Rethinking risk -- are you taking the right path around security?


In the film Sliding Doors, a split-second choice leads to two branching stories -- yet while the two stories are very different, they both lead to hospital trips and potential tragedy. The world of cyber security is similar. Whatever decisions we make, we are still under pressure and we will -- eventually, whatever we do -- end up facing significant risk.
Yet how do we show that we are doing a good job? If everything is working, there is nothing to see. Or have we collectively just been lucky up to that point? Unless you have an active attack taking place, you can argue that your efforts are enough. But when you only look at a single point in time, it is a challenge to show that you are making a difference and reducing risk.
At this point, you might be thinking that the job of the CISO is not for you. But this responsibility should not fall only on your shoulders. Instead, security is a team sport both in the technology department and across the organization.
Making the right plays
From a security perspective, working with other leaders across the business can be a challenge in its own right. Each department will have its own risks and responsibilities, from finance teams that have to manage cash or potential exposure to losses, through to compliance and legal professionals who have to ensure that rules are followed. For each part of the organization, defining “risk” involves different terminology and different goals.
For CISOs, getting over these internal hurdles is the first step to improving operations. This involves getting to a single view of risk that everyone can agree on and understand. To do this, businesses have to think about how much risk any individual problem represents, and how much impact that risk would have if it came to pass. Putting hard figures on these issues is a massive undertaking. It may be one that your team already does with cyber risk quantification, or CRQ. But how many teams actually share that CRQ data with their colleagues across the business?
It’s not that this data would not be valuable across the business -- the CISOs I have spoken to want to share data around hard costs rather than statistics such as mean time to remediate security issues. However, the process for creating and maintaining that data around risk is not currently effective enough for them to use internally, even though many CISOs have developed workflows and processes to try and make this work. For those CISOs, turning this data into something that operationalizes the process around risk is a necessary step that they want to take.
For example, sharing a snapshot of risk data and potential costs is useful, but it is not something that you can use for long term improvement. Instead, they are investing in how they use risk data over time. It’s only by working with other leaders in the business that CISOs can make risk more visible, and something that they can collaborate with the rest of the business to fix. It’s only by putting monetary values against potential risks -- and against the impact that they might have if we do nothing, or not enough to solve the problems -- that we can make effective change.
Over time, this ability to show direct links between risk, operational change and security provides the CISO with the ability to show what good security posture does for the business. In turn, this also supports the CFO in their decisions around cyber insurance and what risks to offload to third parties. And it lets compliance teams push ahead with their investments around regulation, as they too can show the long-term value that follows. As this process becomes less about cyber security and more about business operations, it becomes easier to justify changes and potential investments that are needed.
For one CISO I spoke to, reducing potential risks was the goal for the whole organization. But it took more than just pointing to more patches being deployed to make that argument. Instead, it took a scenario where actions were fully costed -- and where those scenarios could be played out to see their impact -- to create that understanding. Based on the financial impact -- or not -- of that work, the rest of the team could see where the results would benefit their own processes around managing risk too.
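The costed-scenario comparison described here, together with the cyber risk quantification figures mentioned under "Making the right plays", as an added example that is not from the article or from Qualys. Every risk, probability and cost below is a constructed figure, and the expected-loss model (annual probability times impact, with a control that lowers the probability at a yearly cost) is an assumed way of doing the quantification, not the one the article's CISOs necessarily use.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    """One quantified risk: a loss event with a likelihood, an impact and a control."""
    name: str
    annual_probability: float    # chance the loss event occurs in a given year
    impact: float                # loss per event, in currency units
    residual_probability: float  # annual probability once the control is in place
    control_cost: float          # annual cost of running the control

def expected_annual_loss(probability: float, impact: float) -> float:
    """Likelihood times impact: the hard-cost figure to share with the business."""
    return probability * impact

def scenario(risks, apply_controls: bool, years: int) -> dict:
    """Play a scenario forward: total expected loss plus control spend over `years`."""
    loss = spend = 0.0
    for r in risks:
        p = r.residual_probability if apply_controls else r.annual_probability
        loss += expected_annual_loss(p, r.impact) * years
        if apply_controls:
            spend += r.control_cost * years
    return {"expected_loss": loss, "control_spend": spend, "total": loss + spend}

def compare_scenarios(risks, years: int = 3) -> dict:
    """'Do nothing' against 'act on every risk', with the net benefit of acting."""
    do_nothing = scenario(risks, False, years)
    act = scenario(risks, True, years)
    return {"do_nothing": do_nothing, "act": act,
            "net_benefit": do_nothing["total"] - act["total"]}

def rank_controls(risks, years: int = 3) -> list:
    """Net benefit of each control on its own, best first (negative: costs more than it saves)."""
    rows = []
    for r in risks:
        avoided = (expected_annual_loss(r.annual_probability, r.impact)
                   - expected_annual_loss(r.residual_probability, r.impact)) * years
        rows.append((r.name, avoided - r.control_cost * years))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample figures for illustration only; real values come from your own CRQ work.
SAMPLE_RISKS = [
    Risk("unpatched internet-facing server", 0.30, 500_000, 0.05, 40_000),
    Risk("phishing-led credential theft", 0.50, 200_000, 0.20, 25_000),
    Risk("lost laptop without disk encryption", 0.10, 50_000, 0.01, 8_000),
]

if __name__ == "__main__":
    result = compare_scenarios(SAMPLE_RISKS)
    print(f"Do nothing, 3 years: {result['do_nothing']['total']:,.0f}")
    print(f"Act on all, 3 years: {result['act']['total']:,.0f} (net benefit {result['net_benefit']:,.0f})")
    for name, net in rank_controls(SAMPLE_RISKS):
        print(f"  {name}: net {net:,.0f}")
```

The ranking is the part worth showing other leaders: with these constructed numbers the laptop encryption control costs more over three years than the loss it avoids, which is exactly the kind of trade-off the finance and compliance teams can argue about in their own terms.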
Whatever we choose, risk is inevitable. There are too many new threats, too many bad actors, and too many potential issues. But putting a pound, dollar or euro sign against those choices helps the rest of the business see what kinds of decisions we have to make, and how those decisions have to be part of an overall operational framework. That risk operations approach does mean more collaboration and work with other departments. But without that centralized approach to understanding risk, we cannot prove we are taking the best possible path to action.
Matt Middleton-Leal is Managing Director for EMEA North, Qualys.