In the last decade, cyberattacks have grown steadily worse in number and severity, with no end in sight. Despite record investment in cybersecurity, attackers have proved able to evolve their techniques faster than defenders can keep up. In many cases, organisations have spent heavily while failing to insulate themselves from the sort of disruption that threatens their ability to operate.
What has gone wrong? In hindsight, a fundamental mistake was the widespread belief that cyberattacks were an isolated technical problem that could be solved by installing more technology. Eventually, organisations realised this piecemeal approach was unsustainable and moved towards treating cybersecurity as a strategic problem requiring rational risk management.
This approach holds that cybersecurity should be treated as a special type of risk alongside conventional risks such as weather events, the economy or insider fraud. Organisations should invest in cybersecurity to prevent or mitigate negative outcomes in the same way they do for other risks. For example, if an attack disrupts an ERP system, this reduces that organisation’s ability to send and receive invoices, harming its cash flow. Similarly, if an insider leaks an important database, this could create reputational, compliance and regulatory costs in addition to operational disruption. The question, then, is what interventions make it possible to manage these risks and how success should be measured.
Identifying risk
The first stage of risk management is to identify the assets whose disruption would have the greatest effect on the organisation, including physical equipment, applications, external services, and important third-party suppliers. This approach aligns with the NIST Cyber Security Framework (CSF), a 2014 document originally aimed at critical infrastructure which has since become globally influential for cyber security planners across all sectors.
The CSF comprises five stages: Identify, Protect, Detect, Respond and Recover. The first of those, Identify, is the foundation on which all subsequent ones depend. NIST defines the Identify stage as: “developing an organisational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.”
Risk identification is important because it provides discipline and structure. Without a structured approach to identifying risk there is a danger that board discussion will be overly influenced by short-term events or subjective judgements. That makes it hard for management to assess risk over time or as circumstances change. The language used is critical and needs to be oriented to an agreed definition of how an organisation’s identified risks and its cybersecurity strategy relate to one another.
As to the risks themselves, these will vary from organisation to organisation. Some organisations have a lot, others relatively few. What matters is that the process for identifying them is rigorous.
Digital Risks
A common mistake is to assume that cybersecurity risks always relate directly to the organisation’s systems or infrastructure. In fact, as organisations have become more digital, risks have grown in number and scope, and many of them occur beyond the organisation itself. A good example is reputational risk, which can manifest in ways that are hard to detect. If a company suffers a ransomware attack, that might affect its reputation with its customers and the wider public. Equally, a disinformation campaign, the hijacking of a brand for a phishing campaign, or negative fake reviews on social media can have a similar effect despite not being directly connected to infrastructure under the organisation’s control. External risks like this are not less serious simply because they are external or don’t fall under a traditional definition of cybersecurity.
A related assumption is that digital risks are the responsibility of the IT department even though many are first noticed by non-technical departments such as marketing and legal. This underlines how risk identification and management must involve people from beyond the IT sphere with a broader understanding of what constitutes risk.
Supply chain risk
Another often underestimated set of risks is those which originate in the supply chain. As with digital risks, these can be hard to identify or assess because they involve third parties not monitored by in-house IT systems. There is no getting away from the fact that supply chains are now a major vulnerability. Cyberattacks involving supply chains have become a regular theme, as has the growth in digital connectivity that amplifies their effects. This is a defining aspect of cybersecurity risk identification – new risks can appear at any time.
Explaining risk to the board
Identifying and explaining how risks should be addressed falls to the CISO, whose job it is to translate board objectives and risk management goals into a technical plan. This can be challenging. A lot of the language around cybersecurity is highly technical, which makes it important that the CISO finds a common language through which to communicate with board members.
Another problem is the vast scale of risks, which constantly expand in scope. Cybersecurity risk is a different type of risk than conventional business risks such as weather events. The latter are inevitable but governed by mathematical likelihood. Cybersecurity risk, by contrast, is impossible to predict with certainty. Risk management is not a guarantee, something which needs to be clearly communicated.
Measuring and fixing risk
Once cybersecurity risks have been identified and prioritised, the organisation can move on to the issue of how progress towards minimising them will be measured. This isn’t as simple as naming a technology mitigation and leaving it at that. In many cases, cybersecurity risks relate not simply to the system or data being used but also to the policies governing it and the human processes around it. The risk might be spread over multiple systems, all working under unpredictable real-world conditions. Inevitably, some risks – around legacy technology for instance – won’t be easy to mitigate completely.
It is critical to establish key performance indicators (KPIs), which are agreed by the board and show how progress relates to any investment in mitigation. From the point of view of board members who are not cybersecurity experts, KPIs are an essential tool that helps build the rationale for future investment. This requires CISOs to outline a risk to the organisation’s infrastructure, the effect an incident would have on the business in detail, how it can be reduced, what this will cost, and the resulting benefit of risk reduction.
For example, risk assessment might identify a database as a cybersecurity risk, in which case KPIs would include its state of encryption, the way the data is accessed and by whom, and other systems and partners with access to it. Having identified the risk and the potential mitigations, KPIs would track when and how these were being carried out during implementation, in a way that can be compared over time.
Conclusion: does risk identification work?
One of the biggest challenges of cybersecurity over the last two decades has been persuading boards that it matters. Too often, the topic was relegated to a lower priority, misunderstood, or underestimated. Risk management has the potential to change the dial on this. By translating the issue of technology investment into a business issue whose progress boards can assess more objectively, the subject immediately gains traction. This is the pay-off for the time investment it will take – when technical problems are addressed as operational risks, they are more likely to be fixed.
Getting help from MTI
Embracing risk-based security involves many types of testing and assessment, some of which require external partners with specialist skills. MTI offers a range of services based on the Identify phase of an organisation’s cyber security risk planning.