More organizations are starting to view cybersecurity as a strategic risk. They have to—it’s becoming unavoidable. Technology and the business are so intertwined. Regulators are issuing more compliance measures that include information security directives. And all the while, adversaries are relentless in their campaigns to compromise defenses to steal information, money, or otherwise create disruption.
No matter why an organization commits to improving cybersecurity, it’s a good thing, because it helps to make the Internet safer for everyone. However, we see many businesses getting in the way of their own success because of how they manage risk. Here are some common pitfalls:
- Failure to define “risk” properly. In information security, the concepts of threats, risks, and consequences are often mixed together as if they’re interchangeable (they’re not). The ISO/IEC 27001 international standard for information security management defines risk as the “effect of uncertainty on objectives.” This definition, similar to what is used outside of IT, implies both variance and opportunity—two key risk characteristics often ignored in information security.
- Poor risk assessment methods. Too often, risk assessment methods used to gauge cybersecurity risk are overly simplistic and lack empirical data as a source of analysis. Formulas, like subjective heat maps, are popular because they’re easy to use. The perceived difficulty in getting real data for strategic risk assessment encourages many organizations to continue using methods that lack rigor—and add more uncertainty than they remove.
- Lack of system-level thinking. Another common mistake: assessing and treating risks as “local” when they are actually indicative of complex, interrelated systems. Localized risk management may provide a sense of comfort or meet a compliance requirement. However, it also can lead to overlooking risk factors that are correlated but not visible at that specific level of analysis.
As more organizations get serious about viewing cybersecurity as a strategic risk, they are looking to companies like Cisco for guidance and support. They are asking us to provide not just technology solutions but also advanced services developed around strategy and risk management. These services can help organizations better understand their unique risk posture, environment, and acceptance criteria, and enable them to implement controls—including technology products—to minimize uncertainty and maximize value, as opposed to just preventing loss.
Cisco IT GRC services, as an example, take a systemic and rigorous approach to strategic risk management. Using international standards for enterprise risk management, Cisco IT GRC services help security organizations raise their risk visibility and strategy from local, technology-focused analysis to a vision for managing uncertainty within their security programs. This enables organizations to make better and more empirically grounded decisions, escape the “risk as loss” trap that ignores opportunity costs associated with security, and align IT security risk management with the organization’s broader risk management efforts.
According to the newly released Cisco 2014 Midyear Security Report, if organizations want to succeed in the emerging Internet of Things world, where everything is increasingly interconnected and we are all highly dependent on the network, viewing cybersecurity as both a strategic risk and a formal process will be a business necessity. There’s a lot of work to be done, to be sure. But we’re starting to see progress on both fronts from many of the organizations we help to support. Cybersecurity is not only on their risk radar now, but also monitored with more vigilance.
The risk assessment methods are okay. It’s the risk models and empirical data as mentioned that are lacking. That is because information security, threats, potential perpetrators, and vulnerabilities are unbounded, open-ended, and changing. There is simply too much we don’t know, and factors materially change faster than the time it takes to do the analysis. That is why I advocate a diligence method based on experience, observation, current practices, and decisions by management fiat using: benchmarking, standards, compliance, contracts, audits, good practices, available products, cost, and experimentation.
“That is because information security, threats, potential perpetrators, and vulnerabilities are unbounded, open-ended, and changing.”
Verizon 2014 Kill-Chain/Attack model analysis says “hi.” Low variance in actual attack patterns, a relatively simple number of attack patterns. Attackers may be “unbounded” or “open-ended” but they don’t change that much.