Chief Risk Technology Officer for Qualys.
What’s in a name?
I can hear risk purists objecting: you can never eliminate risk, only control it!
I have two responses.
First, I was being purposefully terse as a means of easing readers into a fuller definition.
Second, I suspect objections stem from not completely aligning on terms.
Let's fix that by defining what I mean by risk and elimination.
Here is a thought experiment: If you completely remove your uncertainty, have you eliminated risk?
Imagine I am driving an SUV.
I've just been told there is a small tunnel ahead.
I don't know what small means in this context.
I just know I'm driving a high-occupancy vehicle full of children and my spouse.
I'm now uncertain if my vehicle will fit.
Risk measurement moderates our uncertainty.
We define risk measurement as "a quantitatively expressed reduction of uncertainty based on one or more observations."
In the case of tunnel versus SUV, my state of uncertainty was reduced 100%.
This is why we need to clarify what elimination means.
For elimination I'm using its risk-oriented word origin.
In Latin, elimination is ex limine.
The ex means off or out.
And limine is limit or boundary.
In short, to eliminate risk is to set a boundary or limit that should not be exceeded.
This ties nicely with the concept of a cyber insurance limit and risk tolerance.
Indeed, a limit is a mathematically unambiguous and contractually binding expression of business risk tolerance.
What’s a ROC platform?
Perhaps you are one of these CISOs.
How might you know?
This includes integrating multiple threat intelligence feeds and correlating compensating controls for risks that cannot be fixed immediately.
If you answered yes, even in part, then you are likely embarking on your own ROC journey.
It's a non-trivial DIY proposition.
Consider that the average enterprise-level firm has 76 security tools deployed, according to Panaseer.
I distinguish risk data from threat-oriented event data that materializes in your SOC.
SOC event data consists of streams of arrival timestamps with lightweight metadata.
Due to its volume and millisecond velocity, it's invariably light on context.
Event data is best persisted and modeled via time series data structures and related analysis.
This is similar to what is used in real-time trading and network analysis.
It's for specific IT security decision making around threats.
Risk data is the other end of the spectrum when it comes to context.
Indeed, graph comprehension is a must, as cloud-native data and other ephemeral assets aren't IP addressable.
The days of first- and third-party assets always being tied to a machine and its IP are fading.
You could still do time series analysis with ROC data.
You would do this to baseline metrics and do other forms of change analysis.
What’s different around risk?
The ROC actually sits at the nexus of value and loss exposure.
In other words, businesses want to make more revenue and more profits.
At the same time, any new venture or investment increases the potential risk back to the organization.
In this sense, successful businesses are risk exposure machines.
The ROC controls the loss exposure portion of that flow.
It does that using both sentient and/or artificially intelligent means of risk analysis.
That analysis in turn automates actions (or enables workflows) for remediation, mitigation and risk transfer.
Remediation and mitigation are controlled within the attack surface domain.
Are you ready to ROC?
The ROC is not your SOC.
They work together but at different levels of your overarching risk surface.
The SOC exclusively operates on event data within the attack surface domain.
It continuously orchestrates the remediation, mitigation and/or transfer of cybersecurity risk that may exceed business tolerance.
The views expressed here are those of the author and are not necessarily those of TechRadar Pro or Future plc.