Information security today is not about whether you are secure or not secure. “Secure or not secure?” is a binary, yes-or-no question. And it would be a brave person to say yes to that one. An alternative question is “Are you happy with your level of risk?” It is all about how much risk you can tolerate in exchange for business advantage. It’s still a very hard question to answer, not least because it implies that you understand the level of risk you are currently accepting.
Over the years, security threats have become extremely sophisticated; that is, extremely good not only at breaking through or around existing defenses but also very good at evading detection. As I talk with other businesses, I notice they fall into two categories: those who have been successfully attacked, and those who are not yet aware that they have been attacked. None of us are 100 percent secure anymore, and we haven’t been for some time, but now more bad actors want to make money out of that security weakness. More people want our valuable information. That changes the security challenge from one of trying to provide absolute security, to one of reducing risk to acceptable levels based on business need. It might be possible to have a 100 percent secure information system, but it would only be accessible by one person and it would be unusable.
At Cisco, we do our best to minimize our risk by a coordinated approach which involves policy and enforcement, minimizing our attack surface, and integrating our firewalls, IPS, flow analytics and threat intelligence tools to be able to detect exceptionally subtle attack behaviour. In addition to protecting against attack, we acknowledge some incidents will succeed. We spend a good deal of effort trying to identify successful attacks as soon as possible, and containing and mitigating them as quickly as possible.
Which brings me to the right kind of question a CEO might ask the chief security officer (CSO). Don’t ask “are we secure?” Because an honest response would have to be “No, no one is 100 percent secure”. A better question to ask might be, “Are you happy with our level of risk?” Now, the answer from the CSO will probably still be “no” but this will drive the right kind of security conversation. The CSO can explain the levels of risk to the business and the CEO can decide on mitigation. The business might accept some of the risks, but the business must be aware of these risks. Obviously, all businesses are different – with different levels of regulation, different cultures, and different types of critical information. Most importantly, businesses will have different appetites for risk.
The most secure businesses are the ones that have no interconnection with any external party; but that doesn’t fit any business model I know of. All businesses have to communicate and interconnect, and that introduces an element of risk. You can reduce that level of risk by a variety of methods of protection, all of which require people and budget. So the question to be answered is, how much risk does their business model enable them to tolerate?
The questions to ask are these:
- What is the value of this change to the business?
- How does this improve the business? For example, competitive advantage, innovation?
- What are the risks that could result from this change to the business? What would be the cost of a worst-scenario problem in each area? What is the impact? (i.e., Impact-based risk assessment”)
- What is the position with respect to legislation, regulation, brand reputation
- If we choose not to reduce a risk, what can we do to manage it?
- Finally, remember the business is accepting this risk and not the IT security manager.
When I talk with customers about the changes that Cisco has made to our business to enable new markets, increase productivity, or reduce costs, you will never hear me saying that these are the right changes for any other customer. I know that every customer is in a different regulatory environment to us, and most importantly, they may have a different risk appetite to us. I can explain why we at Cisco are managing the risks in the way that we are. I can explain how we control them, and we can explain the business advantage. However, customers in finance, healthcare, manufacturing, or retail all have different concerns. Therefore, there is no right or wrong. Every business drives a different risk appetite. Every business will answer questions about risk differently. It is a conversation for business leaders and they must recognize they are accepting risks on behalf of the business, shareholders, customers, employees and regulators.
For more information on managing cyber risk, visit trust.cisco.com.