Let's Shift From Cyber-Security to Cyber-Risk.

[Posted on Behalf of Steve King, Director, Cybersecurity Advisory Services Information Security Media Group (ISMG)]

A recent McKinsey survey tells us that damaging cyberattacks and an onslaught of suspicious digital communications have made cybersecurity a top concern of the overwhelming majority of responding board members and business leaders.

Their answers suggest and may be evidence that cyber-risk is finally now as important a priority as financial, legal, terrorist and natural disaster risks.

Facing a rising threat level combined with the magnitude of the potential impact and abutted by personal and professional liability issues not covered by conventional D+O insurance, executives are insisting on full transparency around cyber-risk and ways to manage it actively to protect their organizations.

These same survey responses indicate that businesses are investing in additional technological cyber-defense, new internal roles and external advisers, and more sophisticated control systems. But the same survey responses do not indicate any advances toward an effective, integrated approach to cyber-risk management and reporting.

As these executives’ attest, situational risk assessment tools that can monitor in real-time are urgently needed to support fast, fact-based cyber-risk management.

But there aren’t any.

The current state of cybersecurity technology does not address the gap that exists between the custodians of cybersecurity and the C-suite, executives and board members who shoulder a fiduciary responsibility for and now a personal liability to properly manage the risk of cyber-attacks on their business.

Boards and C-suite executives are swamped with reports, including dozens of key performance indicators (KPIs) and key risk indicators (KRIs). But these reports are often poorly structured and contain inconsistent and usually too-high levels of detail. IT and security executives (CISOs) often use manually compiled spreadsheets to report cyber-risk status to their boards and most board members find the reporting off-target and irrelevant to their ability to make traditional risk-based decisions.

In addition, most of today’s reporting fails to convey the implications of risk levels from a business perspective. Board members rate these reports as poorly written and overloaded with acronyms and technical shorthand. The result is an inability to get a sense of the overall risk status of the organization. Most recipients (54% in that McKinsey survey) believe that the risk reports are far too technical.

To compound the problem, varying groups and LOBs within the same organization regularly use different, potentially conflicting information to describe or evaluate the same aspects of cyber risk. In commentary footnotes to the McKinsey survey, one executive noted that he received a report listing an asset as sufficiently protected, but the next day a different department reported the same asset as under threat. His follow-on questions were obviously “which should I believe?” and “what should I do?”

And to complicate the problem of conflicting reporting, the underlying data is captured through historical reporting mechanisms and is out of date and irrelevant to addressing a quickly evolving cyber-threat landscape.

The only way to stop this train is to change the way we “manage” cybersecurity.

Instead of erecting a broad technological shield and continually tweaking it with new “solutions” targeting the latest threat vector, we need to focus on the most likely and most threatening cyber-risk threats and apply tightened controls only on the most critical assets.

The result will be increased precision in both detection and remediation and a reduction in the resources required to chase alerts. In addition, existing resources won’t suffer alert fatigue and instead of trying to head-off every attack vector, we can focus on only those that put high-value assets at risk.

This starts with an accurate overview of the risk landscape and identifying all of the critical assets, the known risks, and all of the potential new risks. This requires C-suite and LOB involvement and participation, because asset identification requires quantified valuation which will in turn give rise to a determination of risk appetite.

If the C-suite and LOB owners refuse to participate, four outcomes are guaranteed:

1.      The business will be breached,

2.      It’s officers and directors will be found both personally and professionally liable for failure to exercise their fiduciary responsibility and will face fines and jail time,

3.      Even if found innocent, officers and directors will spend an enormous amount of money on their defense and their reputations will be significantly damaged in the process,

4.      The CISO will be fired.

For those organizations fortunate enough to be managed by responsible executives, after critical assets have been identified and risk appetite has been determined, the nest step is to evaluate each risk with regard to probability of occurrence and potential impact, including first, secondary and residual exposures for regulatory, reputational, operational, and financial impact.

Based on this initial assessment, risk owners can prioritize areas for mitigation, starting with the most likely scenarios that will have the biggest negative impact, and following that, determine whether the residual risk for each top risk now falls within the parameters of the organization’s risk appetite.

The challenge is that for enlightened organizations who attempt this level of participatory and engaged cyber-risk management, once the assets have been identified and their values quantified and the risks have been evaluated and categorized according to risk appetite, that risk snapshot in time dissolves by the very next day.

New cyber-threats emerge constantly and the defenses that were satisfactory yesterday are no longer able to detect or combat today’s attack vectors. Similarly, the asset values themselves are in constant flux and the information systems upon and through which they run and are processed are in a state of constant change as well.

What is needed is a risk technology platform that can gather risk element data from existing IT Security devices, device log stores, and various other sources to calculate and model quantitative IT risk ,,, in real-time.

Then, when certain thresholds are met, it could fire alerts to both the first responders in tech speak and to LOB owners and C-suite parties in business speak. Because it would prioritize responses to the most critical assets under attack, remediation teams would no longer have to stretch their scarce and expensive resources to try and cover every alert fired by their current SIEM systems and could instead concentrate their remediations only on what matters.

Business owners of the assets under attack would have instant awareness of the threat and a dynamic risk assessment based on real-time probability factored by potential impact.

This capability would eliminate the need for periodic (usually quarterly) manual risk assessment programs which no one wants to do. The ability to model and calculate cyber-risk on the fly, based on actual threats to assets in real-time and to then present the results described in useful and relevant terms consistent with the needs of the risk consumer would revolutionize the way we manage cybersecurity today.

Instead of a static risk assessment that is out of date the day it’s published, LOB owners, C-suite officers and board members would have current analytics tied to risk assessments for each threatened asset and a dynamic assessment of probability and potential impact in monetary terms continuously available and thus would be in indisputable compliance with their fiduciary responsibility to provide informed guidance.

I do a lot of work in sales and marketing performance and one of the unmanageable conflicts inherent in all sales organizations is the lack of symmetry between the revenue and profitability goals of the organization and the compensation plans for the sales reps.

All behavior is incentivized through reward or punishment. If you want your sales team to stop focusing on transactional sales, then you must change your compensation plan to reward a long-term outcome. If, as you say, you want your sales reps to engage with your prospects on the basis of trust, then you must allow sufficient time for that trust to build. Which means you must also eliminate quarterly quota targets. If you want your reps to stop lying to you about pipeline, stop with the pipeline reports.

Equifax was compromised through a vulnerability that was discovered and fixed months before it was exploited at the company. The solution was a simple security patch. But the Equifax business leaders decided the patch was too risky to apply, because even simple patches require people, resources and time to integrate, test and deploy.

And, there is always the risk a patch could take a critical business system offline which of course could mean a loss in revenue and an increase in operating costs. In other words, the real risk as they perceived it was that something might get in the way of their revenue and profit objectives.

Here is where behavioral incentives drive risk at the C-level and why if we continue to ignore cyber-risk in favor of achieving revenue goals, we will continue to embellish and beautify the invitation to cyber-attackers to destroy our businesses. As we noted earlier about cyber-attackers tying their targets to the frequency of cybersecurity notations in 10-K filings, in the future, cyber-attackers might just as well tie their attacks to revenue and profitability trends. If smooth, those may be an indicator that the company is doing nothing about cybersecurity.

Equifax for example, had robust revenue growth while maintaining healthy operating margins for the reporting period between 1Q16 and 1Q17. When a company’s operating margins remain the same for a whole year, it may be the new indicator of a failure to increase investment in cybersecurity and thus, signal an inherent weakness in cyber-defense. Who needs a risk score or a stolen risk assessment?

I am certain that Equifax management chose to pass the risk to the business units. In this overly simplified excuse for corporate management, executives usually allow each business unit to determine what risk is acceptable, which always translates to the risk of not meeting targets versus the risk of applying the right level of security. The agony of missing a bonus is far greater than the relative punishment for unknowingly accommodating the latest security breach.

“I don’t know nothing about no cybersecurity, but I made MY numbers.”

With an approach based on the factors described here, executives can give clear guidance on cyber risk to all levels of the organization and each LOB owner will have all of the data s/he needs to own the risk. But if C-level executives continue to distribute corporate risk to each business unit, and board members continue to condone the practice and abdicate their lawful duty of care, no one will ever be responsible for corporate cyber-risk.

That might be the way we like it now, but it definitely won’t be the way we like it from an Otisville jail cell.

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform