With a little help from my friends
“Risk management” is a buzzterm of sorts. It’s also an incredibly important element of running a business. Organizations need to understand the consequences of building a new product or offering a new service, moving into an emerging market, acquiring a company, hiring additional employees in good times or laying off others in bad, changing suppliers, etc. Risk management practices date as far back as the Renaissance period, but modern-day risk management, the version we all know and love/hate today, started taking shape only about 40 years ago when risk managers—mainly focused calculating insurance at the time—started looking for alternatives to insurance policies to manage risk. Cybersecurity is newer still, and while lessons can be learned and adopted from risk managers in other disciplines, risk management for security isn’t something that can only be calculated “on paper.”
If a company wants to build a production facility in or start shipping products to a new market, certain risk factors are calculated, some of which may be classified as “unknown” at the time of the calculation—oil prices, civil unrest, natural disasters, etc. Risk managers use complex formulae to account for uncontrollable and unforeseen scenarios, but in most other business disciplines (save some controversial ones), one thing that doesn’t need to be taken into account is active, intentional attack against the company. With cyber risk, the possibility of a dedicated attack is always a consideration. In today’s threat landscape, on thing is a constant: every company will, at some point, lose or have data stolen as a result of an external threat actor, a careless or disgruntled insider, or system/technology failure. Therefore, risk for security needs to be handled somewhat differently.
What would you do if I sang out of tune?
Security risk management is a complicated practice and should, optimally, be governed by a risk expert with a deep understanding of security. For many companies, though, (especially those not in financial services) department heads are charged with risk management, which means that security experts have to learn about or improve their ability to practice reliable risk management.
Therefore, risk management in security needs to embrace a few critical actions. First, security managers responsible for calculating, communicating, and addressing risk need to begin to get on the same page with the business. If the security department is speaking in a different risk language than the business, security is going to lose, meaning, security will continue to be the FUD-factor, rarely taken seriously, and left out of serious conversations about planning and growth. The fact that security is often currently left out of these conversations and kept at arm’s length from the rest of the executive team should be instigation enough to make those changes now.
Second, and not unrelated to the first point, security risk should be practiced through tabletop exercises and drills. Doing so will allow the security team to think through various scenarios: What happens if ransomware hits and the backups (good for you! You have them so that’s step #1) will take four days to restore? What is the impact on the business? What happens when your security analyst finds customer credit card details on pastebin? Who is involved in the fallout? The cleanup? What are the regulatory, legal, and brand repercussions? Does your cyber insurance (if you have it) kick in? Are there stipulations in the policy that could mean the incident won’t be covered?
Actively working through incident scenarios will help the security team gain a greater understating of its own risk, but it also offers the side benefit of including the business in the process. This, in turn, helps the business better understand what’s involved in a security incident, which in turn helps the security program.
Do you need anybody?
Many unknowns exist in security—that is well known. While the industry is continually improving its awareness and response capabilities, prevention remains a major issue. As a result, because no company is immune from the probability of security incidents, risk management has to play a bigger role and be considered part of security, not a sidebar or something that needs to be done because the CEO requires it. Bringing people together to participate in security roleplaying will ultimately uncover hidden risks or those the security team might have given short shrift. Conversely, something the security team considers a huge risk could very well be downplayed by the business during a tabletop exercise. When these differences of opinion occur, it will be up to the various players to determine how the risk will be handled, but security can’t truly know the discrepancies if security risk management operates in a silo. A number of security “failures” have resulted from security’s reluctance to play nicely in the sandbox with other business units. Risk management is too large a business concern for it to drop into that category. And by the way—the more people educated about and involved in managing the complexities of security, the more support the security program will receive.