The answer is simple: because it's highly profitable. Credit card numbers are still the best we've got for transacting digitally and health records are 10 times more valuable on the black market. And despite efforts from the infosec community at large, cybercrime continues to increase in frequency and severity. The more important and difficult question is not why, but how—that is, how can companies not just survive, but thrive in a landscape of digital threats?
Unfortunately, this particular question is complicated, as the answer varies by organization and industry. Universally, however, it starts with embracing the concept of digital resilience. In a nutshell, digital resilience, as succinctly put by Gartner's Peter Firstbrook, is about "absorbing the punches and bouncing back from the big things while accepting certain risks for the achievement of success." Since no organization can completely rid its web presence of cyber risk, or its external partners of third-party vendor risk, the best chance a firm has for survival in the brave new digital economy is to assess vendor risk ahead of time and take measured risks in order to realize opportunities and competitive advantages.
Digital Resilience Prerequisites
So what does it take for a firm to achieve digital resilience? Looking to other mature industries that deal in high risk can help shed some light on the matter. The rise of the automobile has no doubt propelled society forward, but at the cost of many lives; despite this, road accidents and fatalities are at most an afterthought of the daily commute. Consumers and businesses can enjoy the benefits of modern transportation through instruments that effectively manage risk: the various types of insurance coverage available (and in most cases required by law). These products enable customers to offset the high cost of automotive risk in exchange for premium payments.
The occasional cost of living resiliently. Source: Thue / Wikimedia Commons.
This risk-based thinking is also a prerequisite for digital resilience, and indeed, the nascent but growing cyber insurance industry is a reflection of the ever-worsening cyber threat landscape. Unfortunately, up until now the metrics for quantifying and comprehending cyber risk have been at best arbitrary and at worst completely inaccurate.
Measuring Cyber Risk With UpGuard's CSTAR
We started out by asserting that the most important and difficult question for an organization is how to thrive in a landscape of digital threats. Since an approach's efficacy varies by organization and industry, one-size-fits-all prescriptive measures are only marginally effective. In the same vein, every organization's IT infrastructure is different and carries a risk profile of its own. Again looking to the auto insurance industry for cues, a mix of data points about the driver and the automobile in question (e.g., driving record, driver age, cost of vehicle, vehicle type/class, et al.) determines the cost of coverage. A company's cyber risk profile should therefore be unique to the organization, with cyber risk assessments taking into account data points about the internal state of its systems in conjunction with externally sourced data.
This is the essence of UpGuard's Cyber Security Threat Assessment Report (CSTAR): a composite score representing the collective vulnerability of every server, network device, and cloud service to the risk of breaches. CSTAR gives insurers the ability to provide optimally priced insurance policies customized per organization, based on an actual infrastructure's configuration state and testing habits. But there's a lot more to UpGuard than just assigning a numeric value to cyber risk. Our platform helps your organization become more digitally resilient through continuous integrity monitoring and validation, helping to prevent data breaches.