The future leaders of cybersecurity will be fluent in languages other than technology and will stop using fear to conflate the message of vulnerability versus risk. That’s the message that kicked off this year’s (ISC)2 Security Congress conference.
Donald Freese, deputy assistant director at the FBI, and Brandon Dunlap, managing director at Brightfly, talked about the difference between vulnerability and risk as they relate to leadership. The conflation of these words is problematic because when people get caught up in fear, they start to react to threats with intensity rather than consistency.
The difference between vulnerabilities and risks
The distinction between vulnerabilities and risks is a conversation that is happening not only in Austin, Texas, this week but among many security experts. Last week, I talked with Guy Bejerano, CEO and co-founder of SafeBreach, who commented on the widespread confusion of these terms.
Review of this article
The need for distinction
Vulnerabilities and risks must be distinguished. A vulnerability is essentially a technical aspect: on its own it gives no hint about the consequences for a business or for a larger environment.
A risk is the modelling of every aspect and every impact a vulnerability may have on the stakeholders, the company and its business.
The modelling of a risk
Risks must be modelled so that they can be sorted by importance. A risk model should include an estimate of the cost to the company and its environment, an estimate of the cost to solve it, one or several plans to solve it, and further aspects as needed.
It is very important for an organization to know the risks it has to face. Insurance is one answer to the cost these risks can generate. Lawyers in the right specialities, and contracts, are an answer to the legal issues these risks can raise. And, of course, technical aspects can be managed through compliance with standards, good practices and external audits.
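As an added example (not from the article or from the review), the risk model described above written out in Python: the same technical vulnerability placed in two business contexts becomes two different risks, each carrying an estimated loss, an estimated cost to solve it and its plans, and the list is ranked by expected loss. All asset names, probabilities and amounts are constructed values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vulnerability:
    """A purely technical finding; on its own it says nothing about business impact."""
    ident: str
    description: str


@dataclass
class Risk:
    """A vulnerability placed in its business context (constructed model)."""
    vuln: Vulnerability
    asset: str                 # where the vulnerability sits in the business
    likelihood: float          # estimated probability of exploitation per year (0..1)
    impact_cost: float         # estimated loss to the company if it is exploited
    fix_cost: float            # estimated cost to solve it
    plans: list[str] = field(default_factory=list)  # one or several plans to solve it

    def expected_loss(self) -> float:
        """Expected yearly loss: the number used to sort risks by importance."""
        return self.likelihood * self.impact_cost

    def fix_ratio(self) -> float:
        """Expected loss avoided per unit spent on the fix (higher = better spend)."""
        return self.expected_loss() / self.fix_cost if self.fix_cost > 0 else float("inf")


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Most important (highest expected loss) first."""
    return sorted(risks, key=Risk.expected_loss, reverse=True)


# Constructed sample: one vulnerability on two assets, plus an unrelated finding.
SAME_VULN = Vulnerability("V-1", "outdated TLS library on web server")
SAMPLE_RISKS = [
    Risk(SAME_VULN, "internal test lab", 0.05, 5_000, 500, ["patch at next maintenance window"]),
    Risk(SAME_VULN, "customer payment portal", 0.4, 2_000_000, 20_000,
         ["emergency patch", "review cyber-insurance cover"]),
    Risk(Vulnerability("V-2", "default admin password"), "office printer", 0.3, 10_000, 100,
         ["change the password"]),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.asset:24} {r.vuln.ident}  expected loss {r.expected_loss():>10,.0f}"
              f"  fix ratio {r.fix_ratio():>6.1f}  plans: {'; '.join(r.plans)}")
```

The identical finding V-1 ranks first on the payment portal and last in the test lab, which is the whole point of separating the vulnerability from the risk.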
In cybersecurity, the technical aspects of a risk can be modelled by threat modelling.
In a small company, MyCrypNet can be used as part of an answer in the threat modelling of a network risk.