
The business risk that is cyber

February 28, 2021

Today, I am returning to this topic and highlighting three different perspectives.

I see them as a progression, each with a marked improvement over the previous piece.


The first is in TechRepublic: Can your organization obtain reasonable cybersecurity? Yes, and here’s how. The author is Michael Kassner, a freelance writer who specializes in business and technology. He has been referred to as a cybersecurity expert; as best I can tell, he has never been a practitioner.

Kassner’s thoughts are based on his review of Cybersecurity Risk: What does a ‘reasonable’ posture entail and who says so? He refers to that work when he says (in these excerpts):

…lawmakers and regulators are responding to the escalating number of cyberattacks by requiring businesses to meet certain cybersecurity standards to achieve reasonable security. However, “Without a defined, coherent standard to use as a reference, companies are left wandering in the wilderness when it comes to compliance with these often ambiguous laws and regulations.”

Since cybersecurity and its regulation are moving targets, companies tend to copy what other organizations are doing to secure digital assets, hoping it will be seen as good enough…. “With data-breach litigation increasing, this practice is nothing short of risky as businesses are allowing a judge or jury to determine the reasonableness of its cybersecurity risk posture after an incident has occurred.”

…a good place to start is determining what would be considered a lack of reasonable security. “This approach makes it easier for an organization to map data-security protection efforts (including privacy and resources) to a known framework.”

A good first step… is to use the Center for Internet Security’s Critical Security Controls as the authoritative source. “One just needs to map the definition of ‘reasonable’ to any of 20 specifications to attest to its validity and utility.”

The Center for Internet Security’s Critical Security Controls is a recommended set of actions for cyber defense that provide specific ways to stop attacks.

Using the Center for Internet Security’s Critical Security Controls also helps simplify the selection of a risk framework needed to assess the company’s IT environment, determine gaps, and propose solutions.

“Implementing the CIS CSC will show due care in any conflict venue by demonstrating the organization is practicing cyber due diligence, even without a fully minimized risk posture.”


In pre-pandemic days, McKinsey shared The risk-based approach to cybersecurity. The authors all work for McKinsey in their cyber practice.

They start with this telling difference from the TechRepublic perspective.

The most sophisticated institutions are moving from a “maturity based” to a “risk based” approach for managing cyberrisk.

McKinsey is absolutely right to dismiss the idea that following so-called ‘best practices’ and adopting somebody’s set of recommended controls constitutes adequate protection. It also doesn’t protect you from litigation!

Consider the Heartland Payment Systems breach, described in several articles such as this one from ObserveIT.

As the article explains, the breach was massive and was not detected by the company. It was brought to their attention by Visa and, contrary to what the authors say, the CEO did not believe it at first. He famously said it couldn’t have happened because they had just passed their PCI audit!

McKinsey explains:

This article is advancing a “risk based” approach to cybersecurity, which means that to decrease enterprise risk, leaders must identify and focus on the elements of cyberrisk to target. More specifically, the many components of cyberrisk must be understood and prioritized for enterprise cybersecurity efforts. While this approach to cybersecurity is complex, best practices for achieving it are emerging.

To understand the approach, a few definitions are in order. First, our perspective is that cyberrisk is “only” another kind of operational risk. That is, cyberrisk refers to the potential for business losses of all kinds—financial, reputational, operational, productivity related, and regulatory related—in the digital domain. Cyberrisk can also cause losses in the physical domain, such as damage to operational equipment. But it is important to stress that cyberrisk is a form of business risk.

They continue (see the highlighted portion):

Even today, “maturity based” approaches to managing cyberrisk are still the norm. These approaches focus on achieving a particular level of maturity by building certain capabilities. To achieve the desired level, for example, an organization might build a security operations center (SOC) to improve the maturity of assessing, monitoring, and responding to potential threats to enterprise information systems and applications. Or it might implement multifactor authentication (MFA) across the estate to improve maturity of access control. A maturity-based approach can still be helpful in some situations: for example, to get a program up and running from scratch at an enterprise that is so far behind it has to “build everything.” For institutions that have progressed even a step beyond that, however, a maturity-based approach is inadequate. It can never be more than a proxy for actually measuring, managing, and reducing enterprise risk.


Unfortunately, while McKinsey talks about cyber as just another operational risk and how it needs to be fully integrated into the enterprise risk management program, they don’t join the dots. They are not seeing how it is all about taking the right risks for success.

They continue to manage doom rather than the achievement of enterprise objectives.


The third piece is by Carol Williams. She is a risk management consultant with 9 years’ previous experience as a risk practitioner and 5 years as a regulator.

Carol’s Is technology risk bigger than “cyber” risk? is an excellent read. Rather than excerpt it here, I suggest you read the entire article. (You will quickly see why I like her post.)


The bottom line is that managing “cyber risk” should not be done in a silo, but within the context of making informed and intelligent business decisions every day.

Sometimes, you need to take that cyber risk!

Will you avoid purchasing an Amazon Alexa or an Apple iPhone simply because of the unmanageable cyber risks, or will you weigh the pros and cons and make a sensible decision?

Will you allow competitors to leap ahead while you remove that last risk, or will you take the risk and the market?


I welcome your thoughts.

  1. Michael Corcoran
    February 28, 2021 at 8:44 AM

    I would look at the standards the CMMC-AB has established for 250,000 Department of Defense vendors for the security operation for controlled unclassified information. These vendors are required to assess their cybersecurity programs against 130 (tier 3) to 150 (tier 5) controls. Then you need to get a 3rd party audit/certification every 3 years. There is no reasonableness. You have to pass each control or you fail and compete for contracts or serve as a subcontractor. The “reasonableness” perhaps is built in through the selection of required controls by the CMMC. This likely to extend to other agencies and evolve into generally accepted requirements.

    • February 28, 2021 at 8:48 AM

      Add “cannot compete for contracts…”

    • Norman Marks
      February 28, 2021 at 9:03 AM

      Michael, it can meet these standards and not be right for the business.

    • March 1, 2021 at 1:37 PM

      “Reasonableness” has always been added in to even the most stringent of security requirements. I’m dating myself here, but when I used to work on DOD systems, they used DISA Gold disks to review the security standards of each system. If you “passed” all of the checks, you would have a server that could not connect to the network, share files, or function as a “server.” The reasonableness check was built in to allow for exceptions that were justified by the “business.” The assessors would then review the use cases and determine if the functionality was worth the risk. Businesses today have to make the same decisions to determine if their use cases justify the security risk of being online and functioning as a server. The challenge is nobody agrees on what a minimum security baseline should be for all companies and secure configurations are not usually the default.

      CMMC-AB is a great start for determining a minimum security baseline for those companies that deal with DOD unclassified data. It is not a far stretch to apply those requirements to entire industries similar to NIST CSF, but until there is a federal standard, each business will have to make their own decision on how to tackle this problem.

      • Norman Marks
        March 1, 2021 at 3:31 PM

        I am fine with a baseline, but I would not be satisfied with that. I prefer a risk assessment that focuses on how the business might be affected by a breach to determine whether additional precautions are necessary.

  2. March 2, 2021 at 4:06 PM

    Norman, thanks for your comments on my recent cyber risk article. Seeing risks managed within a silo is so frustrating for me and pointless for organizations. They will never get ahead and most likely manage themselves right out of existence in the long run. All the best.
