Joseph Assaf Turner
Become a CISO Rockstar through Risk Management
Updated: Jun 5, 2018
The Office of Management and Budget (OMB) released its Federal Cybersecurity Risk Determination Report and Action Plan for May 2018. The report’s findings can be described as alarming considering the statistics about the state of cyber security in 96 U.S. government agencies. However serious the report may be, it is a definite beacon of hope as it focuses on a strong remediation plan which, with proper governance, funding and agency cooperation, will boost cyber security to desirable levels.
Although the report found four areas in which the state of cyber security was lacking, another area was initially pointed out as the cause for the other four. This area was risk management (or lack thereof).
Risk management is a science unto itself. Decision makers practice risk management all the time. Risks in all fields are managed: marketing, sales, legal, HR etc. So why is cyber security risk so poorly managed, if at all?
There may be a few answers to this hard question, but arguably the most prominent answer is senior management’s lack of understanding of cyber technology and risk considerations. It’s been my experience that this lack of understanding can mostly be attributed to cyber security professionals’ inability to relate technical terminology to senior management in business terms.
Another issue is that cyber security professionals tend to adopt “single point solutions” to burning problems rather than strategically planning a holistic solution to mitigate the cyber-risk facing the organization.
The reasons for this disconnect depend on who you interview. Cyber security professionals usually claim that the lack of a manageable budget forces them to plan for the short term, while senior management say that they can’t budget any project for which they can’t see a positive Return on Investment (ROI) or at least defined Key Performance Indicators (KPI), which in turn are concepts cyber security professionals don’t usually use.
Finding the Common Denominator
While it is senior management’s ultimate responsibility to keep cyber-risk at an acceptable level, for a Chief Information Security Officer to shine, he or she must work to bridge this gap by finding the easiest way to relate cyber security considerations to senior management. This will allow senior management to understand the CISO and support cyber security projects.
Moreover, it’s been my experience that a constructively challenging management helps the CISO present cyber security projects and budget requests in a way that is much easier to budget and support.
Finding common language helps create communication channels between cyber security and senior management. These channels are extremely important not only for budget and support but also for risk management.
One of the critical first steps for creating any cyber security strategy is assessing the risk emanating from each relevant cyber event and aggregating all risk into a risk-map which helps prioritize mitigation, minimize redundancies and create an efficient workplan targeted at reducing the overall cyber-risk facing the company, rather than addressing local perceived threats.
In short – risk of a certain event equals the impact of the event occurring times the likelihood of that occurrence.
There are many ways to measure both risk and likelihood, but since it’s all educated guesswork, the most effective way I’ve found to represent risk is to measure likelihood of occurrence as a perceived percentage (%) and impact as a nominal figure ($) that compounds all damage, including damage to non-tangible assets.
Risk($) = Likelihood(%) × Impact($)
An example could be that for a certain organization, the likelihood of an employee inputting incorrect data in the main database could be 5% according to knowledge of staff skills and abilities.
The impact of such an event, including customer compensation, developer hours lost, damage to reputation etc. is $100,000.
Using the above equation, Risk($5,000) = Likelihood(5%) × Impact($100,000), so the risk is $5,000. This value can help both to prioritize mitigating this risk over other risks and to determine the largest investment feasible for mitigation (there is no sense in investing $10,000 to mitigate a $5,000 risk).
One note to consider is that risk can’t always be treated on a uniform scale. For instance, low likelihood with catastrophic impact may result in low risk but should be mitigated all the same.
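The risk-map described above can be kept as a small register that applies the equation, ranks the results and flags both caveats (spending more than a risk is worth, and catastrophic impact that a low risk figure would hide). This is an added example, not part of the original article; the catastrophic threshold and every register entry except the article's data-entry case are constructed assumptions.

```python
from dataclasses import dataclass

# Assumption: the impact level treated as catastrophic comes from the
# organization's risk strategy; this dollar figure is a constructed placeholder.
CATASTROPHIC_IMPACT = 5_000_000

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float         # perceived probability of occurrence, 0.0 to 1.0
    impact: int               # total damage in dollars, incl. non-tangible assets
    mitigation_cost: int = 0  # proposed spend on controls, in dollars

    def __post_init__(self):
        if not 0.0 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.name}: likelihood must be between 0 and 1")
        if self.impact < 0 or self.mitigation_cost < 0:
            raise ValueError(f"{self.name}: dollar figures cannot be negative")

    @property
    def value(self) -> float:
        """Risk($) = Likelihood(%) x Impact($)."""
        return round(self.likelihood * self.impact, 2)

    @property
    def catastrophic(self) -> bool:
        return self.impact >= CATASTROPHIC_IMPACT

    @property
    def overspend(self) -> bool:
        # Spending more than the risk is worth makes no sense, except where the
        # impact is catastrophic and the risk is mitigated all the same.
        return not self.catastrophic and self.mitigation_cost > self.value

def risk_map(risks):
    """Order risks for the workplan: catastrophic impact first, then by Risk($)."""
    return sorted(risks, key=lambda r: (not r.catastrophic, -r.value))

# Constructed sample register; the first entry is the article's own example.
REGISTER = [
    Risk("Incorrect data entered in main database", 0.05, 100_000, 10_000),
    Risk("Credential theft through phishing", 0.30, 250_000, 20_000),
    Risk("Loss of primary data centre", 0.001, 20_000_000, 150_000),
    Risk("Lost unencrypted laptop", 0.10, 40_000, 2_000),
]

if __name__ == "__main__":
    for r in risk_map(REGISTER):
        flags = ("CATASTROPHIC " if r.catastrophic else "") + ("OVERSPEND" if r.overspend else "")
        print(f"{r.name:42} ${r.value:>13,.2f}  {flags}")
```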
Managing the Risk
Each perceived risk should be managed in one of four possible approaches:
A low-value risk can be noted and communicated to stakeholders and, if the risk at its current level is low enough according to the company’s risk strategy, it can be accepted and monitored for change.
A common way of managing risk is putting controls (technological, procedural, physical etc.) in place to reduce this risk to an acceptable level.
Some risks are too great, or mitigation is too expensive. In cases like this the company may decide to avoid the risk entirely. An example would be IBM’s recent banning of USB keys from its systems.
Letting another company mitigate a certain risk can sometimes be the best solution. Cyber insurance is an example of transferring the risk to the insuring company for a premium.
The ROI Approach
Risk management should be cost-based for the most part. Even if estimating the cost of damage is difficult and inaccurate, this can put cyber security efforts and programs into a business perspective. Knowing the price tags attached to risks on one hand and to cyber security programs on the other is essential to creating a good long-term cyber security strategy and will make getting senior management support and funding easier.