This post further dissects Jane Frankland’s – “7 Insights about managing cyber risk that you can’t afford to miss”.
As always, Jane Frankland presents a great analysis and offers laser focused insights on managing cyber risk in her recent post. After I was done reading, it made sense to rehash my thoughts on cyber risk management based on these insights.
Insight 1 – Compliance as an enabler
As Jane points in this insight – Compliance and security certainly have distinct end goals with some overlap. A slight variation of a similar thought was expressed by Phil Venables in his blog – “Compliance vs. Security“. This post underscores the same fact that – “Good compliance is a useful baseline, but not sufficient to mitigate all risk. Compliance approach can actually foster good security – it is just not enough in all cases.” I’ve echoed a similar sentiment in my publication – compliance should be a byproduct of a robust cybersecurity program.
In summary:
- Compliance and security have two distinct goals but overlapping responsibilities
- A strategy to achieve security by compliance is probably not possible and may not reduce enterprise risk below the risk appetite level. It will surely get you closer espcecially for organizatons under numerous regulations.
- Compliance can be an enabler for risk reduction but probably not sufficient enough. Certainly for smaller organizations with shoe string budgets, compliance could be a stepping stone in their journey to risk reduction.
- Ideal scenario would be to acheive compliance as a result of a comprehensive cybersecurity program. This way overall enterprise risk is reduced to acceptable levels while also adhering to all the regulatory mandates. As Phil alludes that this is the only ideal route, as its impossible to strike a balance between devising a regulation that closely maps to the policies enforced within an organization. Regulations or underlying mandates become obsolote over time and there’s that enforcement ambuigity while enforcing policies.
Insight 2 – Taxonomy
Risk can render into a very abstract element if not defined approprioately on what it means to your organization. A risk taxonomy will assist in providing a better clarity, ask the right questions, arrive at better decisions and most importantly speak the same risk language consistently across the organization. CIA analyst Rob Johnston articulated in that “a carefully prepared taxonomy can become a structure for heightening awareness of analytic biases, sorting available data, identifying information gaps, and stimulating new approaches to the understanding of unfolding events, ultimately increasing the sophistication of analytic judgments.” The OpenGroup has published a risk taxonomy that is based on FAIR which is a good refererence to get you going.
Insight 3 – Calibration
Douglas Hubbard in his seminal book emphasizes that a critical aspect of cyber risk quantification is when we have to rely on cybersecurity experts’ estimation of probability of events, breaches and potential cost. Several methods to uplift this human element of risk anlalysis are suggested. These include training the experts to reduce the anchoring effect, recency bias, provide subjective probabilities that are closer to obeserved reality. Jane’s book IN Security is a great read and covers some of these issues from a unique vantage point.
Calibration of Cybersecurity professionals is a key element of any risk analysis and adequate emphasis is not provided to this area. Hubbard’s reseach indicates that trained and calibrated professionals are in a better state to assess odds of real-life uncertainities than those that aren’t and this is required for accurate cyber risk analysis.
Insight 4 – Methods and Frameworks
Each organization’s culture, threat landscape, and risk appetite is unique and it makes sense to leverage a risk management framework that’s bespoke. As Jane pointed – one size does not fit all, and sometimes a combination of frameworks would uplift the context of risk management to whole another level. For example, FAIR and NIST-CSF complement each other that enables organizations prioritize and manage risk effectively and efficiently.
Insight 5 – Business Risk
Jane’s insight #5 recommends to establish a risk review board that can reduce blind spots and enables to consider and address all risks. The board and the composition of the board play an important role in managing risk. It only gets better if the CISO is part of that dialogue.
Phil Venables suggests to treat cyber/info-security as a first class business risk and acheive it by embedding it into all facets of the business – decision making, technology orchestration and organization reseliency. A faster, timely and accurate breach disclosure is very important as evident from the Uber breach. Gartner defined an Integrate Risk Management (IRM) approach that links enterprise risk management (ERM), operational risk management (ORM) and IT risk management (ITRM). Recently ISACA has published the 2nd edition of the Risk IT Framework that outlines the relationship between enterprise risk and cyber risk. NIST in its NISTIR 8286 recommends integrating Cybersecurity and Enterprise Risk Management (ERM). All these provide ways to make the cybersecurity risk management part of the corporate DNA. Quantitative risk assessment method – FAIR, has been listed as the informative reference catalog in NIST-CSF.
Insight 6 – Culture
Any organizational transformation may succeed due to a number of reasons, but mostly likely cause for it’s failure would be the organization’s people, culture and beliefs. In other words, culture can be a significant business risk. Culture comprises of mutual trust, sharing values and vision with action. For this to materialize, visionary leadership, commitment and people play a vital role. Sometimes its better to start on a clean slate especially if an organization is embarking on a journey to build a culture of risk quantification. This entails getting away from age old risk analysis methods that are a chronic reason for the placebo effect that provide an illusion that these methods are working and a culture that supports it.
All the insights above would be the enablers to groom a risk savvy culture – devise and adopt a risk taxonomy (see 2 above or Jane’s Insight #2), train and calibrate cyber professionals (Insight #3), adopt a framework (such as FAIR) that actually works (Insight #4) to enable the business to make better business decisions and not just Cyber/IT decisions (Insight #5).
Culture warrants a deeper discussion and probably a separate blog post. For now, let’s segue into the final balancing act of risk vs strategy.
Insight 7 – The Balancing Act
For any Cybersecurity program, a well defined strategy that enables business goals and policy that is well orchestrated and enforced are keys to success. A “strategy that enables business goals” is the piece where the effective risk management becomes pivotal. Hence a calculated balancing act between risk and strategy is needed for the organization’s growth and success.
I plan to delve deeper into each of the above insights in future posts.
