Is Cybersecurity an Art or Risk Management?
By Andrew Roberts, Chief Cybersecurity Strategist, cStor
Cybersecurity is hard, and it is more difficult than it needs to be. Many of the original views on cybersecurity have set us up for failure, yet those views persist today. Part of that is our own fault. We need to own the problem and fix it. We have created a situation in which it is impossible to win no matter how many new tools and dollars we throw at the problem. Even though we have learned that cybersecurity is a business problem that must be addressed, the language spoken by most cybersecurity professionals is completely foreign to the rest of the business. It creates pain and frustration that we feel every day.
It’s time to take a different perspective on cybersecurity.
Consider how the US Department of Homeland Security defines cybersecurity:
“Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.”1
If we look at other places that define cybersecurity, we see a common theme. Cybersecurity is all about protecting our systems and data to prevent bad things from happening so we can ensure confidentiality, integrity and availability.
With so many CISOs and other cybersecurity professionals telling their executives and Board of Directors, “it’s not IF, but WHEN,” it’s clear that we, as a profession, don’t really believe that we can protect our assets. If the very definition of our profession is an unattainable objective, how can we expect to be successful?
It is time we acknowledged cybersecurity for what it truly is: Risk Management.
Risk management is the process of identifying, assessing and understanding the level of risk present in an activity and then taking actions to eliminate, mitigate or transfer that risk (or to knowingly accept it) until the risk that remains is at an acceptable level.
It is time to change our definition of cybersecurity – and the very nature of our jobs and responsibilities. Here’s what it should be:
Cybersecurity is the process of identifying and assessing the risks to our information assets and then recommending and implementing actions and controls that reduce cyber risk to a level that is well understood by all and acceptable to our organization.
So how do we get there? If we want to align our cybersecurity efforts to this new definition, there are three key areas where we must focus those efforts. While we will discuss the key areas below in the order in which they appear in the new definition, understand that each is critically and equally important.
Identifying and Assessing Risk
What could possibly go wrong? If this is not your most-often uttered question, it should be. To identify risks, we need to be mindful of all the things that could happen, because we cannot assess risks we have not identified. Fortunately, we don’t need to come up with our risk list from scratch; there are plenty of resources available. Start with a cybersecurity framework such as the NIST CSF or the CIS Controls (the “CIS-20”). A framework should be the foundation of your cybersecurity program, and its controls were chosen to address common and likely risks. Look at each element and control of the framework and ask yourself, “What risk is this addressing?” This exercise will help you identify the risks that are relevant to your organization.
Once you have identified a risk, you can then assess that risk. How likely is that event to occur? If it did happen, what are the possible business impacts on your organization’s operations? How painful would that be to the organization? Likelihood and impact together tell you how much a given risk matters relative to the others, and these insights will be essential as you move into the next phase.
Recommending and Implementing Controls
Knowing about the risks in your environment will start you down the path of recommending controls to address those risks. As you consider options, keep the focus on the risk. The recommended solution should address the risk you face (and hopefully more than one risk).
The solution should also be proportional to the amount of risk present. We don’t need a million-dollar control to address a $50,000 risk. When evaluating the cost of a solution, consider the full cost: not just the price tag of that widget, but the cost (or, better yet, cost savings) to your organization. If you implement a control that adds even a one-minute delay for each employee in a 5,000-employee company, that is 5,000 minutes, or more than 83 man-hours, lost each day; over a 250-day working year that is roughly 20,800 hours, the equivalent of more than 10 FTEs. It’s no wonder businesses push back on security controls.
Many cybersecurity solutions, when implemented correctly, reduce the overall cost. Consider this real-world example: An organization implemented a new endpoint protection product that works better than the old solution and is transparent to the employees (no added time) but saves an average of 8 man-hours each day by dramatically reducing the number of times workstations are re-imaged because of malware infections. That same solution also uses fewer system resources on the endpoint than the old solution and increases the lifespan of the workstation fleet by about 20%. Those cost savings make the new solution cheaper overall, even though the sticker price was a little higher than the old solution.
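To make the reasoning in the two sections above concrete, here is a small Python model, added here and not part of the original article, that scores a risk-register entry as likelihood times impact and then compares a control’s full annual cost (friction and side savings included) against the exposure it removes. The risk figures, the $40 loaded hourly rate, the 250-day working year and the 2,000-hour FTE are assumptions chosen for the illustration; the 5,000-employee, one-minute-delay scenario and the 8 man-hours-per-day saving are the article’s own numbers.

```python
"""Risk-register scoring and control cost-benefit check (illustrative model)."""
from dataclasses import dataclass

# Assumed planning constants (not from the article).
WORKING_DAYS_PER_YEAR = 250
HOURS_PER_FTE_YEAR = 2000


@dataclass
class Risk:
    """One entry in the risk register, assessed by likelihood and impact."""
    name: str
    annual_likelihood: float   # estimated probability the event occurs in a year, 0..1
    impact_usd: float          # estimated business impact if it does occur

    def annual_exposure(self) -> float:
        """Expected annual loss: likelihood times impact."""
        return self.annual_likelihood * self.impact_usd


@dataclass
class Control:
    """A candidate control and everything that goes into its full cost."""
    name: str
    annual_price_usd: float                # the sticker price
    minutes_per_employee_per_day: float    # added friction; 0 means transparent to users
    risk_reduction: float                  # fraction of the risk's exposure it removes, 0..1
    other_annual_savings_usd: float = 0.0  # e.g. fewer re-images, longer hardware life


def friction_hours_per_day(minutes_per_employee: float, headcount: int) -> float:
    """Staff time consumed each day by a per-employee delay."""
    return minutes_per_employee * headcount / 60.0


def friction_fte_per_year(minutes_per_employee: float, headcount: int) -> float:
    """The same friction expressed as full-time equivalents over a year."""
    hours_per_year = friction_hours_per_day(minutes_per_employee, headcount) * WORKING_DAYS_PER_YEAR
    return hours_per_year / HOURS_PER_FTE_YEAR


def full_annual_cost(control: Control, headcount: int, loaded_hourly_rate: float) -> float:
    """Sticker price plus the cost of lost staff time, minus any side savings."""
    friction_cost = (friction_hours_per_day(control.minutes_per_employee_per_day, headcount)
                     * WORKING_DAYS_PER_YEAR * loaded_hourly_rate)
    return control.annual_price_usd + friction_cost - control.other_annual_savings_usd


def evaluate(risk: Risk, control: Control, headcount: int, loaded_hourly_rate: float) -> dict:
    """Compare what the control removes from the risk against what it really costs."""
    exposure = risk.annual_exposure()
    residual = exposure * (1.0 - control.risk_reduction)
    reduction = exposure - residual
    cost = full_annual_cost(control, headcount, loaded_hourly_rate)
    return {
        "risk": risk.name,
        "control": control.name,
        "annual_exposure_usd": exposure,
        "residual_exposure_usd": residual,
        "full_annual_cost_usd": cost,
        "net_annual_benefit_usd": reduction - cost,
        # A control is proportional when it costs no more than the risk it removes.
        "proportional": cost <= reduction,
    }


# Constructed sample scenario (assumed figures, not from the article).
HEADCOUNT = 5000
LOADED_HOURLY_RATE = 40.0
SAMPLE_RISK = Risk("Workstation malware outbreak", annual_likelihood=0.5, impact_usd=400_000)
CONTROL_WITH_DELAY = Control("Agent that adds a 1-minute login delay",
                             annual_price_usd=100_000, minutes_per_employee_per_day=1.0,
                             risk_reduction=0.8)
CONTROL_TRANSPARENT = Control("Transparent endpoint protection",
                              annual_price_usd=120_000, minutes_per_employee_per_day=0.0,
                              risk_reduction=0.8,
                              # 8 man-hours/day saved on re-imaging, valued at the loaded rate
                              other_annual_savings_usd=8 * WORKING_DAYS_PER_YEAR * LOADED_HOURLY_RATE)

if __name__ == "__main__":
    print(f"1-minute delay: {friction_hours_per_day(1, HEADCOUNT):.1f} h/day, "
          f"{friction_fte_per_year(1, HEADCOUNT):.1f} FTE/year")
    for control in (CONTROL_WITH_DELAY, CONTROL_TRANSPARENT):
        print(evaluate(SAMPLE_RISK, control, HEADCOUNT, LOADED_HOURLY_RATE))
```

The delay-adding agent looks cheaper on paper but its friction alone costs more than the whole risk it addresses, so `proportional` comes back false; the transparent product, with its re-imaging savings netted out, costs a fraction of the exposure it removes. The model is deliberately simple (single-year, single-risk, point estimates); in practice you would run it across the whole register and with ranges rather than single numbers.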
When evaluating solutions to recommend, rely on a solid cybersecurity partner. Companies that sell cybersecurity solutions invest countless resources to understand the security marketplace. They can help you navigate the options and thoroughly understand the benefits, full costs and cost savings of each possible solution. Validate their claims in your own environment, with a pilot where you can, before committing. By working with that partner, you will be able to bring your business leaders recommendations that reduce both risk and cost to your organization.
Communicating Risk
In order to make sure risk levels are “well understood and are acceptable to our organization,” we need to become much better at communicating risk and doing so in a business context. Arguably, this will be the biggest and most difficult change for cybersecurity professionals. We will need to get rid of our cyber-shorthand and technical jargon and translate that vocabulary into business-focused and risk-centric terms. For example:
A “credential harvesting spear-phishing attack” would become “stealing passwords to gain access to our most valuable data assets, possibly resulting in regulatory penalties, sanctions, or loss of proprietary information.”
A “successful DDoS attack” would become “our eCommerce site is unavailable to our customers, and transactions cannot be completed.”
A “ransomware attack” would become “a complete shutdown of company operations, including revenue-generating activities, until systems are recovered either from backups or by paying an extortionist.”
It’s a subtle shift, but an important one. It may be a tough sell to get budget for a DDoS mitigation service or a web application firewall (WAF) to keep attack traffic off the site. It would be a different conversation about making an investment to ensure continued availability of the eCommerce site. The important thing is that the business understands there is a risk and that options are available. Give key decision-makers enough information to allow them to make an informed decision about investing or not. That is a critical part of your job.
Summary
Cybersecurity professionals have spent the past few decades trying to educate business leaders about cyberattacks so we could further our mission of protecting systems from attack. While we have made some progress, there is still a long way to go. Changing our focus to a risk management perspective will take us to the next level.
Businesses understand risk and speak the language of risk. At their core, all businesses exist to take risks and turn them into profit. Consider your CFO; that very high-ranking position exists almost exclusively to identify and address the financial risks faced by the organization. CFOs have the ear of the CEO and the Board of Directors and always have a seat at the table.
If CISOs want similar treatment, then we need to perform a similar function: identify and address the cyber risks faced by the organization.
Is cybersecurity an art or risk management? The answer is clear: it needs to be both. Let’s work together to make cybersecurity an integral part of the art of risk management.
1 https://www.us-cert.gov/ncas/tips/ST04-001