The Difference Between a Threat and a Vulnerability
You will see these terms discussed many times throughout this article, so it is important to clarify what each of them means and how they differ. A cyber threat relates to the source of a particular attack. By analyzing and understanding threats, security policies and procedures can be created to protect against certain types of cyber attacks. A vulnerability is a security flaw that could lead to a successful attack. Testing for vulnerabilities allows for constant monitoring of weaknesses and gaps in a system and also helps identify what types of network vulnerabilities to test for in the future.
Since the earliest days of the cybersecurity industry, security professionals have focused on identifying network vulnerabilities and then implementing solutions to either eliminate or reduce each vulnerability. This is a widely used practice and is generally effective in mitigating cybersecurity risks; however, it results in millions of dollars spent needlessly each year to address vulnerabilities that pose little to no risk.
NIST Security Framework Flaw
The National Institute of Standards and Technology (NIST) developed a security framework that was implemented throughout the Federal Government over the past 10 years. This cybersecurity framework is control driven to address network and security vulnerabilities. Only after staff determine that a control can’t be implemented, either due to excessive cost or other reasons, do they perform a risk assessment to determine if the risk is acceptable to the agency or not. It is only at this last stage that threats are even considered, so how many unnecessary controls were implemented, and at what cost?
Cybersecurity Risk Assessments Are Vital to Information Security
Security professionals understand that the existence of a risk requires a threat/vulnerability pair, meaning there has to be both a threat and a vulnerability for a risk to exist. Nobody would propose spending millions of dollars to protect Las Vegas from the non-existent threat of a hurricane, yet millions are spent each year implementing controls against non-existent cybersecurity threats, simply because the vast majority of the industry focuses on vulnerabilities rather than threats.
Since the cybersecurity industry is the beneficiary of these millions of dollars, it is difficult to expect change to come from within the industry. It unfortunately falls on the shoulders of the customers to insist on a threat-driven rather than vulnerability-driven approach to securing their business.
Performing a security risk assessment at the very beginning of the process, first to identify threats and then to determine risk, is a simple answer. Not only are you focusing on the threats that do exist, and securing accordingly, you are also identifying the risk and the costs associated with each risk. This analysis will determine the extent to which funds should be spent to implement controls to secure against specific types of cyber threats.
Not only will businesses avoid wasting funds on controls against non-existent threats, but a thorough security risk assessment may also determine that acceptance of a specific risk is more cost effective than implementing security controls. It is at this point that the appropriate controls should be put in place and thoroughly tested.
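The reasoning above, as an added worked example that is not part of the original article: a small Python model in which a risk only exists when a present threat is paired with a vulnerability it can exploit, and a control is only recommended when it costs less than the expected loss it removes. The quantitative form used here (annual loss expectancy = single loss expectancy x annual rate of occurrence) is the standard ALE model, not a formula the article states; every threat rate, loss figure and control cost below is constructed for illustration, and the Las Vegas hurricane appears as a threat with a rate of zero.

```python
"""Threat-driven risk assessment: pair threats with vulnerabilities,
then compare control cost against the expected loss the control removes.
All figures are constructed sample values, not data from any real assessment."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    NO_RISK = "no threat/vulnerability pair, nothing to spend on"
    ACCEPT = "accept the risk: control costs more than the loss it removes"
    MITIGATE = "implement the control: cheaper than the loss it removes"


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float  # expected successful occurrences per year (ARO); 0 = threat absent


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exploitable_by: frozenset  # names of threats that can actually exploit this flaw
    single_loss: float  # expected loss per successful attack (SLE), in dollars


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    reduction: float  # fraction of the expected loss the control removes, 0..1


def annual_loss_expectancy(threat: Threat, vuln: Vulnerability) -> float:
    """ALE = SLE x ARO, but only for a real threat/vulnerability pair.
    A vulnerability with no present threat (or a threat that cannot reach
    this flaw) carries no risk, however severe the flaw looks in isolation."""
    if threat.name not in vuln.exploitable_by or threat.annual_rate <= 0:
        return 0.0
    return vuln.single_loss * threat.annual_rate


def decide(threat: Threat, vuln: Vulnerability, control: Control) -> tuple:
    """Return (decision, ale, loss_avoided) for one threat/vulnerability pair."""
    ale = annual_loss_expectancy(threat, vuln)
    if ale == 0.0:
        return Decision.NO_RISK, 0.0, 0.0
    loss_avoided = ale * control.reduction
    if control.annual_cost >= loss_avoided:
        return Decision.ACCEPT, ale, loss_avoided
    return Decision.MITIGATE, ale, loss_avoided


def prioritize(pairs) -> list:
    """Order candidate controls by net annual benefit (loss avoided minus cost),
    highest first, dropping pairs where no risk exists."""
    scored = []
    for threat, vuln, control in pairs:
        decision, ale, avoided = decide(threat, vuln, control)
        if decision is Decision.NO_RISK:
            continue
        scored.append((avoided - control.annual_cost, control.name, decision))
    return sorted(scored, reverse=True)


# Constructed scenario: one absent threat, two present threats.
HURRICANE = Threat("hurricane", annual_rate=0.0)          # not a threat in Las Vegas
PHISHING = Threat("credential phishing", annual_rate=2.0)  # assumed two successes a year
LOST_LAPTOP = Threat("lost laptop", annual_rate=1.0)

NO_MFA = Vulnerability("password-only login", frozenset({"credential phishing"}), 50_000.0)
CLEAR_DISK = Vulnerability("unencrypted laptop disks", frozenset({"lost laptop"}), 5_000.0)
ROOF = Vulnerability("flat roof", frozenset({"hurricane"}), 1_000_000.0)

MFA = Control("multi-factor authentication", annual_cost=20_000.0, reduction=0.9)
FDE = Control("full-disk encryption rollout", annual_cost=8_000.0, reduction=0.95)
STORM_SHUTTERS = Control("storm shutters", annual_cost=100_000.0, reduction=1.0)

SCENARIO = [
    (HURRICANE, ROOF, STORM_SHUTTERS),
    (PHISHING, NO_MFA, MFA),
    (LOST_LAPTOP, CLEAR_DISK, FDE),
]

if __name__ == "__main__":
    for threat, vuln, control in SCENARIO:
        decision, ale, avoided = decide(threat, vuln, control)
        print(f"{threat.name!r} vs {vuln.name!r}: ALE ${ale:,.0f}, "
              f"avoids ${avoided:,.0f} for ${control.annual_cost:,.0f} -> {decision.value}")
    print(prioritize(SCENARIO))
```

The model deliberately evaluates the threat first: the storm shutters never reach a cost comparison because the hurricane row is zeroed out by the threat rate, which is exactly the order of questions the article argues for. The laptop row shows the second point, a control that is cheaper than MFA but still not worth buying because the expected loss it removes is smaller than its cost.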
Focus on Cost-Effective Cybersecurity Solutions
Then begins the ongoing process of continually monitoring and determining threats, updating the risk assessments, and implementing controls as necessary to address the newly identified threats. This work never ends; it is a constant battle against threats to businesses and business systems.
A building with no doors or windows can be very secure, and also useless. In the same sense, a computer system with no access points can also be very secure and quite useless. Security requires balance. The cybersecurity threats are massive and we simply cannot afford to waste the time and money focusing on unnecessary work.
Interested in protecting your organization from potential cyber threats? The following companies provide in-depth cybersecurity risk assessments and cost-effective solutions to prevent future attacks: