02 May
8 Considerations in Cybersecurity Risk Management
Cybersecurity risk management boils down to three key factors:
- The probability of an event occurring;
- The severity of impact if that event occurs; and
- Any mitigating factors that can reduce either probability or severity.
That was our takeaway from an excellent panel discussion facilitated by our partners at Cylance, titled Cut Through the Risk Confusion: Shedding Light on Common Security Misperceptions.
Risk management is often confusing because, according to the panel, it’s fraught with subjectivity. Case in point? Senior business leaders – general counsel, CFO and CIO – all have different perceptions of what constitutes risk and what the appropriate controls are.
While the discussion centered on how to eliminate that subjectivity through process, the panelists provided several excellent tips along the way. We’ve articulated those that stood out for us below.
1) Even for professionals, cyber risk management is hard.
Seeing, identifying and understanding the indicators of risk doesn’t come naturally to most people. To illustrate this point, one panelist noted he missed the risk indicators after putting new hardwood stairs in his home.
Despite several complaints from guests that the new stairs were slippery, he only sought a solution after he slipped and broke an ankle, which required surgery. The solution was a $50 roll of anti-slip tape.
This illustrates the purpose of risk management – and the value of a relatively small preventative investment compared to the extensive cost (and pain) for remediation after an event.
2) Include diversity in risk perspective.
A diverse perspective is critical to good risk management in cybersecurity. More importantly, disagreement is not disloyalty. Examining a problem through various viewpoints prevents groupthink and the overconfidence that can lead to loopholes and mistakes.
3) Commission a counterargument.
It’s useful to charge a member, or a team, with the task of arguing the opposite view. This differs from diversity in perspective because the commission is to look intentionally for gaps in an argument or idea.
If the consensus view believes a factor is low-risk, have someone build a case that it’s high-risk and vice versa. The panel referred to this as ensuring a “stratification of dialogue” in order to see all the options and potential impacts.
4) A structured risk management process helps “manage up.”
A structured risk format brings organizational discipline to risk management that’s also useful for managing news-driven risks. The panel called this “Wall Street Journal risk management.”
What does that mean? A board member reads a story about data loss on USB ports and sends the story to the CEO. The CEO, in turn, sends it to the CIO and suddenly the top priority for the risk team is data loss prevention at the network and host level. Consequently, USB ports are shut off, but employees still have access to commercial file sharing sites.
A structured process both allows the team to consider all options and also provides a framework for diplomatically managing senior leader inquiries based on news events. Stories are a powerful and amazing way to communicate, but stories are data points, not data.
5) Some risks only appear more interesting than others.
Any organization that runs real penetration testing is likely to come to the same conclusion: the red team is going to get inside. However, that doesn’t mean the risk a red team finds parallels real-world risk.
One panelist noted, for example, a red team that had dropped a physical device on the network. While interesting, the chances of this really happening were fairly low. This phenomenon can distort the risk perspective, create unnecessary executive concern, and result in a misallocation of finite resources.
6) Just “shutting it off” isn’t always the best solution.
Employees at one company were rather vocal on social media during earnings announcements. This made the executive team nervous for obvious compliance reasons, according to the panelist telling the story. The leadership simply wanted to shut down access to social media sites from the corporate network.
However, in the security team’s assessment, doing so was unlikely to prevent employees from doing the same thing from the guest network or from personal devices. Even worse, this action would limit the company’s ability to monitor the activity; it would still happen, they just wouldn’t see it anymore.
A better solution, or at least one worth considering from a risk management perspective, was to engage employees and shape behavior with training and information.
7) Translate tech speak into business talk.
The cybersecurity space has its fair share of buzzwords the business may not understand. Security teams need to be conscious of this when peers from other functions are involved in security conversations.
One of the panelists recalled a situation where the technical team had found malicious software on a backup drive. The probability of risk was low, but the impact was high, so the conversation was escalated to include other team members from around the business. In the process, it became evident the business wasn’t following the discussion, and so couldn’t contribute to the risk assessment.
The panelist said he quickly came up with an analogy to describe the data-backup problem at hand, to this effect: We’re trying to move people (data) from one point to another. We used a car to pick people up, but we can’t see how many passengers are in the car or how many have arrived safely at the destination.
A good technique is to have a “pre-discussion” before talking to other business peers to ensure the key points are presented at a business, rather than technical level.
8) Examine trends and prepare.
Security professionals are in many ways tasked with forecasting future trends and putting contingency plans in place. For example, it’s not a stretch to predict that ransomware is going to intensify and focus on data destruction.
Understanding this trend, and its cost, will help articulate the business’s options in the event of an incident. The business can refuse to pay the ransom and lose a week or more of revenue while IT works to get systems operational. Or it can have the means to pay the ransom in bitcoin already established in case the business pursues that option – as some businesses are.
Cybersecurity is “amazingly complicated” and the more confident you are of an answer, the more concerned you should feel. A rigorous process of analyzing cyber risks will go a long way toward fulfilling the security goal of business assurance. A complete recording of this panel discussion is available through Cylance at the link provided above.