenced the most.
However, when I moved to HP, for example, it was the schematics of how our systems operate. The IP that we have is behind the technology, which is within a laptop, for example.
And here today, what I'm protecting the most are the digital identities of the children we serve and help, but also the donors that are very generous to help those children.
So, that is what I want to ringfence the most. So, vulnerability and risk are my calculus and what I'm focused on the most in those three areas.
But it's very important that you really understand what you're protecting the most, and then have the right dimension of the level of criticality around that.
There's more to that one, but I'll pause because I can take that answer into another 30 minutes. I think that kind of captures the essence of the answer.
BT: Riya, do you have anything to add here?
Riya Sanjay: Yeah, definitely, Brandon. I love what you said, Ron, about the way you think about vulnerabilities, risks, and threats.
With cybersecurity being a newer concept, everyone is really starting to take it seriously and recognize it's not a matter of if, it's a matter of when. You know, we've heard that phrase.
If I'm describing cybersecurity as someone who is looking to just get more comfortable or familiar with it, or build their own risk culture within an organization, I think of this basic example.
Someone may be breaking into your home, and the risk is the chance of something bad happening like that break-in. The threat is that burglar that shows up and tries to break in. And then the vulnerability is that it happens because a window has been left open in your home.
So, I like to quantify it also in those sorts of terms to help people who may not be as familiar or comfortable quite yet when trying to understand more about risk management and what it means. What do you think, Nick?
Nicholas Kathmann: I really liked the kink in the armor analogy there. I think one thing that I see a lot is that when most people think about vulnerabilities, they only think about patches and patch management.
I think vulnerabilities are a much broader classification of things than just a patch. It can be a misconfiguration, an architectural issue, an operational issue, such as a process not being followed.
So, there's all kinds of different things that will qualify under a vulnerability, but a vulnerability is what could happen. So, to me, it's like what could happen? Where are the holes or the kinks in my armor?
A threat is like who or what is going to cause that? A threat could be a person, an insider threat, or something like that. It could also be a natural disaster that comes along.
So, the threat of a weather event flooding your data center or taking something down is another type of threat that wouldn't just be associated with an individual.
And then a risk is kind of the combination of those two. Later, we'll talk a little bit more about impact times likelihood equals risk, and then treatment plans around that stuff.
If a bad person or threat can exploit a vulnerability, what then happens? What is the outcome of that? Usually, we try to tie risks to what the business impact is if that vulnerability was to be exposed.
For example, an individual vulnerability against a digital system is not that big of a deal. A vulnerability against your large SAP infrastructure that takes things down has a much bigger business impact, for instance.