This blog was originally published by the Risk Management Monitor on July 7, 2015.
There is growing concern that corporate boards and senior executives are not prepared to govern their organization’s exposure to cyber risk. While true to some degree, executive management can learn to identify and focus on the strategic and systemic sources of cyberrisk, without becoming distracted by complex technology-related symptoms, by understanding the organization’s ability to make well-informed decisions about cyber risk and reliably execute those decisions.
Making well-informed cyberrisk decisions
To gain greater confidence regarding cyber risk decision-making, executives should ensure that their organizations are functioning well in two areas: visibility into the cyber risk llandscape, and risk analysis accuracy.
1. “How good is our cyber risk visibility?”
You can’t manage what you haven’t identified. Many companies focus so strongly on supporting rapidly evolving business objectives that they lose sight of closely managing the technology changes that result from those objectives. Consequently, it is common to find that organizations have an incomplete and out-of-date understanding of:
- Their company’s network connectivity to other companies and the Internet
- Which systems, applications, and technologies support critical business functions
- Where sensitive data resides, both inside and outside their company’s network
Without this foundational information, an organization can’t realistically claim to understand how much cyber risk it has or where its cyber risk priorities need to be.
2. “How accurately are we analyzing cyber risk?”
It is common to find that over 70% of the “high-risk” issues brought before management do not, in fact, represent high risk. In some organizations more than 90% of “high risk” issues are mislabeled. When it comes to analyzing cybe rrisk, several foundational challenges exist in many organizations:
How anxious would you be to ride on a space shuttle mission if you knew that the engineers and scientists who planned the mission and designed the spacecraft couldn’t agree on definitions for mass, weight, and velocity?
Odds are good that if you ask six people within your risk management organization to define “risk” or provide examples of “risks” you’ll get several different, perhaps very different, answers. Given this, it isn’t hard to imagine that risk analysis quality will be inconsistent.
In the cyber risk industry today, there is heavy reliance on the informal mental models of personnel. As a result, very often the focus of a “risk rating” is strongly biased on a control deficiency rather than a more explicit consideration of the loss scenario(s) the control may be relevant to. Without applying a probabilistic lens to risk analysis it is much more difficult to differentiate and prioritize effectively among the myriad loss events that could, possibly, happen.
Another challenge is that most technologies that identify weaknesses in security generate significantly inflated risk ratings. The outcome is wasted resources, unwarranted angst, and an inability to identify and resolve the issues that truly deserve immediate attention.
Although risk management programs within some industries have begun to examine and manage the risk associated with poor models, this focus is often limited to models that do quantitative financial analysis. This leaves unexamined:
- The mental models of risk professionals and whether their off-the-cuff risk estimates are accurate
- Home-grown qualitative and ordinal models
- Models embedded within cyber risk tools
Yet these models, with their implicit assumptions and weaknesses, are responsible for driving critical decisions about how organizations manage their cyber risk landscapes.
Although risk management expectations and objectives are set through decision-making, execution is the deciding factor on whether the organization is able to consistently realize the intended outcomes.
3. “How well do personnel understand what’s expected of them?”
In one organization, the information security policies were written at a grade 21 level. Most organizations today have some form of information security policy and related standards, and many even require personnel to read and acknowledge those policies annually. Very often however, the policies have been written by consultants or subject matter experts using verbiage that is complex and/or ambiguous. As a result, personnel may dutifully read and acknowledge the policies but they may not have a clear understanding of what actually is expected of them.
4. “How capable are personnel of meeting expectations?”
Things change. When budget belts get tightened organizations often cut training budgets. Given the rapid pace of change in the cyber risk landscape, this can create serious skills gaps for cyberrisk professionals and technologists.
Another challenge in this regard has to do with outdated technology. Many organizations hang on to technologies well beyond the point where they can be maintained in a secure state. As a result, “policy exceptions” for these technologies become routinely accepted, which limits the ability of the organization to achieve or maintain its own security objectives.
5. “How well are personnel prioritizing cyber risk?”
Which is more important; revenue, budgets, deadlines, or cyber risk?
Root cause analyses performed on cyber risk deficiencies have found that personnel routinely choose not to comply with cyber risk policies because they believe revenue, budgets, and/or deadlines are more important. This is influenced in part (perhaps a significant part) by the challenges noted above regarding risk-rating inaccuracies. It isn’t unusual to find that overestimated risk ratings create a “boy who cried wolf” syndrome within organizations. The result is that organizations don’t consistently or meaningfully incentivize executives to achieve cyber risk management objectives because there is tacit recognition that much of what is claimed to be high-risk is not. Another factor is that revenue, cost, and deadlines are measureable in the near-term, whereas many high-impact risk scenarios are less likely to materialize before they become “someone else’s problem.”
The bottom line is that prudent risk-taking is only likely to occur if executives are provided accurate risk information and if they are appropriately incentivized based on the level of risk they subject the organization to.
At the end of the day…
Effectively governing cyber risk is within the grasp of senior executives who deal with complex and dynamic challenges every day. By examining their organization’s ability to make well-informed decisions and to execute reliably, senior executives can more effectively identify and address the strategic and systemic sources of risk within their organizations.