At the 2016 Cyber Risk Technology Forum, I listened to a panel of experienced cyber security executives who were asked the question, “What is the change you want to see in cyber security in the next few years?” I fully expected the answers to be futuristic reflections on a utopian view of the industry. Instead, the panelists’ insightful answers exposed common shortcomings in the industry while advocating for actionable improvements. As the cyber security industry continues to evolve, the CISOs and information risk executives who can bring about the changes on this wish list will emerge as the leaders in their space.
Here are three takeaways:
1. Organizations should fully embrace cyber security and align it with their business processes
Today, organizations know that they need to be conscious of cyber security, but because it is not being measured, understood, or communicated in a business context, it is often delegated to “techies” and isolated from decision making in day-to-day business functions. For a business to truly incorporate cyber security into its operations, cyber security needs to be seen and treated like any other business risk. When asked why organizations aren’t doing this today, Terry Roberts, Founder & President of WhiteHawk, Inc., responded that a risk-based approach like this requires quantification of cyber risk, which until now has not been possible. With cyber risk quantification becoming both practical and efficient, Terry expects to see businesses becoming more cyber conscious, enabling them to thrive in a dynamic and ever-changing threat landscape.
2. Companies should focus on moving beyond compliance, which is hampering critical thinking about the evolving risks in the cyber world
While a compliance-based approach to cyber security is a good first step for a fledgling industry, Nick Sanna, CEO of RiskLens, says that it is stifling progress. Compliance activities such as checking boxes to confirm that controls have been tested and answering yes or no questions about whether certain policies are in place do not encourage the critical thinking necessary to address and prioritize the actual risks affecting the organization. Yes, compliance has been championed to ensure that a minimum level of security requirements is in place, but it is now clear that being 100% compliant does not equate to being 100% secure. Ultimately, a compliance focus leaves organizations lopsided, with a heavy emphasis on their defensive capabilities and no explicit, offensive strategy toward managing cyber risk. Instead of just applying controls evenly across all assets, a more offensive approach is to critically assess which mitigations reduce the most risk and prioritize the mitigations that matter.
To successfully make this next step in changing the culture of the industry, a useful, practical, and defensible model of cyber risk is required. Without a clear understanding of the problem, it is difficult to solve it. The FAIR model, which has been adopted as an industry standard by the Open Group, is a great method for pragmatically defining risk in order to measure it quantitatively and manage it better.
3. Managing cyber risk has to become an activity involving new stakeholders such as business execs and lawyers
Since the effects of cyber attacks and breaches are impacting business operations, and in many cases include lawsuits and fines, it is no longer just information security that is concerned with managing cyber risk. Chip Block, VP of Market Management at Evolver, affirmed that lawyers are among the new actors that boards and executives call in the event of a breach. It is important for them to have sufficient literacy in the organization's cyber risks and to understand the business implications of cyber breaches. He again emphasized cyber risk quantification, expressed in the same financial language the business already uses, as the way to accomplish this.