Digital transformation has created remarkable and irreversible growth in the cyber asset landscape. Each business shift towards digital workflows has yielded a steady stream of apps, cloud resources, user accounts, and data that must be protected according to the organization's risk appetite. The growth in cyber assets is not a new trend. What's new is the speed at which businesses are creating new cyber assets.
A cyber asset is a broad term for any digital resource that requires security protection. Research shows the average organization has well over 500 cyber assets for every one human employee, including:
- Devices
- Applications
- Networks
- Data
- User Accounts
Cyber assets are increasingly interconnected to technology, people, and process, for the purpose of being easier and more seamless to use.
Understanding the Size and Scale of the Cyber Asset Landscape
Many organizations accelerated their technology innovation roadmap by several years at the beginning of the COVID-19 pandemic. Businesses launched new technologies for telehealth or self-service virtually overnight to protect human safety, when 18-24 month innovation cycles had been previously typical. Experts anticipate that businesses will continue to compete on the agility and pace of their digital transformation, even as public health conditions normalize.
"Recreating what was normal before the pandemic should not be the organizational goal," cautions a new report from HBR Analytics. "If it is, the organization could fall behind competitors." Competing on speed has accelerated business adoption of nimble, new cloud infrastructures that can scale out rapidly to meet new use cases, new users, and new regions in almost real-time.
Agile digital transformation has changed how businesses architect proprietary technology and security team responsibilities. Faster-moving systems are characterized by a higher number of cyber assets, including assets created entirely by automation, yielding a higher number of cyber assets that exist well outside the knowledge of security teams.
Every Cyber Asset Creates Some Cost
All cyber assets introduce some liability to an organization, whether or not the security team is aware of the existence of the asset. But these liabilities are incredibly difficult to capture using traditional balance sheets or equations for annualized loss expectancy (ALE) or annualized rate of occurrence (ARO).
Consider, for example, a subscription to a business productivity app that costs $120 annually for each user. Perhaps each user subscription yields $240 per year of critical business value, which can be estimated with techniques for asset performance management (APM). Imagine further that the estimated likelihood and impact of a security incident that compromises each user app license is estimated at $60, meaning the business appreciates 25% greater returns in value than the hard and soft costs of subscription fees or security risk.
A traditional balance sheet approach fails to reflect the true liabilities of the application when cyber asset relationships are taken into account. If a threat actor were to gain access to the employee's account through a phishing campaign, the security incident would almost definitely expand beyond a simple account compromise. Most likely, the threat actor would attempt to gain access to the user's other accounts, escalate additional permissions, and reach the organization's most critical and sensitive data assets.
Many cyber assets, such as email accounts or laptops, can appear to have limited security risk when viewed in isolation. When these assets are viewed in terms of direct and indirect relationships their true liabilities are typically much greater and more concerning. A user's videoconferencing login may be just two or three degrees of separation from sensitive assets such as customer health records.
Understanding Cyber Asset Liabilities in an Interconnected Ecosystem
Understanding the direct and indirect relationships between cyber assets is an important first step. Security teams must also work to understand the qualities of these relationships and how they create layers of dependency and control. Understanding complex, layered relationships is not simple, but it's also vitally important for security teams. Underestimating relationships can lead to excessive risk-taking behaviors, which was perhaps most vibrantly illustrated in the perfect storm of dependencies behind the 2007-2008 financial crisis.
No cyber asset exists in true isolation. Instead, every cloud resource, application, and user account is part of a complex web in modern organizations infrastructure that create liabilities and expand the attack surface. The sheer number of cyber assets and their complex relationships can begin to explain why security is so challenging for modern organizations. Business leaders must work with security to better understand the complex ecosystems of cyber assets and how asset relationships impact security risk.