To keep pace with the onslaught of new threats, security experts must be nimble and ready to alter their strategies, don multiple hats, or devise an ad-hoc means to counter any impending attack. As part of their continuous improvement efforts, they have to focus on numerous areas for maximum control and often make significant investments in cybersecurity solutions and tools. However, security projects fail when there is limited visibility and a breakdown across critical areas within the organization – in communication, integration, planning, processes, or behavior.
Larry Pfeifer, a cybersecurity veteran with 26 years of industry experience, realized the need to disrupt the status quo and create a collaborative method that focused on securing infrastructure holistically. He valued the concept of crowdsourcing, sharing intelligence, and learning from real-world experience. With these core concepts in mind, Pfeifer founded Consortium Networks. “At Consortium, we connect technology peers and leverage their first-hand experiences to add clarity and ease the frustration of choosing the right products and solutions,” Pfeifer noted.
The company's bedrock solution, Consortium X, is a no-cost information-exchange platform for security professionals. Participants share intelligence on emerging risks, best practices, and the security products they have deployed in their environments, along with those products' overall effectiveness. Consortium X helps IT leaders lower decision risk and quickly and effectively address key cybersecurity issues. Today, the platform is a hub for more than 300 CISOs and IT professionals.
One of the key challenges Consortium X members voiced was a lack of visibility into their overall cybersecurity maturity level, risk profile, and the gaps in their security posture. Tim Murphy, Consortium’s President and CEO, commented, “CISOs are held responsible for helping the C-suite and Board of Directors make informed decisions regarding cybersecurity risk, but it was challenging to expose the overall risk and potential impact to the company in a way that everyone could understand…and measure.”
When human decisions, rather than quantitative metrics and analytics, drive risk decisions, organizations can easily make errors in prioritizing risks and allocating budget. Murphy continued, “Simply put, organizations should be spending most of their resources mitigating risks with the highest potential financial impact.”
With this challenge in mind, the Consortium team designed Metrics that Matter (MTM). Following National Institute of Standards and Technology (NIST) standards as a baseline but mapping to additional industry-standard frameworks, MTM conducts a careful study of an organization’s IT infrastructure and assets and maps the data points to the MITRE ATT&CK knowledge base of security threats to help organizations first understand their level of risk. Then, MTM maps that risk to a specific dollar amount to align risk to quantitative measurement. As a result, the tool provides a clear way to understand gaps in an organization’s security posture, risk score, and potential financial impact.
Automated, Dashboard-Driven Visualizations
MTM follows a simple automated procedure. By understanding an organization’s entire IT infrastructure, the solution will measure the ‘likelihood’ of threats, their financial and regulatory impact, and their probable effects on an enterprise’s reputation. So, it’s not always a breach versus the dollar. “MTM can deep dive into a plethora of different avenues to understand risk factors and present those in a streamlined manner,” adds Pfeifer. Following this, it will create a comprehensive risk impact number and categorize the risk factors under three different sections: red (high), yellow (medium), and green (low). Each of these will be associated with an estimate of the probable aggregated annual loss.
The information is visualized through multiple dashboards that detail spending profiles, control metrics, threat metrics, supply chain risk, peer performance, and more. In addition, there are high-level, board-ready dashboards that aggregate annual potential losses, security program maturity, and high probability risks.
“Quantifying risk is critical to making informed decisions. MTM enables companies to access a full threat matrix—including the map of the entire IT environment, products associated with it, the prevailing security gaps, and the dollar impact all in a way that can be easily exhibited to the board,” Pfeifer noted.
Most notably, MTM is completely free to Consortium X members. “Our founder, Larry Pfeifer, has a truly altruistic vision around cybersecurity. He is passionate about providing tools and peer forums that propagate conversations around risk and threats. The more informed we are as an industry – as a society – the more likely we are to stop threats before they spread, and the better off we all are,” concluded Murphy.