Balbix Ties CIS Benchmarks to Cybersecurity Risk Quantification – Source: securityboulevard.com

Source: securityboulevard.com – Author: Michael Vizard

Balbix today added a tool that makes it simpler for organizations to determine the degree to which their assets are outside the scope of best practices recommended by a Center for Internet Security (CIS) assessment.

The Balbix platform now provides a single dashboard through which all the vulnerabilities, misconfigurations, control failures and other security issues associated with an asset can be tracked, rather than relying on a spreadsheet that lacks context.

Balbix CEO Gaurav Banga said this is a critical capability because cybersecurity teams are now being asked to assess the level of risk to a business based on the probability a vulnerability might be exploited. Armed with those insights, it then becomes simpler to prioritize the limited resources most organizations have available to address those issues, he added.

The Balbix platform already uses multiple types of artificial intelligence (AI) technologies to analyze millions of data points in a way that surfaces a risk quantification report. The capability is now being extended to both automate the creation of a CIS Benchmark report and then integrate that report into a risk quantification process, said Banga.

In general, as more organizations start to realize there is no such thing as absolute security, the focus is on trying to minimize risk levels. Business leaders, for example, want to understand the potential financial impact the exploitation of any given vulnerability will have on their organization. Much of that interest is being driven by new rules put forward by the Securities and Exchange Commission (SEC) that are set to go into effect later this year, noted Banga.

Those rules are roughly the cybersecurity equivalent of the Sarbanes-Oxley rules the SEC put in place that required public companies to be more responsible, he added. Business and IT leaders who violated those rules, in addition to being fined, might be banned from holding a position in a public company for a period of time, Banga noted.

Most public companies are going to err on the side of caution when it comes to making these disclosures for fear of becoming the target of an SEC investigation. If breach disclosures start having a significant impact on stock valuations, the pressure on cybersecurity teams to equate the blast radius of cybersecurity incidents with specific costs will only intensify. There are, of course, always going to be a lot of people in these organizations, including members of the cybersecurity team, who have a vested interest in making sure stock valuations remain as high as possible, so the need for a trusted risk quantification platform to help settle those debates is only going to increase, noted Banga.

Hopefully, those quantification efforts result in better cybersecurity as it becomes easier to identify which vulnerabilities might have the most catastrophic impact if exploited. Today, there is still an unfortunate tendency to treat all vulnerabilities equally regardless of potential severity. The issue that creates is that there are simply not enough resources available to defend everything, so informed tradeoffs inevitably need to be made.

Original Post URL: https://securityboulevard.com/2023/08/balbix-ties-cis-benchmarks-to-cybersecurity-risk-quantification/

Category & Tags: Analytics & Intelligence, Cybersecurity, Featured, Governance, Risk & Compliance, News, Security Awareness, Security Boulevard (Original), Spotlight, Threat Intelligence, Balbix, Best Practices, cis benchmarks, risk assessment, risk management
