Sunday, December 29, 2024

The preceding articles on security and vulnerability management mentioned that organizations treat the defense-in-depth approach as the preferred path to stronger security. They also solicit feedback from security researchers through programs such as AI red teaming and bug bounty programs to make a positive impact for their customers. As they evaluate the ROI of these efforts, bug bounty and penetration testing have proved to be of exceptional value. A bug bounty program is a relatively small investment for an organization, and its ROI can be measured in terms of: 1. the absence of incidents or breaches; 2. risk assessment; 3. financial savings estimated from avoiding risk or avoiding breaches; 4. agility and speed of security teams' responsiveness; 5. discounts on cyber insurance; and 6. estimated savings in reputational or customer-related impacts as a result of the security program.

Penetration testing, on the other hand, tends to identify systemic or architectural vulnerabilities such as cryptographic weaknesses or secure design issues, which are essential for long-term security but may not be immediately apparent to attackers. It is a bit ironic that organizations discover critical bugs using pentests during the deployment phase. Pentest-as-a-Service (PTaaS) is gaining ground as organizations shift to community-driven, SaaS-based models that are more flexible, grant access to a more diverse pool of vetted security researchers, and offer wider coverage than traditional methods. It is common to discover a dozen vulnerabilities per engagement. By combining bug bounty programs and pentests, organizations gain comprehensive security coverage and achieve greater ROI than before, although measuring that ROI remains a challenge.

In contrast, a new metric called ROM, or Return on Mitigation, is fast gaining acceptance in the industry. It compares the cost of mitigating risks to the potential financial losses from cyber incidents, providing a clear measure of how security efforts protect the business from costly breaches. This nuanced view offers both qualitative and quantitative benefits, since it accounts for factors such as the cost of restoring compromised systems, lost revenue due to downtime, legal and regulatory penalties, and damage to public trust and reputation.

ROM = (Anticipated Breach Cost) / (Mitigation Cost)

While ROI is similar in inspiration to calculating a profit percentage as an overall metric for the outcome, the factors that ROM represents are not covered by ROI alone; ROM highlights the importance of risk management and the overall benefits of security measures.

As with all reports, a human-powered security program is needed internally to evaluate the priority and severity of the reports' findings and to use the data to better understand and protect against malicious hackers. Such a program draws attention from the whole organization, not just the security team. The unique ability of skilled security professionals to mitigate complex security vulnerabilities and deliver context-driven value, coupled with ROM, makes a compelling business case.

Reference: previous articles

#codingexercise: CodingExercise-12-29-2024.docx
