Monaco Risk develops decision-support software and provides services to help security, risk and compliance teams allocate cybersecurity control budgets to optimize cyber posture, justify budgets, and meet compliance requirements, which often seem like conflicting goals.
Monaco Risk’s Cyber Control Simulator (CCS) software models an organization’s current and projected mix of controls in the context of the risks of most concern to the organization's leadership team. CCS injects a degree of objectivity, repeatability, and documentation into this decision-making process.
We use decision-centric risk analysis to connect business objectives and concerns directly to the technical and organizational elements that constitute an organization's cyber posture – that is, the controls.
The Monaco team brings decades of experience in cybersecurity and IT, quantitative risk analysis and management, and statistical modeling to the growing challenge of cyber risk.
Cyber Risk Management Requires Control Analytics
Cybersecurity risk management is primarily about mitigation. Cyber risks generally cannot be avoided.
While some cyber risk can be transferred via insurance, underwriters now require evidence of mitigation because of skyrocketing losses from ransomware payouts.
Controls, defined broadly as policies, procedures, safeguards, countermeasures, training, and culture, are the tools of risk mitigation.
Given the complexity and range of available controls, optimizing the selection process depends on:
scoping by the top risks of concern to leadership,
using attack-path control analytics, which combine information about individual control effectiveness and attack paths to calculate each control’s contribution to overall cyber posture, and
modeling how controls’ contributions to cyber posture affect business risk reduction.
Showing the probable severities of the top risks expressed in dollars and the degree to which alternative controls reduce these severities enables leadership to participate in the decision-making process for allocating cyber budgets.
Thus, effective cybersecurity strategy, tactics, and ultimately organizational resilience, turn on control investment decision-making.
Four Principles of the Monaco Risk Approach
Attack Techniques & Attack Paths.
Cyber loss events do not happen due to a single successful attack technique or a single weak, misconfigured, or missing control. Attackers must execute a series of techniques to achieve their goals. Furthermore, there are hundreds to thousands of attack paths into and through an organization. Therefore, defenders have multiple opportunities to detect and block an attack.
Control Effectiveness & Contribution to Risk Reduction.
Evaluating individual control effectiveness in isolation is necessary but not sufficient. A control that tests as highly effective on its own may still contribute little to risk reduction once deployed, for example because other strong controls already cover the same attack path.
You have discretion when selecting controls to meet compliance requirements. Therefore, you can select lower-cost controls that satisfy compliance but contribute little to risk reduction, conserving budget for controls whose contributions to risk reduction are high.
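The two principles above (multiple steps per attack path, and marginal rather than isolated control contribution) can be made concrete with a small attack-path model. This is an added illustration, not Monaco Risk's CCS software or its method; the control effectiveness values, the two attack paths, the $5M severity and the weakest-path assumption are all constructed for the example.

```python
from typing import Dict, List, Set

# Constructed control effectiveness: probability that the control stops an
# attacker at the step where it is deployed. Illustrative values only.
CONTROLS: Dict[str, float] = {
    "email_filter": 0.7,
    "phish_training": 0.5,
    "mfa": 0.9,
    "edr": 0.8,
    "patching": 0.6,
}

# Constructed attack paths: an ordered list of steps, each step naming the
# controls that get a chance to block the attacker at that step.
PATHS: Dict[str, List[List[str]]] = {
    "phishing->credentials->lateral": [["email_filter", "phish_training"], ["mfa"], ["edr"]],
    "exposed_service->lateral": [["patching"], ["edr"]],
}


def path_success(steps: List[List[str]], controls: Dict[str, float], deployed: Set[str]) -> float:
    """Probability the attacker completes every step of one path.
    Each deployed control on a step is an independent chance to stop the attack."""
    p = 1.0
    for step in steps:
        for name in step:
            if name in deployed:
                p *= 1.0 - controls[name]
    return p


def exposure(paths: Dict[str, List[List[str]]], controls: Dict[str, float], deployed: Set[str]) -> float:
    """Posture metric (assumption): the attacker takes the weakest path, so
    exposure is the highest success probability across all paths."""
    return max(path_success(steps, controls, deployed) for steps in paths.values())


def control_contributions(paths, controls, deployed: Set[str]) -> Dict[str, float]:
    """Marginal contribution of each deployed control: how much exposure would
    rise if that single control were removed with everything else in place."""
    base = exposure(paths, controls, deployed)
    return {c: exposure(paths, controls, deployed - {c}) - base for c in sorted(deployed)}


def expected_loss(paths, controls, deployed: Set[str], severity_usd: float) -> float:
    """Exposure expressed in dollars: weakest-path success probability x severity."""
    return exposure(paths, controls, deployed) * severity_usd


if __name__ == "__main__":
    deployed = set(CONTROLS)
    print(f"exposure={exposure(PATHS, CONTROLS, deployed):.3f}  "
          f"expected loss=${expected_loss(PATHS, CONTROLS, deployed, 5_000_000):,.0f}")
    for name, delta in control_contributions(PATHS, CONTROLS, deployed).items():
        print(f"{name:15s} effectiveness={CONTROLS[name]:.1f} contribution={delta:.3f}")
```

With these numbers, `mfa` and `phish_training` show zero contribution despite high stand-alone effectiveness, because the phishing path is already far stronger than the exposed-service path, while `edr` and `patching` dominate because they sit on the weakest path.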
Technical metrics & risk in dollars.
Business leaders are not interested in technical metrics such as how many vulnerabilities were patched last month. To make cyber risk meaningful to business leaders, and to help them understand the value of increasing the cybersecurity budget, the impact of cyber incidents must be expressed in dollars, just like the other risks business leaders manage.