To Reduce Business Risk, Improve Your Security Resilience

May 19, 2022
Jerry Gamblin
Director of Security Research at Kenna Security


In this age of persistent disruption, organizations everywhere are constantly reassessing the business risks they face. Everyone, it seems, is searching for enough resilience to withstand and recover from the assaults caused by market shocks, unreliable supply chains, geopolitical unrest, natural disasters, rising interest rates, and labor shortages. And it’s no wonder since all of these threats can pose clear and present dangers to the business. 

Businesses have already shown they understand the benefits of resilience. They regularly make investments to improve resilience across the organization–from staffing and operations to finance and supply chains. They understand each area represents a specific set of business risks. Staffing shortages can erode customer satisfaction and threaten delivery times. Operational rigidity can lead to sluggish competitive responses and missed opportunities. Clunky processes and workflows can be too slow and inflexible to meet emerging challenges. And supply chain disruptions can directly threaten revenue, the very lifeblood of a business. 

The biggest risk of all? 

Despite the many potential risks, business leaders generally agree on what they see as the most important: cyber attacks. According to the 2022 Allianz Risk Barometer, which surveyed business leaders and risk consultants in 89 countries and territories, cyber incidents led the list, with 44% of respondents citing it as a top concern, followed closely by business interruption at 42%. These two risks are now so frequently related that they often could be listed as one.

The fallout from successful cyber attacks can range from distracting to devastating. Some companies may catch attempts early and simply have to divert resources to shore up their defenses and contain the breach–a scramble that pulls people and budget from other projects, but ultimately the business sustains minor damage. Others aren’t so lucky. Research by the Cyentia Institute reveals that financial losses following a cyber event typically run about $200,000, though 10% of victims suffer losses of more than $20 million. The cost of extreme events targeting Fortune 250 corporations (the most significant losses falling in the 95th percentile) approaches $100 million or more. Then there are epic exploits whose ripple effects can disrupt entire industries and regions. 

Security resilience supports business resilience. 

As vulnerabilities mount and attackers grow more sophisticated, security resilience is the most effective way to protect business operations. Security resilience safeguards your business from threats and equips it to bounce back quickly when exploits occur. It’s the most effective antidote to the constantly evolving threats–security and otherwise–facing businesses today. 

In a resilient security environment, companies can close the gaps to ensure everything in their infrastructure is protected, see more of the data and context to anticipate what’s next, prioritize the alerts and vulnerabilities that matter most, and automate tasks that are currently consuming far too much time.  

For most organizations, achieving this requires some changes. For instance, siloed systems (a common feature of most enterprises) have no place in a resilient security environment. Rather, a single, open platform helps make data accessible to all monitoring and analysis tools. And next-level capabilities like threat assessment, which applies machine learning-driven analysis to comprehensive exploit and vulnerability intel, can turn data into actionable insight. Risk-based prioritization is also essential, as it allows teams to put time and resources toward only those events and threats that pose a risk to the business.

No place for the status quo 

Every investment carries a cost that does not always appear on a balance sheet. Business leaders often reflexively maintain the status quo, seeing the potential disruption of operations as a cost too great to bear. But cyber threats evolve, and evolving threats can outmaneuver security operations that stand still. Staying still is the opposite of resilience.

Yet resilience comes with a kind of balancing act. Every investment (in time, resources, and capital) represents some level of risk, and those in charge must balance that risk with the potential benefit of investing in resilience. 

Security and IT leaders often come to loggerheads over the need to patch vulnerabilities. It’s not uncommon for security staff to identify a high-risk vuln that lives on mission-critical servers or customer-facing applications and request that IT patch it ASAP. IT and DevOps are responsible for maintaining system uptime and application availability. So their remediation teams are hesitant to do anything that might cause an outage.  

To address this, teams must weigh the technical risk of patching against the business risk of leaving potentially damaging vulnerabilities unpatched. This evaluation process usually involves assessing contextual data surrounding the vulnerability: 

  • Has the vulnerability been exploited? If so, has it been exploited in an organization like ours (similar size, same industry, etc.)? 
  • Does the vulnerability exist in systems that serve customers or house critical data?  
  • Do we have access to the threat intel needed to understand and analyze exploit activity and the likelihood the vuln will be exploited on our systems? 
  • Can the vulnerability be exploited remotely and with little to no authorization? 
  • What’s the potential damage a successful exploit could do to our infrastructure and business? 
  • As the vulnerability’s risk level evolves, do we have the resources or tools needed to update our remediation strategy? 
  • If the patch breaks some level of functionality, how quickly can we roll back to the previous state or update the system so it is both protected and functional? 

By answering these questions, remediation teams can then move forward with full awareness of the risk posed to the IT infrastructure and the business.  

Teams can also reduce technical risk by deploying the patch first in a development environment (rather than on production systems and applications) and testing functionality to determine if the patch has impacted the software or system. This can be a crucial step, especially for organizations whose teams are behind on standard software patch and update schedules and must make sure updates are all current before the vulnerability is patched. 
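The contextual questions above, together with the "patch in a development environment first" step, can be turned into a repeatable triage routine. The following is an added example, not Kenna Security's scoring model or code from the original post: it scores constructed vulnerability records against those questions, orders them by business risk, and recommends a remediation path that respects whether a tested rollback exists. The weights, field names, thresholds and sample records are all assumptions chosen for illustration.

```python
"""Added example: risk-based prioritization of vulnerabilities using the
contextual questions from the post. Weights, thresholds and sample data are
constructed for illustration and are not Kenna Security's model."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VulnContext:
    """One vulnerability instance plus the business context an analyst gathered."""
    vuln_id: str
    asset: str
    exploited_in_wild: bool        # Has the vulnerability been exploited anywhere?
    exploited_in_peer_orgs: bool   # ...in organizations like ours?
    customer_facing: bool          # Does the system serve customers?
    holds_critical_data: bool      # Does the system house critical data?
    remote_exploitable: bool       # Can it be exploited remotely?
    auth_required: bool            # ...and does that need authorization?
    impact: int                    # Analyst rating, 1 (minor) .. 5 (business-stopping)
    rollback_minutes: Optional[int]  # Tested rollback time; None = no rollback path


# Assumed weights: each answers one of the post's questions. Impact scales 10..50,
# so a business-stopping, actively exploited, unauthenticated remote bug on a
# customer-facing system saturates the 0..100 scale.
WEIGHTS = {
    "exploited_in_wild": 25,
    "exploited_in_peer_orgs": 15,
    "customer_facing": 10,
    "holds_critical_data": 10,
    "remote_unauthenticated": 15,
    "remote_authenticated": 5,
}
URGENT_THRESHOLD = 70  # assumed cut-off for "patch out of cycle"


def business_risk_score(v: VulnContext) -> int:
    """Combine exploit evidence, exposure and impact into a 0..100 score."""
    if not 1 <= v.impact <= 5:
        raise ValueError(f"impact must be 1..5, got {v.impact}")
    score = v.impact * 10
    if v.exploited_in_wild:
        score += WEIGHTS["exploited_in_wild"]
    if v.exploited_in_peer_orgs:
        score += WEIGHTS["exploited_in_peer_orgs"]
    if v.customer_facing:
        score += WEIGHTS["customer_facing"]
    if v.holds_critical_data:
        score += WEIGHTS["holds_critical_data"]
    if v.remote_exploitable:
        key = "remote_authenticated" if v.auth_required else "remote_unauthenticated"
        score += WEIGHTS[key]
    return min(score, 100)


def recommend_action(v: VulnContext) -> str:
    """Weigh the technical risk of patching against the business risk of waiting.

    Every path starts with a dev-environment deployment; the difference is
    whether production follows immediately, on the normal cycle, or only after
    a rollback path and compensating controls are in place.
    """
    score = business_risk_score(v)
    if score < URGENT_THRESHOLD:
        return "patch-in-cycle: test in dev, then deploy on the standard schedule"
    if v.rollback_minutes is None:
        return "mitigate-first: apply compensating controls, build a tested rollback, then patch"
    return f"patch-now: test in dev, then deploy with a {v.rollback_minutes}-minute rollback plan"


def prioritize(vulns: List[VulnContext]) -> List[VulnContext]:
    """Highest business risk first; ties broken by asset name for stable output."""
    return sorted(vulns, key=lambda v: (-business_risk_score(v), v.asset))


# Constructed sample records (not real findings).
SAMPLE = [
    VulnContext("VULN-A", "web-storefront", True, True, True, True, True, False, 5, 15),
    VulnContext("VULN-B", "internal-wiki", False, False, False, False, False, True, 2, 30),
    VulnContext("VULN-C", "billing-db", True, False, False, True, True, True, 4, None),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.vuln_id:8} {v.asset:15} score={business_risk_score(v):3}  {recommend_action(v)}")
```

In the sample, the actively exploited storefront bug scores 100 and goes straight to the dev-then-production path because a 15-minute rollback is already tested; the billing database issue scores 80 but has no rollback path, so the recommendation is to mitigate and establish one before patching; the internal wiki finding waits for the normal cycle.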

Achieving security resilience while moving forward  

Security resilience is a cornerstone of business resilience. With the right security processes and technologies, businesses can create a resilient security environment without breaking the business. Without them, it’s hard to imagine any business can claim it is resilient enough to meet today’s emerging challenges. 

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.