I just attended the Cyber Risk North America conference in New York. The themes covered at the conference were very thought-provoking and focused on where the profession is going next. The intimate format of the event allowed CISOs, technology and information risk officers, industry experts and specialized consultants to learn from one another and go in-depth.
Here are my key takeaways from the conference:
- Organizations need to move from a compliance-based to a risk-based approach to cybersecurity
- Compliance to a set of infosec best practices failed to protect us from an ever evolving threat landscape.
- Compliance approaches cannot answer the questions of how much risk do we have, to what degree can we or should we reduce it.
- Cybersecurity should not be thinking about protection in isolation of the business needs; this is where the cyber risk function can help achieve the right balance between protecting the organization and running the business.
- Effective cyber risk management requires a combination of risk management frameworks and analytical models
- There are a variety of risk management frameworks and analytics models that can help, some of which can be used in combination.
- Risk Management frameworks (such as NIST CSF, ISO 2700x, Octave,...) are lists of best practices that can help assess the maturity of cybersecurity activities.
- Analytic models (such as FAIR) help evaluate the significance of any control or risk management deficiencies and answer questions such as: How much risk do we have? Which activities matter the most and should be prioritized?
- Regulators appear to support the move to risk-based cybersecurity as long as formal risk management approaches are adopted
- Regulators increasingly require the use of well established and credible risk management methodologies, consistently across the organization.
- Otherwise, the regulators will err on asking for more validation and boxes to be checked.
- For example, the SEC requires a risk-based approach to managing and securing critical systems.
- Cyber risk quantification is seen as key to cost-effective risk management
- Risk quantification is critical to identifying where risk is concentrated and in prioritizing risk mitigations.
- FAIR-based quantification solutions such as RiskLens are emerging.
- A forward-thinking CISO challenged the audience not to require perfect data before quantifying risk ("an elusive goal"), as perfect can be the enemy of good: "no model is perfect, but we're at a 0-1 versus a 10. How about getting to a 6 to 7 (in terms of analytics capabilities)?"
- Information Risk Officers have the responsibility to help change the discussion at the board level
- Currently the communication is broken, as the board and the business speak a different language – the financial one – than the technical jargon that is used by information security to report on cyber risk.
- Board members don’t always ask the right questions. A CISO was recently asked: “are we safe?” He was tempted to reply back with “are you healthy?” to make the point that a risk posture will never be 100% protection and will depend on many factors including the organization's risk appetite.
- Information risk professionals need to learn how to articulate cyber risk in economic terms and drive cost-benefits analysis of cybersecurity projects. A CISO stated, that "FAIR has the chance to help organization talk about risk in a common language, dollars and cents."