Change Your Cyberscurity Risk Calculation Mindset: Horizon3.AI Executive

"We have limited resources," said Anthony Pillitiere, CTO and co-founder of Horizon3.ai.

Samara Lynn
clock • 2 min read
Change Your Cyberscurity Risk Calculation Mindset: Horizon3.AI Executive

"Why am I wasting my time?" Anthony Pillitiere, CTO and co-founder, Horizon3.ai, said he once asked himself while working in IT operations while analyzing cybersecurity risk. 

"We have limited resources," Pillitiere told the audience during his presentation at the Midsize Enterprise Summit IT Security 2024, hosted by MES Computing parent The Channel Company.

Pillitiere offered ways organizations can tweak their cybersecurity strategy to become more secure and efficient in calculating risk.

Many organizations, he said, have a flawed risk calculation methodology which is "likelihood times impact." He said that thinking is incorrect. 

"The data that we are using to perform that calculation is off," he said. "We look at the CVSS [common vulnerability scoring system] score and that tells us likelihood, but does it really tell us likelihood in the context of our environment?" 

Pillitiere expounded on that thought with an example.

"If I [as a threat actor] land on a printer and I can't get to anything [in the network] there's no value to me as an attacker," he explained. "Is that really valuable for you to fix?" 

Attackers, he said, also have "margins" and want to attack as efficiently as possible. 

"So that was printer A. If I go to printer B and it's connected to a domain controller and it has cached credentials on it and I can dump those credentials, now I can use those credentials somewhere else. Printer B – that changes the likelihood and impact [of a compromise] … What is possible after I get exploitation, what is the impact? What am I actually calculating when I'm calculating this?" he added. 

Organizations tend to calculate risk in less granular ways, Pillitiere said, and not within the context of their environments. 

"How do we be more efficient by calculating risk level?" He urged organizations to adopt an offense-to-inform defense strategy and an offense-to-inform defense philosophy.

That means not having a false sense of security. The worst thing than risk, is risk you were confident was known and you took steps to mitigate. You don't really know your risks unless you are actively taking an offense strategy, he explained.

"If you think about how many different permutations of [security] tools that you have … the average number I believe is like 25 … you don't have enough people to manage and understand the intricacies of all of your security tools. How do you understand if they are doing what they're supposed to be doing if you're not sending an attacker at them to trigger those alerts?" 

Pillitiere said there is no longer any perimeter. Bad actors are coming from the outside and landing on the inside. Prioritizing what is critical to secure is paramount, as is being more efficient in fixing things that are actually going "to move the needle." 

"Otherwise, you're wasting time [on] risk calculation," he said. 

 

You may also like
Access Point: Weekly News Roundup For IT Executives For April 19, 2024

Column

Access Point is a weekly roundup of major tech news for IT executives on the go. This edition covers April 15-19.

clock 04-19-2024 • 2 min read
DataStax Exec Talks About Recent Acquisition That Gives Businesses Powerful AI Capabilities

Artificial Intelligence

DataStax's chief product officer also details how midmarket companies are using the platform

clock 04-19-2024 • 6 min read

MES Midmarket 100 Awards

MES Midmarket 100

The MES Midmarket 100 Awards recognizes vendors that have proven themselves to be forward-thinking technology providers with product and services offerings.

More on Security

Protect AI Releases 'Bug Bounty' Report On This Month's Vulnerabilities

Protect AI Releases 'Bug Bounty' Report On This Month's Vulnerabilities

The vulnerabilities involve tools used to build AI apps

Samara Lynn
clock 04-18-2024 • 6 min read
Trouble Managing Digital Certificate Sprawl? There's A Mid-Market Solution For That

Trouble Managing Digital Certificate Sprawl? There's A Mid-Market Solution For That

More users, more devices, more certificates to manage.

Samara Lynn
clock 04-17-2024 • 2 min read
Experts Warn 2024 Elections Will Be Biggest Cyberattack Targets

Experts Warn 2024 Elections Will Be Biggest Cyberattack Targets

“In the biggest global election year in history, democracy is the primary target of nation-state threat actors," the co-founder of cybersecurity firm Armis says.

Samara Lynn
clock 04-16-2024 • 3 min read