
Cybersecurity Posture Scoring vs Risk Scoring

Cybersecurity Scoring Blog Series

This is the second post in a three-part blog series designed to help your organization understand and make use of its own cybersecurity posture score. Over the course of the series, we present the concept of cybersecurity posture along with a framework and an approach for calculating your overall posture score.

  1. Introduction to CyberPosture Scoring
  2. Cybersecurity Posture Scoring vs Risk Scoring
  3. Using a Security Framework to Measure Your CyberPosture Score

Comparing Cybersecurity Posture Scoring to Cybersecurity Risk Scoring

When building a cybersecurity program to defend your digital assets, the plan should be developed by assessing three critical aspects:

  • Step One: What assets are you trying to protect?

Identifying the systems, applications, data, business processes and end-users that need to be protected

  • Step Two: What are the risks?

Determining through cyber risk scoring which assets are left open to cyber-attacks, and the impact of each system going offline and/or leaking data

  • Step Three: How well are you protected?

Documenting the controls in place to protect the assets and the strength of those controls by using CyberPosture scoring

Many security-mature businesses adequately address Step One, identifying the assets to be protected. And a variety of methods and tools have been around a long time for Step Two, determining the risks. But in our discussions with clients, we find that many have not taken that important Step Three, finding out just how well they are protecting the things that matter to the business by using posture scoring. 

An Overview of Risk Scoring

An important part of going through all three steps is understanding how CyberPosture scoring compares to cyber risk scoring. When conducting cyber risk scoring, you analyze what could go wrong. You first take an inventory of your systems, applications, data, business processes, and end users (Step One) and the role each plays in running the business. Then you assess their weaknesses and vulnerabilities:

  • What systems can be hacked and taken offline?
  • What data can be stolen, leaked or changed?
  • Can private information or intellectual property be lost or stolen?

Risk scoring combines the extent of the weakness and the value of the asset. Asset value is assessed against the CIA triad (confidentiality, integrity, and availability): what the business loses if the asset's data is disclosed, if its data is altered, or if the asset is taken offline. Assets that play a critical role in running the business and lack sufficient cybersecurity mechanisms will score as high risk. Those that aren't mission-critical, and those with few weaknesses and/or limited exposure, will score as low risk.

Using a scoring system for each asset, which may be as simple as Red-Yellow-Green or as granular as a scale of 1-100, allows IT to prioritize which risks to address first. By having a risk scoring method and system, IT can also more easily communicate the overall level of risk for assets to business leaders. This is particularly important when additional resources need to be purchased to address those risks.

Risk Scoring Leads to Posture Scoring

The risk scoring process then drives the compensating security controls that will be deployed to address the vulnerabilities and weaknesses, to reduce their exposure, and to ultimately mitigate the risks. These may be a combination of hardware and software systems as well as corporate policies that govern end-user activities when utilizing company devices. It could even include end-user awareness training to minimize the impact humans can have on the systems, data, and surrounding processes.

After the compensating policies and controls are in place, cybersecurity posture scoring comes into play to determine how strong those controls are at mitigating the risks. It is essentially a reassessment of the IT environment: for each asset, which of the expected controls are actually present, and how well each one performs against the threats the risk assessment identified. As with risk scoring, posture scoring can be based on a three-color scheme or a wide-ranging numbered scale.

The leading cybersecurity posture platforms generate results that are comprehensible to personnel with minimal cybersecurity training. The results represent the strengths of the compensating controls in order to adequately drive prioritized action plans for upgrading or replacing inadequate controls.

The scoring results are based on industry-standard cybersecurity frameworks. In addition, they incorporate all the risk signals that an organization is aware of and then compare those risks to the controls in place to mitigate the risks.

Cybersecurity posture scoring can also be integrated with other security management applications. This makes it possible to incorporate risk signals added in the future to ensure your security controls keep pace with new threats.

An On-Going Scoring Process

As your cybersecurity posture score increases, your residual cybersecurity risk score will decrease. Note that controls do not change the value of an asset or the impact of losing it; what they reduce is the exposure that remains once they are in place, so a high-value asset keeps a high inherent risk even when its residual risk is low. Ideally, you want to find a balance of controls that justifies the investment in hardware and software and returns the required digital-asset protection value. The two-pronged risk/posture scoring process also needs to be conducted on a recurring basis: new business processes are introduced, creating more exposure, and new cyber threats emerge, creating new risks that current controls cannot mitigate.
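The following is an added worked example, not Cavirin's scoring method and not code from the original post. It implements the two-step model described above in a small Python script: an inherent risk score per asset from exposure and worst-case CIA impact, a posture score from the strength of the controls expected for that asset, a residual risk score that falls as posture rises, and a Red-Yellow-Green banding so the result can be communicated to the business. The 1-5 impact and exposure scales, the 0-100 control-strength scale, the list of expected controls, the banding thresholds, and the three sample assets are all assumptions made for the example.

```python
"""Toy risk-scoring and posture-scoring model (illustrative example).

Not Cavirin's scoring method; scales, weights, control names and the sample
assets below are assumptions chosen for this example.
"""
from dataclasses import dataclass, field, replace

# Assumed scales: CIA impact and exposure run 1 (negligible) to 5 (severe);
# control strength runs 0 (absent) to 100 (fully effective).


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int   # business impact if the asset's data is disclosed
    integrity: int         # business impact if the asset's data is altered
    availability: int      # business impact if the asset goes offline
    exposure: int          # how open the asset is to attack (weakness + reachability)
    controls: dict = field(default_factory=dict)  # control name -> strength (0-100)


# Controls the program expects every asset to have; a missing control scores 0.
EXPECTED_CONTROLS = ("encryption-at-rest", "mfa", "patching", "backup")


def impact(asset: Asset) -> int:
    """Worst-case business impact across the CIA triad (1-5)."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def risk_score(asset: Asset) -> int:
    """Inherent risk on a 1-100 scale: exposure x impact (max 25), scaled by 4."""
    return asset.exposure * impact(asset) * 4


def posture_score(asset: Asset, expected=EXPECTED_CONTROLS) -> int:
    """Posture on a 0-100 scale: mean strength of the expected controls."""
    return sum(asset.controls.get(c, 0) for c in expected) // len(expected)


def residual_risk(asset: Asset, expected=EXPECTED_CONTROLS) -> int:
    """Risk left after controls: inherent risk reduced in proportion to posture."""
    return risk_score(asset) * (100 - posture_score(asset, expected)) // 100


def band(score: int) -> str:
    """Collapse a 1-100 score onto Red-Yellow-Green (thresholds are assumptions)."""
    if score >= 60:
        return "Red"
    if score >= 30:
        return "Yellow"
    return "Green"


def prioritize(assets, expected=EXPECTED_CONTROLS):
    """Rows of (name, inherent, posture, residual, band), highest residual first."""
    rows = []
    for a in assets:
        res = residual_risk(a, expected)
        rows.append((a.name, risk_score(a), posture_score(a, expected), res, band(res)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def with_control(asset: Asset, name: str, strength: int) -> Asset:
    """Return a copy of the asset after deploying or upgrading one control,
    so the environment can be re-scored (the reassessment step)."""
    return replace(asset, controls={**asset.controls, name: strength})


# Constructed sample inventory for the example; these are not real systems.
INVENTORY = [
    Asset("customer-db", 5, 5, 4, exposure=4,
          controls={"encryption-at-rest": 90, "patching": 70, "backup": 80}),  # no MFA
    Asset("public-web", 2, 4, 5, exposure=5,
          controls={"encryption-at-rest": 50, "mfa": 90, "patching": 40, "backup": 70}),
    Asset("intranet-wiki", 2, 2, 2, exposure=2,
          controls={"mfa": 70, "patching": 80, "backup": 50}),
]

if __name__ == "__main__":
    for name, inherent, posture, residual, colour in prioritize(INVENTORY):
        print(f"{name:14} inherent={inherent:3} posture={posture:3} residual={residual:3} {colour}")
    # Re-score the customer database after adding MFA: posture rises, residual risk falls.
    db = with_control(INVENTORY[0], "mfa", 90)
    print(f"customer-db with MFA: posture={posture_score(db)} residual={residual_risk(db)} {band(residual_risk(db))}")
```

Run as a script, the inventory comes out in priority order: public-web (inherent 100, posture 62, residual 38, Yellow) ahead of customer-db (inherent 80, posture 60, residual 32, Yellow), with intranet-wiki (residual 8, Green) last. Adding MFA to customer-db lifts its posture score to 82 and drops its residual risk to 14 (Green) while its inherent risk stays at 80, which is the relationship the paragraph above describes: controls reduce the risk that remains, not the value of what is protected.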

In the final post of the series, we present the basic elements of a posture scoring framework, how cybersecurity posture scoring works, and how to get started with scoring your cybersecurity posture, including what you need to do to prepare before you can start scoring.

Download our whitepaper on the topic: Your CyberPosture Score.

© 2019 Cavirin Systems, Inc. All rights reserved.