Moving Risk Management From Fear and Avoidance to Performance and Value

For cybersecurity professionals, the nature of risk management is evolving from an outside-in fear-and-avoidance approach to a strong inside-out approach that enables the business and delivers easily quantifiable value. Cybersecurity protects information assets from insidious attacks, such as ransomware, that threaten to shut down operations, which can cause enterprises to lose millions of dollars a day. Despite the constant threat of attacks, the concept of IT risk management remains foreign to many security operations teams.

This may seem paradoxical—security organizations avoiding the adoption of strategic risk management at a time when risk has never been graver—but it is easy to understand, given human nature and the environment in which most security organizations operate.

Humans naturally avoid heeding risk. An example is the use of automobile seat belts. When US consumer advocate Ralph Nader published Unsafe at Any Speed¹ in 1965, it was clear to anyone paying attention that automobiles were dangerous, and seat belts could save lives. In the ensuing years, regulations were passed across many countries mandating that all cars be equipped with seat belts. Nevertheless, most drivers did not use them, although drivers knew that seat belts could save lives. In the following years, automobile manufacturers attempted to make seat belts more usable, even with automated functionality, but most drivers continued to not use them. Finally, in the late 1970s and 1980s, after thousands of preventable deaths, seat belt laws were passed in many countries and, finally, seat belt usage rates increased. Today, for example, Australia,² Germany,³ Japan,⁴ the United States⁵ and the United Kingdom⁶ all have seat belt usage rates of 90 percent or more.

The risk of death did not compel drivers to use seat belts; the risk of fines resulting from seat belt laws had a measurable impact on drivers to use seat belts. Regardless, some drivers may continue to not use seat belts today. Automobiles now have real-time detection and alerts, via visual and audio cues, to encourage drivers to use seat belts. An unlikely, major risk did not change human behavior; a much more likely, smaller risk did change human behavior. The end state includes real-time detection and alerting to promote action.

The same dynamic is at work in cybersecurity. The damage to business from data breaches is well documented; however, given the millions of enterprises in the world, the likelihood of a truly catastrophic breach has seemed remote to most people during the modern security breach era. Much in the same way that seat belt laws changed the behavior of drivers, data privacy regulations changed the behavior of enterprises. Breach disclosure requirements and the threat of audits added a much more likely, smaller risk that compelled enterprises to invest in modern security infrastructure and processes, often for the first time. It is the responsibility of risk management organizations to put in place real-time alerting and response capabilities.

The environment in which most security organizations operate includes the cybersecurity skills shortage and more technology and tools than the security organization can manage effectively. This environment has relegated many security organizations to a keep-the-lights-on mentality, which focuses on the daily IT operational tasks. The ability to take a step back, evaluate enterprise risk and then implement security strategy accordingly is overridden by the endless cacophony of alerts, updates and mandates that keep thin security staffs mired in a constant state of firefighting.

This environment has caused cybersecurity strategy to be driven largely by fear of outside forces—regulations and new threats requiring new tools. Fear of fines or the next media-hyped attack vector is not a risk-management strategy. For example, in the hospitality industry, the fear of Payment Card Industry Data Security Standard (PCI DSS) violations motivates many security organizations to take steps to comply and mitigate credit card data risk. However, attackers shifted from targeting credit card data to targeting loyalty programs and other data sources that are not subject to PCI.⁷ The fixation on a single threat target (PCI) allowed a potentially greater threat target to be exposed (customers’ personally identifiable information).

The hospitality industry example extends across multiple industries, due in many cases to the emergence of digital transformation, which is causing simultaneous increases in enterprise attack surfaces and the creation of valuable new data stores that are hacker targets. Check-the-box security focuses on meeting a single regulation or threat and does little to reduce overall cybersecurity risk.

The convergence of comprehensive privacy regulations, such as the EU General Data Protection Regulation (GDPR)⁸ and California’s Consumer Privacy Act;⁹ evolving adversary strategy; and digital transformation-driven growth in attack surfaces have created a perfect storm of risk for enterprises everywhere. IT risk or cyberrisk can no longer be a secondary consideration—it needs to become the focal point of enterprise security strategy. The motivations behind risk management must evolve away from fear of fines and public embarrassment to driving business value by effectively mitigating risk wherever it may live.

Elements of Modern Risk Management

ISACA’s The Risk IT Framework is a well-defined and mature methodology for adopting a risk-management approach to cybersecurity. Figure 1 shows that IT risk management is built on the following six core principles:

• Always connect IT risk to business objectives.
• Align management of IT risk with the overall enterprise risk management function (if one exists).
• Balance the cost and benefits of managing IT risk.
• Promote fair and open communication of IT risk.
• Establish the IT risk management tone-at-the-top enterprise level, and define and enforce personal accountability for operating within acceptable and well-defined tolerance levels.
• Make IT risk management a continuous process that is part of daily activities.

This final principle is often the most overlooked in cyberrisk initiatives. For example, some security organizations conduct penetration testing only periodically. However, today’s attackers do not take a break when enterprises are not conducting penetration tests. Attackers are constantly probing defenses and looking for opportunities for compromise. Therefore, enterprise security organizations need to implement continuous risk monitoring with programs such as continuous penetration testing if they hope to keep pace with adversary strategy.

The first step to implement risk IT is to conduct a comprehensive risk assessment against appropriate industry standards and best practices to understand where gaps exist. After the gap assessment is completed, the result is a list of items to be addressed, and here is where problems arise. Many security organizations simply address the list of items to ensure that they are compliant with the appropriate regulations. However, security organizations need to move beyond simple checklist compliance and adopt a culture of risk transformation so that every item on that checklist is surrounded by control, planning and continuous risk monitoring. This requirement for risk transformation is becoming increasingly important due to the adoption of new IT resources and paradigms, such as digital transformation, SensorNet, cloud and DevOps, which are dramatically expanding enterprise attack surfaces.

Fundamentally, risk transformation changes security strategy from an outside-in perspective, where external threats and regulations drive strategy, to an inside-out perspective, where organization-specific business risk dictates security strategy and spending. The days of buying yet another tool to combat yet another threat are over—there are not enough people to run the infrastructure glut that results from that strategy. Further, media-reported grave threats may pose minimal risk to an enterprise, so money and manpower would be wasted on combating them.

Risk Management in Practice

When security organizations move from outside-in check-the-box security to inside-out riskcentric security, surprising discoveries are often made. For example, a manufacturing enterprise had largely autonomous facilities that are distributed worldwide. The organization had implemented an enterprise resource planning (ERP) system to knit all of the facilities together and to serve as the nerve center behind its just-in-time (JIT) manufacturing operations. The enterprise conducted a security assessment and categorized risk by potential revenue damage. The enterprise quantified high risk as US $25 million or more in losses, low risk as US $5 million or less in losses, and medium risk as somewhere between the two.

With the ERP deployment, the global wide area network (WAN) became the most important asset in the enterprise because the WAN was the backbone over which the ERP system connected the plants with suppliers for JIT operations, equipment for maintenance and performance data, and headquarters for financial and production reporting, etc. Because the plants run on 24x7 schedules, any WAN outages would cost the company US $3 million per day, but the enterprise did not realize that the WAN was the most important single point of failure in the enterprise.

During the IT risk management yearly exercise, it was discovered in one plant that the WAN terminated in an unsecured wiring closet with no power backup. It was the classic nightmare of a wiring closet, with tangled wires and no lock on the door. This discovery represented a multimillion-dollar risk as a single point of failure to the business. A two-day power outage would have caused US $6 million in losses, which is in the medium-risk category. This discovery raised the question, “How many more of these wiring closets do we have?” The enterprise realized that it needed to invest in its WAN to ensure that it was fully redundant and secured across all locations.

This example shows that when moving to a holistic cyberrisk model, IT systems and security are viewed through the prism of business operations and objectives. Instead of fixating on the latest cyberthreats and new tools for stopping them, enterprises can understand the situations that represent true risk (e.g., the WAN going down) and create a far more resilient enterprise.

Conclusion

Cybersecurity operates in a risk silo in many enterprises. Enterprise risk management organizations continue to fixate on traditional risk (e.g., lawsuits, supply-chain disruption and product recalls) and leave security to the chief information security officer (CISO) to figure out. This silo needs to be removed because cyberthreats and new, strict regulations can lead to significant business disruption and revenue loss.

Even if enterprises are slow to envelop cybersecurity in enterprise risk management structures, CISOs can move forward with a riskcentric security strategy that not only reduces the likelihood of serious cybersecurity incidents, but also makes it much easier to communicate the value of their operations to executives. For example, being able to report that the enterprise was protected from a potential US $3-million-per-day system outage today carries much more weight with the chief financial officer (CFO) than reporting that the security organization investigated 700 potential network intrusions today.

Transforming security to a riskcentric model enables CISOs to move away from the outside-in fear-and-avoidance approach to cyberrisk management to a strong inside-out approach that enables the organization and delivers easily quantifiable value. ISACA’s Risk IT Framework provides the road map for getting there.

Endnotes

¹ Nader, R.; Unsafe at Any Speed, Grossman Publishers, USA, 1965
² Palamara, P.; J. Oxley; J. Langford; C. Thompson; “Review of the Psychosocial and Behavioural Correlates of Adult Seat Belt Use,” 3 March 2012, http://c-marc.curtin.edu.au/local/docs/resources/Correlates%20of%20adult%20seat%20belt%20use.pdf
³ Federal Statistical Office, “National Seat Belt Law,” USA, 2013, www.euro.who.int/__data/assets/pdf_file/0013/301801/Germany-GSRRS-2015-en.pdf?ua=1
⁴ Automobile Federation and National Police Agency, “Seatbelt Usage Data,” USA, 13 July 2016, www.jaf.or.jp/eco-safety/safety/data/pdf/sb2015.pdf
⁵ US Department of Transportation, “Traffic Safety Facts—Seat Belt Use in 2016,” 31 January 2017, http://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/812351
⁶ Royal Society for the Prevention of Accidents, “Seatbelt History,” UK, http://www.rospa.com/rospaweb/docs/advice-services/road-safety/vehicles/seatbelt-history.pdf
⁷ Langfield, A.; “Hackers’ Latest Target: Loyalty Programs,” CNBC, 4 November 2014, http://www.cnbc.com/2014/11/04/hackers-latest-target-loyalty-programs.html
⁸ ISACA, “General Data Protection Regulation (GDPR) Readiness, Assessment and Compliance,” h04.v6pu.com/info/gdpr/index.html
⁹ California Legislative Information, “Assembly Bill No. 375,” USA, 29 June 2018, http://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375