Why Security Practitioners Often Misjudge Risk to Cyber Assets

Digital transformation has created remarkable and irreversible growth in the cyber asset landscape. Each business shift towards digital workflows has yielded a steady stream of apps, cloud resources, user accounts, and data that must be protected according to the organization's risk appetite. The growth in cyber assets is not a new trend. What's new is the speed at which businesses are creating new cyber assets.

A cyber asset is a broad term for any digital resource that requires security protection. Research shows the average organization has well over 500 cyber assets for every one human employee, including:

  • Devices
  • Applications
  • Networks
  • Data
  • User Accounts

Cyber assets are increasingly interconnected to technology, people, and process, for the purpose of being easier and more seamless to use.

Understanding the Size and Scale of the Cyber Asset Landscape

Many organizations accelerated their technology innovation roadmap by several years at the beginning of the COVID-19 pandemic. Businesses launched new technologies for telehealth or self-service virtually overnight to protect human safety, when 18-24 month innovation cycles had been previously typical. Experts anticipate that businesses will continue to compete on the agility and pace of their digital transformation, even as public health conditions normalize.

"Recreating what was normal before the pandemic should not be the organizational goal," cautions a new report from HBR Analytics. "If it is, the organization could fall behind competitors." Competing on speed has accelerated business adoption of nimble, new cloud infrastructures that can scale out rapidly to meet new use cases, new users, and new regions in almost real-time.

Agile digital transformation has changed both how businesses architect proprietary technology and what security teams are responsible for. Faster-moving systems are characterized by a higher number of cyber assets, including assets created entirely by automation, and therefore by a higher number of cyber assets that exist well outside the knowledge of security teams.

Every Cyber Asset Creates Some Cost

All cyber assets introduce some liability to an organization, whether or not the security team is aware of the existence of the asset. But these liabilities are incredibly difficult to capture using traditional balance sheets or equations for annualized loss expectancy (ALE) or annualized rate of occurrence (ARO).

Consider, for example, a subscription to a business productivity app that costs $120 annually for each user. Perhaps each user subscription yields $240 per year of critical business value, which can be estimated with techniques for asset performance management (APM). Imagine further that the expected loss (likelihood times impact) from a security incident that compromises each user's app license is estimated at $60, meaning the business appreciates 25% greater returns in value than the combined hard and soft costs of subscription fees and security risk.

A traditional balance sheet approach fails to reflect the true liabilities of the application when cyber asset relationships are taken into account. If a threat actor were to gain access to the employee's account through a phishing campaign, the security incident would almost definitely expand beyond a simple account compromise. Most likely, the threat actor would attempt to gain access to the user's other accounts, escalate additional permissions, and reach the organization's most critical and sensitive data assets.

Many cyber assets, such as email accounts or laptops, can appear to carry limited security risk when viewed in isolation. When these assets are viewed in terms of their direct and indirect relationships, their true liabilities are typically much greater and more concerning. A user's videoconferencing login may be just two or three degrees of separation from sensitive assets such as customer health records.
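As an added example (not code from the original post or from JupiterOne), the following Python makes the argument above concrete: it models assets as a graph, computes how many degrees of separation lie between a user account and sensitive data, and compares the account's expected loss in isolation with its expected loss once downstream relationships are counted. Asset names, impact values and pivot probabilities are constructed assumptions; only the $60 isolated expected loss is taken from the post.

```python
"""Isolated vs. relationship-aware expected loss for a cyber asset."""

from collections import deque

# Constructed asset graph (assumed values, not from the original post).
# IMPACT: assumed loss if that asset is compromised.
# EDGES: (target, p) = assumed probability that an attacker holding the
# source asset pivots to the target.
IMPACT = {
    "productivity_account": 300.0,
    "sso_identity": 2_000.0,
    "file_share": 10_000.0,
    "customer_health_db": 250_000.0,
}
EDGES = {
    "productivity_account": [("sso_identity", 0.5)],
    "sso_identity": [("file_share", 0.6), ("customer_health_db", 0.1)],
    "file_share": [("customer_health_db", 0.3)],
    "customer_health_db": [],
}


def degrees_of_separation(start):
    """BFS: fewest hops from start to every reachable asset."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, _ in EDGES.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def reach_probability(start, p_initial=1.0):
    """Best-path (max-product) probability that a compromise of start
    reaches each asset. Relaxes edges until stable; edge weights <= 1
    guarantee termination even if the graph has cycles."""
    prob = {start: p_initial}
    changed = True
    while changed:
        changed = False
        for node in list(prob):
            for nxt, p in EDGES.get(node, []):
                cand = prob[node] * p
                if cand > prob.get(nxt, 0.0):
                    prob[nxt] = cand
                    changed = True
    return prob


def expected_loss(start, p_initial):
    """Return (isolated ALE, relationship-aware ALE) for one asset."""
    isolated = p_initial * IMPACT[start]
    reach = reach_probability(start, p_initial)
    connected = sum(reach[a] * IMPACT[a] for a in reach)
    return isolated, connected


if __name__ == "__main__":
    print(degrees_of_separation("productivity_account"))
    print(expected_loss("productivity_account", 0.2))  # (60.0, 5360.0)
```

With a 20% chance of the account being compromised, the isolated figure reproduces the post's $60, while counting the pivots to the health database puts the same account's expected loss near $5,360.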

Understanding Cyber Asset Liabilities in an Interconnected Ecosystem

Understanding the direct and indirect relationships between cyber assets is an important first step. Security teams must also work to understand the qualities of these relationships and how they create layers of dependency and control. Understanding complex, layered relationships is not simple, but it is vitally important for security teams. Underestimating relationships can lead to excessive risk-taking behaviors, which was perhaps most vividly illustrated by the perfect storm of dependencies behind the 2007-2008 financial crisis.

No cyber asset exists in true isolation. Instead, every cloud resource, application, and user account is part of a complex web within a modern organization's infrastructure, and that web creates liabilities and expands the attack surface. The sheer number of cyber assets and their complex relationships go a long way toward explaining why security is so challenging for modern organizations. Business leaders must work with security to better understand the complex ecosystems of cyber assets and how asset relationships impact security risk.

Jasmine Henry

Jasmine Henry is a security practitioner who's used JupiterOne to create a compliant security function at a cloud-native startup. She has 10 years of experience leading security programs, an MS in Informatics and Analytics, and a commitment to mentoring rising security practitioners from underrepresented backgrounds. Jasmine is a Career Village co-organizer for The Diana Initiative security conference. She lives in the Capitol Hill neighborhood of Seattle, WA.
