Lack of Cyber Metrics Hampers U.S. Ability to Respond to Cyberattacks

Brian Thomas | March 20, 2020 | tag: Cybersecurity

As the nation struggles to come to terms with the coronavirus and questions linger around our readiness for such a pandemic, government leaders are already grappling with the next potential catastrophe — a major cyberattack against the U.S.

A new report issued by the federal Cyberspace Solarium Commission, a congressional body chaired by Sen. Angus King and Rep. Mike Gallagher, opens with a dire warning: that the country is “dangerously insecure in cyber” and “…is at risk, not only from a catastrophic cyberattack but from millions of daily intrusions disrupting everything from financial transactions to the inner workings of our elections,” reports Dark Reading.

In response to this threat, the Commission published more than 75 recommendations to lawmakers on ways in which public and private entities can strengthen their security posture to reduce the probability and impact of cyberattacks.

Lack of clarity hampers cybersecurity risk reduction

Yet even as cyber incidents are increasing in frequency and severity, the report acknowledges a major roadblock to achieving this goal: that both the U.S. government and broader marketplace “lack sufficient clarity about the nature and scope of these attacks to develop nuanced and effective policy responses.”

Much of the problem lies in the fact that official data sets are incomplete and provide only a superficial or cursory understanding of evolving trends in cybersecurity. The Department of Justice gathers data on cybercrime, but the data is woefully out of date. Meanwhile, the FBI Cyber Crime division collects statistics on the monetary cost of cybercrime, but only for the cases it handles. And while many industry titans in the cybersecurity sector assemble vast amounts of data about the true state of cybersecurity in the U.S., they are not obligated to disclose it.

This makes it hard for government and private companies to model and understand cyber risk, and to tell whether they are making progress defending their systems.

How a proposed Bureau of Cyber Statistics could help

In response to these data gaps, the report calls on Congress to establish a Bureau of Cyber Statistics within the Department of Commerce. The Bureau would collect, process, analyze, and disseminate essential data on cybersecurity, cyber incidents, and the cyber ecosystem. In partnership with NIST, the Bureau would use this data to help inform Americans of risk, drive greater risk reduction, and assist the government in crafting more effective cyber policy and programs.

But the responsibility for measuring cyber risk shouldn’t lie with the government alone. Whether or not these recommendations become law, the Cyberspace Solarium Commission has identified serious shortcomings in the nation’s cybersecurity posture. Considering this, every organization has an obligation, to its customers, partners, investors, and employees, to apply meaningful metrics to cybersecurity performance.

After all, information is power. Without a commonly defined quantification of risk, organizations struggle to know where and how to prioritize their security investments.

One way to address this challenge is to utilize security ratings.

Security ratings: A powerful metric for revealing hidden cyber risk

Security ratings are a data-driven, objective, and dynamic measurement of an organization’s cybersecurity performance that provide much-needed visibility into cyber risk and help identify gaps in security programs.

Unlike traditional cyber assessments that provide a point-in-time risk metric, security ratings work by continuously monitoring digital assets for risk indicators such as unpatched systems, insecure access points, misconfigured software, and malware. They add quantitative metrics to the assessment process.

Armed with daily ratings, organizations can proactively identify, quantify, and manage cybersecurity risk throughout their ecosystem. For example, BitSight Security Ratings range from 250 to 900, with a higher rating equating to a better overall security posture. In fact, companies with a rating of 500 or lower are nearly five times more likely to have a breach than those with a rating of 700 or higher.

BitSight Security Ratings can even be used to measure cyber risk across third, fourth, and nth parties in an organization's supply chain. This helps prevent exposure to risk from vendors and partners.

With this data-driven measurement of security performance, companies can quickly and efficiently allocate their teams’ limited security resources and investments to the most critical areas of cyber risk. They can also facilitate data-driven, risk-based conversations about cybersecurity among key stakeholders, including the board, C-suite, investors, partners, and more.

Meaningful metrics and data are critical to cyber risk reduction

IT security leaders are always trying to find better ways of identifying and understanding cyber risk. As the findings of the Cyberspace Solarium Commission show, having accurate metrics brings much-needed clarity to the process — inside and outside the corridors of government.

Security ratings complement the government’s efforts to create a Bureau dedicated to making risk easier to identify, understand, and reduce. They are the type of non-traditional, outside-the-box, data-driven security solution that the Cyberspace Solarium Commission is recommending.
