Time To Speak The Language Of Risk

Uploaded on 2017-04-26 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

Cybersecurity is transitioning from being strictly a technical problem to becoming a risk-based issue. 

The transition is becoming top of mind among cybersecurity professionals, executives, board members, shareholders, analysts and other thought leaders.

According to a survey conducted by Osterman Research, cyber risks were ranked as a top priority for the majority of board members surveyed, alongside other risks such as financial, regulatory, and legal. More than half of board members say IT and security executives will lose their jobs because of failing to provide them with useful, actionable information.

Boards speak the language of risk and are holding security leaders accountable for doing the same, yet many security leaders are struggling to do so.

The Osterman report also reveals more than half (54%) of board members agree or strongly agree that the data presented is too technical.

While in writing, the concept seems straightforward, in actual execution, it can be difficult. The role of the cybersecurity professional was created based on technology-based needs. 

How many DDoS events were blocked? How many vulnerabilities do we need to patch today? Cybersecurity professionals lived and breathed technology; they worked in a silo and were known across the business as the “IT team in the corner office.”

Considering cybersecurity professionals came from this deeply rooted, technology-focused place, shifting to speaking risk is almost like learning a foreign language. So how can they make the transition as smooth and seamless a possible?

Cybersecurity professionals must first learn how to think risk, which begins with defining it. Risk is the potential of loss caused by some event - it is a consequence of the alignment of threats and vulnerabilities against an asset of value.

A threat without a vulnerability or a vulnerability without a threat does not present a risk. For example, an unlocked window is a security vulnerability; but if that window is on the 50th floor of a high rise, it is unlikely that a burglar would scale the building to break in (the threat), and therefore it does not present much of a risk.  

However, if you put the Hope Diamond in that room, the risk is elevated because the diamond’s high value may entice a thief to attempt a threat, albeit a low probability one, but a threat nonetheless.

When assessing their cyber risk, cybersecurity professionals must first focus on identifying the most valued information assets, those that could cause the most damage if compromised, and then apply the risk equation. 

They should look at the threats to their most valued assets, identify associated vulnerabilities, determine the probability of those two meeting, the impact the compromise would have, and apply their cyber-security resources accordingly. 

They should ask themselves:

  • Am I thinking about probabilities and impacts in a structured way to prioritise my activities and resources or am I treating everything equally?
  • Am I thinking about threats, vulnerabilities and impacts in isolation or am I thinking about where they intersect to present a real risk to the business?     
  • Am I reporting business risks to the board together with recommendations that will increase or decrease that risk over time, or am I only presenting recommendations without the context of how they impact the business?

If they think like a true risk professional, speaking the language of risk comes easily. 

When reporting to the board, security professionals should:

  • Paint a picture that highlights the past, present and future state of the company’s cyber-risk, including lessons learned, goals and progress against those goals.
  • Focus on asset value and impact to the business if those assets were compromised.
  • Present the top risks impacting the business, with the top being the intersection between the most likely and the most impactful cyber risks to the company.
  • Show the trend of how these risks have increased/decreased through their organization's actions or lack thereof, ultimately based on the board’s guidance.
  • Show how they expect their proposed actions or lack thereof, will impact these trends.
  • Use specific data points about threats and vulnerabilities that are important supporting information to show the actions that affect the various cyber risks, but make sure these data points are supporting not leading.
  • Use a consistent format from month to month, with metrics that can be continually compared and trended over time for progress.

Security leaders that run around with their hair on fire in constant reactive mode are being left behind. Their goal should be to understand the company’s cyber risks and manage those risks in line with the board's direction and appetites.

To be successful at that, they need to be able to monitor, measure and report those risks, both in support of their operational plans as well as in support of communicating to their board so that they can provide informed guidance and resourcing.

Infosecurity-Magazine

You Might Also Read:

Strategies For A Cyber Security Culture (£):

Your Directors Don’t Understand Cyber Threats Endangering Business (£):

Board-level Cyber Literacy Is Low, Discomfort High:

 

« North Korea More Likely To Launch A Cyber Attack Than A Military Strike
AI Might Be The Ultimate Answer To Cyber Threats »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Frazer-Nash Consultancy

Frazer-Nash Consultancy

Frazer-Nash is a leading engineering, systems and technology company. Areas of expertise include information security and cyber security.

DataVantage

DataVantage

DataVantage data masking and data management software helps you prevent data breaches, pass compliance audits and meet regulatory requirements such as HIPAA and PCI DSS.

SonicWall

SonicWall

SonicWall provide products for network security, access security, email security & encryption.

DXC Technology

DXC Technology

DXC Technology helps global companies run their mission critical systems and operations while modernizing IT, optimizing data architectures, and ensuring security and scalability.

HYPR

HYPR

HYPR Decentralized Authentication minimizes the risk of enterprise data breaches while providing an enhanced user experience for your customers and employees.

Digital Security

Digital Security

Digital Security is an Ecuadorian company specialized in providing comprehensive information security solutions.

Clym

Clym

Clym is the data privacy platform that helps organisations meet their data protection obligations. Cookies, Consent, Requests, Policies and more are all managed in a secure and adaptive application.

JupiterOne

JupiterOne

JupiterOne is the security product that is changing how organizations manage and secure their software defined assets.

Graylog

Graylog

Graylog provides answers to your team’s security, application, and IT infrastructure questions by enabling you to combine, enrich, correlate, query, and visualize all your log data in one place.

North West Cyber Resilience Centre (NWCRC)

North West Cyber Resilience Centre (NWCRC)

The North West Cyber Resilience Centre is a trusted, not-for-profit venture between Greater Manchester Police and Manchester Digital.

Seedcamp

Seedcamp

Seedcamp identify and invest early in world-class founders attacking large and global markets through disruptive technology in areas including AI, cybersecurity, and Fintech.

Collabera Digital

Collabera Digital

Collabera Digital engineer the next generation of solutions that power tech-forward organizations and create an impact on people and communities.

Exiger

Exiger

Exiger is revolutionizing the way corporations, government agencies and banks navigate risk and compliance in their third-parties, supply chains and customers.

OutKept

OutKept

OutKept offers the highest quality phishing simulation campaigns, supported by a community of ethical phishers, to build awareness, and maintain alertness.

Cribl

Cribl

Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy.

Pontiro

Pontiro

At Pontiro, we are enabling a new era of data-sharing. Bridging the gap between protected data and valuable insights through the use of cutting edge Homomorphic Encryption.