A 2019 article from McKinsey titled “The Risk-based Approach to Cybersecurity” argued that organizations need to move from a “maturity-based” to a “risk-based” approach to cybersecurity. First, some definitions from that article. Cyber risk is just another kind of operational risk, and cyber risk is not the same as cyber threat: threats are the particular dangers that create the potential for cyber risk.

In the article, McKinsey describes the maturity-based cybersecurity approach as “a dog that’s had its day”. Let us better understand what a “maturity-based” approach means. It basically means that the organization focuses on achieving a particular level of maturity by building certain capabilities. Examples include building a security operations center (SOC), implementing multi-factor authentication (MFA), etc. Given that the objective is to reduce cyber risk, the efforts with the best return on investment in risk reduction should draw the most resources.

McKinsey depicts the cybersecurity journey of an organization in 4 stages by maturity as below:

Fast forward a couple of years from 2019, and we believe: risk-based cybersecurity is a dog that’s had its day.

It is time for organizations to graduate to Proactive Cybersecurity. Unfortunately, most organizations today tend to do exactly the opposite, with a lot of focus on reactive cybersecurity. Most organizations deploy solutions like SIEM, SOAR, EDR, etc., and these solutions help them detect, respond and recover. For organizations to be more proactive, they need to focus on identify and protect. Note that the terms “Identify, Protect, Detect, Respond, Recover” come from the NIST Cybersecurity Framework, which we have covered in an earlier blog article. Identify includes two things: identifying the sources of enterprise value, and identifying any vulnerabilities in them. Note that the sources of enterprise value need to include third parties (vendors, suppliers, partners, etc.) as well. These identified assets then need to be protected appropriately (by patching vulnerabilities, implementing controls like MFA, etc.).

If your organization uses a vulnerability scanner or vulnerability management tool (the likes of Qualys, Tenable, Rapid7), then you may feel that you are covered. However, that is not entirely true, since you most likely end up using scheduled scans for performing these assessments. Why can scheduled vulnerability scans not be considered proactive? A couple of reasons:

  1. The cadence or frequency of the scheduled scans matters. For example, say you run scans every fortnight and a new vulnerability surfaces a day after your scan. In that situation you won’t know about the impact of the new vulnerability on your systems for roughly another two weeks, until the next scheduled scan kicks in.
  2. For large organizations these vulnerability scans can take a good amount of time to complete, and by the time the scan report is ready it is already obsolete. Why? Because new vulnerabilities emerged while the scan was running, and those have not been assessed.
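To make the two points above concrete, here is a small model of detection lag under scheduled scanning. It is an added example written for this article, not ThreatWatch code or any scanner vendor's logic. It assumes that a scan which starts on day s only checks for vulnerabilities disclosed before day s (the check feed is fixed when the scan starts) and that its report is ready on day s plus the scan duration; the schedule values (fortnightly, five-day scan) are constructed for illustration.

```python
"""Model the detection lag of scheduled vulnerability scans.

Assumptions (constructed for this example):
  * scans start on day 0, interval, 2*interval, ...
  * a scan starting on day s evaluates only vulnerabilities disclosed
    before day s, so a disclosure on day s waits for the next scan
  * the report of a scan starting on day s is ready on day s + duration
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanSchedule:
    interval_days: int   # days between scan starts (14 = fortnightly)
    duration_days: int   # days a full scan takes before its report is ready


def first_report_day(schedule: ScanSchedule, disclosed_day: int) -> int:
    """Day on which a report covering a vulnerability disclosed on
    `disclosed_day` is first available."""
    if schedule.interval_days <= 0 or schedule.duration_days < 0 or disclosed_day < 0:
        raise ValueError("interval must be positive; duration and day non-negative")
    # The scan starting on the disclosure day itself began before the
    # disclosure, so the next scan start strictly after that day is needed.
    next_start = (disclosed_day // schedule.interval_days + 1) * schedule.interval_days
    return next_start + schedule.duration_days


def detection_lag(schedule: ScanSchedule, disclosed_day: int) -> int:
    """Days between disclosure and the first report that covers it."""
    return first_report_day(schedule, disclosed_day) - disclosed_day


def worst_case_lag(schedule: ScanSchedule) -> int:
    """Lag for a vulnerability disclosed just after a scan has started."""
    return schedule.interval_days + schedule.duration_days


def lag_profile(schedule: ScanSchedule) -> list:
    """Lag for each disclosure day within one scan cycle (the pattern repeats)."""
    return [detection_lag(schedule, d) for d in range(schedule.interval_days)]


def fraction_exceeding(schedule: ScanSchedule, sla_days: int) -> float:
    """Share of disclosure days whose lag is longer than the remediation SLA."""
    profile = lag_profile(schedule)
    return sum(1 for lag in profile if lag > sla_days) / len(profile)


def stale_report_window(schedule: ScanSchedule) -> int:
    """Days of disclosures a just-finished report does not cover: everything
    published while the scan was still running (point 2 above)."""
    return schedule.duration_days


if __name__ == "__main__":
    fortnightly = ScanSchedule(interval_days=14, duration_days=0)
    large_estate = ScanSchedule(interval_days=14, duration_days=5)
    for name, sched in (("fortnightly, instant scan", fortnightly),
                        ("fortnightly, 5-day scan", large_estate)):
        print(f"{name}: worst-case lag {worst_case_lag(sched)} days, "
              f"{fraction_exceeding(sched, 7):.0%} of disclosure days miss a 7-day SLA, "
              f"report is already missing {stale_report_window(sched)} days of disclosures")
```

With a fortnightly schedule, a vulnerability disclosed the day after a scan is first reported thirteen days later, and half of all disclosure days already exceed a seven-day remediation SLA before the report even exists; adding a five-day scan duration pushes that to twelve of fourteen days. In a continuous, event-driven assessment model the lag no longer depends on cadence at all, which is the practical difference the article is pointing at.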

The whole traditional vulnerability scanning model has other significant disadvantages as well:

For a good proactive cybersecurity approach organizations need a tool that offers following key capabilities:

ThreatWatch can help you proactively secure your organization’s multiple attack surfaces (corporate, remote, cloud, container and code) without using agents or scans.

For more information on how ThreatWatch can help you proactively secure your organization, write to us at info@threatwatch.io
