Why we need to change how we understand cyber risk [Q&A]

Cybersecurity is a high priority for organizations, yet often they're unsure if they're focusing their effort in the right places, and spending too much or too little on protecting themselves.

Robin Oldham, CEO of Cydea, believes current methods of understanding cyber risk are outdated and misrepresent risk and lead to misunderstandings that only promote fear, uncertainty and doubt. We spoke to him to find out what can be done to change this mindset and approach.

BN: Where are security teams struggling in general with risk management?

RO: Security teams are struggling to conduct accurate risk assessments and communicate the results with business and technology colleagues. They find simple questions like 'what is our risk?' difficult to answer meaningfully.

That's because many teams approach risk management in a complex, bottom-up technical manner. This requires collection, analysis and interpretation of a lot of data; physical sites, technology systems, business processes, people, data, and so on. 

These bottom-up methods are hugely labor intensive and out of date before they realize any value. The goal should be to accurately communicate the potential range of outcomes, not attempt to precisely predict the exact outcome.

To this end, we advocate for a top-down view when communicating with executives and the board. This prioritizes using readily available business metrics to model risk scenarios with greater accuracy, rather than greater precision.

There's also a problem with the (lack of proper) tools they use. The vast majority are using Excel. It's not fit for purpose. So many teams end up spending days or weeks managing unwieldy spreadsheets rather than managing risk!

BN: What's wrong with the current methods organizations use to view their business risk?

RO: Current methods often revolve around qualitative methods and a 'five by five' risk matrix.  Not only do they use qualitative terms -- think 'likely' and so on -- that research has shown can be interpreted as anywhere from 30 percent to 80 percent by different people, they also can't be relied upon to accurately communicate if a 'red' risk is worse than an 'amber' one.

We can mathematically prove that many 'business impact tables' result in cells that overlap and corners where the top end of an 'amber' risk may be four times worse than the bottom end of a 'red' risk. And while they are often displayed as regimented, equally sized squares, the reality is that this hides a much more distorted picture. 

In a 4K, ultra high definition world, these risk matrices are the equivalent of watching on a black and white television.

BN: How much of this is down to mindset and legacy thinking? Or are there too many stakeholders involved?

RO: There is no doubt that such approaches are well entrenched. However there's a growing movement to do better. Security teams are waking up (and, frankly, management teams are demanding better) to the limitations of traditional approaches.

I don't think that the problem is having too many stakeholders involved. Rather it's that not enough of the right people are involved!

It's oft-said that 'security needs to engage with the business' and this is especially true when assessing risk. Those involved in generating the organization’s value have the best understanding of potential consequences, and ideas about how to manage them. Business colleagues are a valuable source of insight and ideas.

Moving from bottom-up, tech-driven, to top-down, business-first methods really helps to better engage stakeholders and meet them in their world, rather than expecting them to understand the cyber-world.

BN: How can businesses improve their understanding of business risk -- what new approach is needed?

RO: Cyber risk quantification is an approach that helps address the limitations of traditional techniques. It helps businesses avoid ambiguous terms that can mislead or undermine decision making processes.

You can't add up colors -- 'red + amber + green' equals a brown muddy mess. Adopting a quantified approach provides a way to combine risks and calculate the overall picture. 

By engaging colleagues and thinking in terms of business activities, security teams can get a much better understanding of the business risk, and achieve much faster results.

Security teams need to also make better use of the data that they do have. We think that risk and incidents are two sides of the same coin. A security incident is a risk manifest. So reviewing incidents and near misses gives you a really valuable source of data to validate and refine your assumptions and estimates in your risk assessment. We call this 'closing the loop' and it’s a form of continual improvement.

BN: How can CISOs communicate business risk more effectively to the wider board?

RO: As you may have gathered, we're fans of the 'risk-based approach' that so many others advocate for.

The trick here is to make sure it's top-down, and related back to business metrics, rather than technology and systems.

Security teams can also validate their assumptions by using risks from the risk assessment as scenarios for incident response exercises.

This makes it real for the leadership team -- talking in terms of the disruption to business processes; the potential response costs associated with losing customer data; and so on -- rather than security-lingo. It's easier for them to understand. It's easier to support decision making, justify investment cases, and inform business strategy.

We recently launched Cydea Risk Platform to help with this process.

It's also important to consider the non-profit sector. While fewer than one in three businesses have conducted a cyber risk assessment, for charities it's much worse. That's why we’re so proud to be offering free access to 100 good causes, to help them better understand their cyber risk and get back to the brilliant work they do in our communities.

Image credit: Weerapat Wattanapichayakul/dreamstime.com