
Do techies really understand cyber risk?

I have to ask this question after reading two recent papers. The first is from an organization that positions itself as not only an expert in cyber but one that offers related consulting services and solutions.


Practical Guide to Measuring Cyber Resiliency and Effectiveness was published by Lockheed Martin earlier this year.

The authors suggest a seven step process for establishing “an effective, sustainable computer network defense program”.

While the piece has some value, I have some major issues with it.

Let’s start with the fact that cyber is a business issue, not just an IT one. Yet, the only people on the recommended team are techies. In fact, they recommend a team of three “highly-skilled Technical Leads and Cyber Analysts with experience in Threat Monitoring, Incident Response, Cyber Threat Intelligence, Malware Analysis, and Computer Forensics, DevOps, Analytics, and general cybersecurity and IT skills”.

Nowhere is there any mention of the need to involve business personnel.

In my presentations and courses, I often talk about this hypothetical situation.

Imagine that we are in a conference room and hear a loud BANG from outside. We run to the window and see that a large safe has landed in the middle of the parking lot. Security guards rush to surround it. They string barbed wire around the safe, with bright lights and 24-hour monitors.

But then an executive appears and tells a guard to open the safe.

It’s empty.

The executive looks around and spots a wicker basket against the fence, close to an exit from the lot.

He strolls over and sees the crown jewels wrapped in tissue paper in the basket.

The point is that you protect what needs to be protected.

You need to know what assets are at risk before setting up a cyber program or any other form of controls and security.

Yet, the paper does not mention any form of risk assessment.

The risk from cyber is not the technology or network; it is the effect on the achievement of a business objective.

I have additional issues with the paper.

  • The analysis assumes that all attacks can be detected. This is a huge assumption and not credible in my view
  • There is no mention of risks introduced by mobile or cloud applications and services
  • There is no discussion of threats to the organization through attacks on the extended enterprise. Many organizations have outsourced services to a third party; those services may be at risk. In addition, many attacks are on our partners in the extended enterprise; once an intruder has gained access to a partner, they may be able to access our network and systems. Finally, many intruders are attacking employees’ personal devices and systems – and could gain access that way
  • The issue of educating the organization to be security-conscious (such as avoiding clicking on links or attachments that introduce malware or using better passwords) is ignored. In fact, the use of non-simple passwords is totally absent.

I am afraid I find this paper quite lacking from a business perspective.

Now, perhaps all my points are discussed by this vendor in different publications – but that is not apparent from this piece.


The second paper is The Cyber Threat Risk – Oversight Guidance for CEOs and Boards. It has a foreword by Sameer Bhalotra, Former White House Senior Director for Cybersecurity, so I was expecting a better paper than the Lockheed Martin one – especially as it is targeted at CEOs and board members.

But, the same criticisms apply.

There is no business risk assessment, there is no mention of mobile or the cloud, a security-conscious culture is absent, and the extended enterprise is ignored.

It does have some better content, including:

  • a description of the problem we face
  • an emphasis on detection as well as prevention
  • a discussion of mean-time-to-detect and mean-time-to-respond


Most of the techies I know understand all my concerns. But I have to ask the question when so-called cyber experts write and share papers like these.

I welcome your thoughts.


  1. Sidney Gale
    August 20, 2016 at 3:33 PM

    I agree with your concerns.
    War is too important to be left to generals, for they are the last to die.
    Medicine is too important to be left to doctors, for they do not suffer the consequences.
    Cyber security is too important to be left to techies, because they too often have little concept of what lies beyond cyberspace in that freaky domain we call ‘the real world’.

    I have been in accounting and auditing for 47 years now, practically since the beginning of the information age in business. Security has always been the stepchild of the IT budget. And that can be traced to two causes:
    – the techies, like generals, want to spend on the ‘next big thing’.
    – Executive management and boards are clueless as to risk, and don’t oversee the priorities of IT spending from an informed business perspective.

    This has always been, and may always be, but it is the heart of the problem.

    It is solvable, if we choose to.

  2. Channin Gladden
    August 20, 2016 at 6:49 PM

    I agree with your points. I would like to see more organizations move Cyber-security out of IT and into almost any other area of the organization. I would add that if it stays in IT, we need more cyber practitioners – people who see security as a means rather than an end.

  3. August 21, 2016 at 11:12 AM

    Norman, couldn’t agree more! Looking at the jargon-laden sign-on web pages (I didn’t bother – life is too short and I’ve doors to paint) didn’t inspire me. I find it horrifying that consultants don’t use plain English – they are almost acting like the emperor with no clothes.
    The impression that such papers give is that cyber risk is something special. It’s no more special than a fire destroying the company’s only factory. Further, IT risks aren’t necessarily identified as part of an IT risk assessment. For example, the risk analysis of a retail store should highlight the risks arising from hacking into the company’s network via the store’s server. (Why is the server in the staff restroom with the administration password written on the side of it?).
    IT risks will never be properly addressed while they are put on a pedestal and not considered alongside other risks. That doesn’t mean techies aren’t necessary – they are, but only in the same way that they are necessary to highlight risks in a chemical plant, hospital or transport company.

  4. Sidney Gale
    August 21, 2016 at 11:51 AM

    There is another precedent for the current fascination / obsession with cyber-security. In the early days of corporate level computing, lawyers and IT professionals were wringing their hands over the need for new laws for the new world of computer crime.

    But much of computer crime was garden variety crime by new means. New laws were not needed so much as new and creative ways to apply existing laws, as is so frequently done in other areas of law that seek to deal with new social and business arrangements…by looking back to the past for parallels and precedent before breaking new legal ground.

    I suspect we could solve a lot of our challenges sooner if we started with the basics of a seemingly new problem and adapted tools we have. That might deny some techno-hucksters a window of opportunity, but it would make life more manageable for the rest of us.

    Or to quote Billy Joel: “It’s still rock-n-roll to me.”

  5. August 22, 2016 at 3:13 AM

    Thanks for this thought provoking note on two well-chosen base articles.

    Whether techies really understand cyber (or more generally information related) risks at large maybe does not matter that much. As (master) toolsmiths, or even as technical architects and integrators, and even when they theorize use cases and management policies, techies do not own the enterprise business, operating, or management models.

    Agree both articles suggest a broader perspective than just technical, but miss the complexities of the larger enterprise. Yet, the second one has two strong merits:

    1. The first merit is to (tentatively) address the CEO level and boards. Information related risk management is transverse.

    2. The second one is to pose the problem in terms of organizational maturity.

    A correction to these treatments of the cyber might be to build on 2., and to define a broader organizational maturity model for Information management, fit to CEO/Board level.

  6. August 22, 2016 at 5:40 AM

    I very much agree with your concerns in terms of such a limited scope to Cyber Security & Resiliency.

    We have recently published a blog on broader and more forward thinking strategies.
    https://blog.aurorapartners.co.uk/2016/04/26/cybersecurity-broader-strategies-to-complement-technical-defences/

    The challenge, however, is not confined to Cyber-Security. There are often many agencies within larger organisations that have responsibility for anticipating, preparing for, responding and adapting to everything from minor everyday events to major situations. Examples of these protective agencies include Physical Security, Information Security, Business Continuity Management, Crisis Management, Risk Management, Asset Management, Facilities Management, Quality Management, Reputation Management, Human Resources etc.

    These protective agencies often lack strategic influence, operating independently of one another, conflicting over areas of responsibility and resources. This introduces weakness affecting the organisation’s overall ability to anticipate risks, identify opportunities and develop the necessary agility to respond in a timely manner.

    There is a need to promote improved collaboration between divisions/business units and supply chain, to represent the consolidated view of protective agencies at board level and unite those concerned with maintaining the depth and breadth of resilience across the enterprise.

    Key benefits:
    • Top management receive a consolidated view of intelligence (internal and external) used to set direction and inform decision making
    • Organisational resilience is strengthened through greater integration of specific disciplines and improved understanding of critical interdependencies
    • Improved efficiency through closer collaboration between protective agencies
    • Increased power and legitimacy for agencies at board level, to influence strategy and development of a resilient culture
    • End-to-end view across internal, supply chain and external environments
    • Emphasises a common goal for organisational resilience
    • Greater agility in detecting, anticipating and responding to incidents or crises
    • Increased capacity to adapt to change
    • Facilitates progression towards a single architecture for the management of enterprise organisational resilience

    Jim Hill

  7. August 24, 2016 at 10:57 PM

    The Big 4 have considered all these areas mentioned by Norman Marks. At EY all of these domains mentioned by Norman are part of the cyber risk assessment framework (CPM):
    http://www.ey.com/GL/en/Services/Advisory/EY-cybersecurity-cyber-program-management

  8. August 26, 2016 at 1:58 AM

    Your comments hit the mark. But I don’t think that you should blame the techies. It is a problem that stems from higher up. Techies do what they are told to do – protect the corporate network. As often as not, they are not tasked with BYOD or private cloud because – well that’s not corporate IT. So they focus on where they have responsibilities and resources to make a difference.

    Of course that is utterly inadequate in most cases. For a start not all the risks are external. Many (most?) are internal and a result of lax security cultures, poor leadership, a lack of training, a failure to keep people aware of their responsibilities, even a failure to tell people what their responsibilities are. (Start with policy, train people, keep them aware, work towards a culture where dangerous behaviour is unacceptable – oh, and accept that there is generally a trade off between security and efficiency, so make sure that any security protocols are as usable as possible.)

    Second, as you point out, you can’t protect everything – so you need to focus on the most important; information classification is necessary (there is a new BSI standard due shortly on this) if you are going to be efficient, and along with that rules about access and handling.

    And then there is the nature of technology. Corporate IT networks are like Swiss cheeses – full of holes. Protecting the perimeter is important; but not sufficient. You also need to protect key information wherever it is. And accept that things are going to go wrong; so resilience (and response) is just as important as security.

    Personally I think HR has a massive role to play in cyber security, not just because they hold very sensitive information about employees but also because they will be better placed to deliver effective training, maintain constant awareness, and work towards cultural change. Overall though, any effective cyber security has to be led from the very top of an organisation – and the first challenge is getting leaders to realise that cyber is not just a risk to money (because then it can be treated as a cost of doing business) but a considerable strategic risk that can damage reputation and competitive positioning.

  9. Bill Storage
    August 30, 2016 at 3:25 PM

    “Techies” is likely too broad a term to be useful here; developers, IT/infrastructure people and IT security are very different, and much friction exists between them. But I think you have a valid point that in most organizations two misunderstandings go mostly unnoticed. First, cyber-security professionals have little relevant training in risk management. Despite often using the term “risk,” cyber-resiliency is mostly about threat identification and is mostly reactionary. It is tactical thinking pretending to be strategic.

    Second, corp. mgmt. often assumes that an IT department has significant risk-mindedness. But, as with other disciplines, risk management is too often equated with regulatory compliance, disaster recovery, privacy and audit trails – all important, but not summing to risk management.

    You wrote that in the Lockheed Martin piece there is no mention of risks introduced by mobile or cloud services. They actually are addressing these in their coverage of endpoint threats, but with no detail.

    Having done aerospace risk analysis for several decades, I am irked to see an aerospace firm resorting to heat maps. While often accepted in ERM circles, the logical, psychological, and analytical flaws of that tool are well known in serious risk work, which would never tolerate it. LM’s 7-step process also seems to suggest that cyber security risk can be managed without being analyzed, a mindset that has done a lot of damage in ERM, project risk mgmt. and other risk areas.

  10. Misana Mutani
    September 4, 2016 at 5:41 AM

    I found this in one of my RM forums, and thought it would be useful to share.
