Recently we teamed up with the research firm Aberdeen Group to host a webinar discussing the obstacles email security currently faces, as well as solutions that combine advanced technology with human intelligence. In part two of a guest post series, Derek Brink, CISSP, vice president and research fellow at Aberdeen Group, argues why effective email security truly matters in today’s cybersecurity landscape.
Part one of Brink’s guest post series can be found here.
--
Yes, email security really matters.
At least, that would be my own assessment of the answer to this question. It’s really a question about the risk related to email security — and that means that the answer has to be framed in terms of both how likely it is for an undesirable outcome related to email security to happen in a given period of time, and how much business impact it could have if it does in fact occur. That’s just the proper definition of risk.
If we’re not talking about email security in terms of both how likely and how much business impact, we’re not really talking about risk. Too much of the time, IT and Security professionals tend to focus intensely on the technology-oriented details of “who, what, and how” regarding the latest threats, vulnerabilities, and exploits. The senior leadership team, however, is primarily interested in the business-oriented details of “how likely,” and “why it matters.”
The actual question is: Is the current risk related to email security unacceptably high? If yes, then the reason email security matters is that it can help to reduce the risk to an acceptable level.
This is the point where most IT and Security professionals — along with most solution providers, and even most analysts — tend to start sharing statistics. For example:
Statistics like these are interesting, but they aren’t very effective at all in communicating risk properly — that is, in terms of both “how likely” and “how much impact.”
If phishing email attacks are highly likely but rarely successful, the current level of risk may be acceptable. If successful phishing attacks are fairly common but the business impact of a data breach is relatively small, better email security may not really matter.
In my day job at Aberdeen, I continue to make use of the growing body of empirical data regarding the likelihood and business impact of phishing email attacks to make a quantitative estimate of the risk, as risk is properly defined — i.e., not as a misleading, falsely precise, single-point estimate, but as a range of possible outcomes and their associated likelihoods.
In a quantitative analysis of this nature, several factors (e.g., click rates, likelihood of a data breach, total cost of a data breach) vary based on industry. Across the private sector as a whole (all industries), for an organization with 1,000 users and an information asset of 10M records, a straightforward Monte Carlo analysis shows that under the current approach to email security:
The latter figure is the “long tail” aspect of the risk of phishing email attacks that is so important for IT and Security professionals to communicate effectively to the senior leadership team, to help them make a well-informed business decision regarding what to do about it.
To the extent that the senior leadership team finds this level of risk to be unacceptably high, this kind of quantitative analysis also explains — in straightforward business terms — why more effective email security really matters.
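To make the range-of-outcomes idea concrete, here is a small Monte Carlo simulation in Python. It is an added illustration, not Aberdeen’s model or data: the 1,000 users and 10M records come from the text, while every input range (phishing volume, click rate, breach probability per click, records exposed, cost per record) is a constructed placeholder to be replaced with an organization’s own figures.

```python
import math
import random

# Constructed planning assumptions for this worked example (not Aberdeen's figures).
# Each range is (low, mode, high) for a triangular distribution.
USERS = 1_000
RECORDS = 10_000_000
PHISH_PER_USER_PER_YEAR = (5, 20, 60)          # phishing emails reaching each inbox
CLICK_RATE = (0.01, 0.04, 0.12)                # fraction of phishing emails clicked
BREACH_PER_CLICK = (0.00001, 0.0001, 0.001)    # chance that one click leads to a breach
RECORDS_EXPOSED = (0.0001, 0.01, 0.5)          # fraction of the 10M records exposed
COST_PER_RECORD = (20.0, 60.0, 200.0)          # USD per exposed record


def draw(rng, low_mode_high):
    low, mode, high = low_mode_high
    return rng.triangular(low, high, mode)     # random.triangular(low, high, mode)


def poisson(rng, lam):
    """Knuth's method; adequate for the small annual breach rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def one_year(rng):
    """Simulate one year: total USD loss from phishing-driven data breaches."""
    clicks = USERS * draw(rng, PHISH_PER_USER_PER_YEAR) * draw(rng, CLICK_RATE)
    breaches = poisson(rng, clicks * draw(rng, BREACH_PER_CLICK))
    return sum(RECORDS * draw(rng, RECORDS_EXPOSED) * draw(rng, COST_PER_RECORD)
               for _ in range(breaches))


def risk_profile(trials=10_000, seed=1):
    """Report the loss distribution as percentiles, not a single-point estimate."""
    rng = random.Random(seed)
    losses = sorted(one_year(rng) for _ in range(trials))

    def pct(q):
        return losses[min(trials - 1, int(q * trials))]

    return {
        "p_any_loss": sum(1 for x in losses if x > 0) / trials,  # "how likely"
        "p50": pct(0.50), "p90": pct(0.90), "p99": pct(0.99),   # p99 = the long tail
        "mean": sum(losses) / trials,
    }


if __name__ == "__main__":
    for name, value in risk_profile().items():
        print(f"{name:>11}: {value:,.2f}")
```

The p99 figure is the long-tail outcome the post says leadership needs to hear; rerunning with tighter click-rate and breach ranges shows how a control changes the whole distribution rather than one number.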
It also helps to explain why the deployment of an advanced email security solution, from a specialist service provider such as IRONSCALES, is worth the incremental investment.
Derek E. Brink, CISSP, is a vice president and research fellow at Aberdeen Group based in Boston, where he covers all aspects of cyber security and IT GRC. He is also adjunct faculty at Harvard University and Brandeis University, where he teaches graduate-level courses on cyber security risk.