Cover Image for Zero Trust: Quantifying Risk is Key

Zero Trust: Quantifying Risk is Key

09.21.22 | By Ascent

Many companies pursue security measures within Zero Trust because it’s a logical framework for the future of IT. The name Zero Trust can give the impression that organizations eventually will achieve absolute protection against threats. In reality, Zero Trust is not about reaching an end state.

Most organizations will have systems and solutions serving as intermediate steps as they continue to make progress on their cybersecurity milestones. These milestones are key performance indicators of tangible success specific to a business or industry. Many teams face the Zero Trust challenge of setting realistic cybersecurity goals. As a result, many teams aim for goals that are too general which causes them to overlook more realistic threats likely to target their business or industry.

In order to create an effective Zero Trust strategy, milestones should measure progress against probable threats to the business. Setting data-backed milestones upfront along with internal alignment creates a tailored path toward Zero Trust-informed architecture.

Threat vs. risk: Reviving the science

Businesses are affected by a wide range of threats, but when it comes to the valuable resources of an IT team’s time and talent, leadership often wants to ensure their team focuses on the right initiatives. Protecting against general threats without backing up decisions with data can reduce the effectiveness of an IT team’s security project time investment.

Cybersecurity technologists define threat and risk in a specific manner. Both concepts are validated by formulas calculating their degree of severity. Taking a scientific approach to threat analysis empowers organizations to prioritize the most relevant threats to their business and directs their Zero Trust efforts.

Formulas for threat and risk in cybersecurity

Ascent defines the threat equation as:

Capability x Intent = Threat

or C x I = T

Ascent defines the risk equation as:

Threat x Vulnerability x Consequence = Risk

or T x V x C = R

“The problem is the majority of companies don’t determine what their threats actually are, so they have to cast a large blanket of protection, some of which they don’t need.” – Jason Floyd, Chief Innovation Officer at Ascent

Without the ability to harness the abstract concepts of risk and threat to cyber threat intelligence (CTI), IT teams could miss the most probable threat to their business. Reviving the science of threat analysis equips IT teams with the data-backed information to refine their Zero Trust posture.

Risk as a discipline

Over the last 15 years, the definition of risk shifted from a science and art to a broad understanding of a threat actor’s damage potential. At Ascent Solutions, we encourage a deeper understanding of risk. Rooting risk in threat intelligence allows organizations to define pertinent milestones to their Zero Trust journey, leverage their resources effectively by focusing on relevant threats, and protect their organization against cybersecurity threats.

Addressing an organization’s risk register early on through risk analysis, alert triaging, or threat intel only enhances security posture. This is the approach we help our customers take at Ascent Solutions. We detect risks and predict threats by performing threat assessment rooted in data, developing a tailored roadmap guiding teams toward applicable security advancements.

How to start protecting against probable threats

Doing the research to conduct a proper risk analysis is a complex undertaking, which is why many organizations choose to partner with cybersecurity specialists for their deep technical expertise. Managed Services Providers help companies reduce blockers and take meaningful steps forward in their security journey. To begin exploring probable risks, your organization can:

  1. Facilitate critical discussions with key decision-makers.

Gather your team for a deep discussion on risks to your business and industry. Ask questions such as, Does the headlining threat actor my board would like to protect against normally target my industry? or What types of breaches do similar companies usually experience?

  1. Partner with a Managed Security Services Provider to accelerate progress.

Deep security knowledge gives cybersecurity professionals the expertise to document and analyze threat actors. We work with internal teams or Managed Security Service Providers (MSSPs) to use data to tell us what probable versus theoretical threats may target a company. The intel we collect helps customers make educated decisions for cybersecurity, whether that’s wide-ranging, such as MITRE ATT&CK, or specific to a network, such as SOC alerts.

  1. Present decision-makers with data to drive security investment.

Once teams are equipped with information on relevant threats to their business, and they are aligned internally on key milestones indicating success along the Zero Trust journey, then they are prepared with the concrete information needed to communicate the strategy with decision-makers. Grounding Zero Trust progress in milestones the team agrees on upfront helps everyone adhere to the plan.

These three steps require critical thinking and collaboration internally to build a more secure environment. Companies pursuing Zero Trust often stall because the upfront planning does not align with their business needs. In other words, they’re missing protection against probable threats in favor of protection against potential ones. Conducting a proper threat assessment and mapping threats back to Zero Trust architecture decisions helps teams realize meaningful progress over time — and partnering with a Managed Services Provider can accelerate that progress.

Define your Zero Trust strategy with data

Partnering with Ascent Solutions to define a Zero Trust roadmap means our research is rooted in the value of hard-science risk analysis, alert triaging, and threat intel. We use these tactics to help security leaders define the most effective next steps to take within their Zero Trust journeys.

Learn other common blockers IT leaders face on their Zero Trust journey by reading our white paper, Navigating 6 Real-World Blockers to Accelerate Your Zero Trust Journey or email with specific questions.

Share this Post
Whether you’re starting your cybersecurity journey or you’re improving your security posture, our team is passionate about protecting your people and business.
Right-sized Security: Choosing Managed Services for Your Business

April 17, 2024 – Managed security is cost effective, but sometimes the range of services offered feels overwhelming. Read on for a right-sized approach.

Enable Secure, Compliant, and Responsible AI Adoption

March 16, 2024 – Microsoft Copilot for Security is at the forefront of a Gen AI-driven revolution in cybersecurity. Here’s what to consider before adopting:

3 Questions to Ask Before Consolidating Your Security Stack

March 26, 2024 – Security teams can improve the economics of their security strategy in two ways: tool costs and employee time. Platform consolidation addresses both.