A “how to” risk presentation at a recent security conference I attended highlighted to me why getting leadership to understand cyber risk continues to be such an issue for security leaders and CISOs. While the presentation itself was excellent, the common approach presented of using an industry security framework as the basis for evaluation of a company’s risks perfectly illustrates why cyber/IT professionals so often fail to get the support they need.
Whether you are using the 108 controls of the NIST CSF or the potentially hundreds of controls from ISO 27002 as the foundation for the assessment, the results consistently fail to address the board’s fundamental question of “why does this matter?” The fact that passwords are changed every 120 days vs every 90 or 60 days, or equally that there is a gap in one of the potentially hundreds of other controls is likely to yield a “so what?” response from leadership as they are unable to rationally evaluate the potential harm that this poses to the business.
Adding to the confusion is the common tendency to pile the results of pen tests, vulnerability scans and audit reports onto the risk register, with the result that risk review meetings end up attempting to prioritize hundreds if not thousands of “risks”, all clamoring for attention and resources. It’s time to stop the madness!
CyberRisk = CyberCrime
I believe the better way to engage leadership is to frame the discussion first in terms of the threats to the business. Threats are those events which pose serious potential harm to the business. For example, the company’s intellectual property (IP) could be stolen by a nation state (espionage), key factories could be destroyed by a hurricane (acts of God), or the company could face large GDPR fines for failing to protect personal information (malfeasance). Once the relevant threats are agreed upon, the discussion can proceed to the control gaps (what I call strategic risks) that would most likely lead to those threats occurring, and from there to what should be done about them.
The specific instances where these strategic risks exist within the enterprise are what I refer to as tactical risks. For example, an obsolete, unpatchable server in production exposes the business to theft (of IP or of sensitive information such as PHI or PFI), extortion (through ransomware), or malfeasance (through failure to comply with contractual obligations such as PCI or laws such as GDPR). The more threats a tactical risk enables, the higher the priority that should be given to correcting it.
This, then, will be the foundation for the model information security program presented by Heuristic Security – what are the likely high-level threats to the business, what strategic risks are most likely to enable these threats to occur, what programs (and in what order) should be initiated to address these risks, and lastly what functions should the security organization be responsible for and how should it be structured and managed.