The Role of the Risk Sin Eater

Jack Freund
Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, Chief Risk Officer, Kovrr
Date Published: 6 May 2024
Read Time: 4 minutes

Tips of the Trade

During the late 15th through 19th centuries, sin eaters were a crucial part of some rural European communities. Their role was to aid the recently deceased in their journey to the afterlife, free from the weight of their sins. To accomplish this, a sin eater would absolve the deceased’s sins by absorbing and carrying the burdens of those sins through the physical consumption of bread placed on the remains. These practices are firmly rooted in folklore, a derivative of common sense (see my last column for more on common sense).

In a recent conversation with another risk professional, I was informed that their organization still required someone in the cyberrisk function to approve risk exceptions. It struck me how similar this cyberrisk practice was to the folk practice of sin eating. To be clear, organizations have been doing this for decades, but I assumed the practice had died out. In cybersecurity, we ask someone who does not own the “sin” of poor security practices to take on the burden of approving it. Why this practice persists can be explained in several ways.

The first reason is that the risk manager harbors a genuine desire to help protect the organization. However, this desire can harden into the assumption that their role is to prevent the organization from taking any risk at all. In this way, they act as a “cyber goalie,” blocking every shot on goal the enterprise attempts. This inevitably leads to bad blood between cybersecurity and the business groups, and reinforces the persistent perception that cybersecurity is the dreaded “department of no.” We could more generously assume that the person would only use this veto power in the best interest of the enterprise. In that interpretation, they use the approval gate to educate the enterprise about better security practices, granting exceptions only as a last resort when all other options have been exhausted.

Another reason sin eating persists in organizations is the desire to inflate one’s own sense of importance. This is perhaps the least likely explanation, but it is a real, if small, factor in organizational behavior. We in cybersecurity may see ourselves (incorrectly) as more important than our counterparts in the business units, and acquiring and exercising approval authority is one way to assert that. Political power will always play some role in an organization, and some fraction of it will be misused.

Identifying the underlying cause of risk sin eating helps an organization evolve its risk management practice by getting the risk treatment process right. That process consists of four options: avoidance, transference, acceptance and mitigation. However, the options actually available to a cybersecurity team are far narrower than the four-item list suggests.

Avoidance—No organization or practitioner has the absolute power to wholly avoid risk. Either the enterprise will take on a new business proposition, or it will not. Cybersecurity professionals can advise on what might go wrong, but the decision to proceed is the business’s to make, and that advice can be overruled. The security team has no veto.

Transference—Risk cannot be transferred at the level of an individual exception. Transference is typically a holistic action: the entire organization purchases an insurance policy. Individual decisions can make a claim more likely, and may even push potential losses past the coverage limits, but an insurance adequacy analysis typically happens once a year, so there is no practical mechanism for transferring a single risk exception at the moment it is requested.

Acceptance—This is not an option for the cybersecurity team either. Rather, someone from the business side of the enterprise must accept the risk. After all, they are the ones who will have to deal with the consequences of an adverse outcome.

That leaves mitigation as the only option that belongs to the cybersecurity team. To mitigate risk effectively, we should clearly articulate the available control options (including doing nothing). Each alternative should carry its full cost, including what it takes to operationalize any technology purchase: staff, training and process changes. The amount of risk reduction each option would buy the business should also be communicated, using cyberrisk quantification (CRQ) to express the potential reduction in financial loss. After CRQ comes the most challenging part: you let the enterprise decide, document the decision, and move on.

The need to cede control of cybersecurity decisions is what makes this last part of the process the most difficult. The essence of cyberrisk management lies in leveraging the expertise of professionals to make recommendations while empowering business decision-makers to choose the path forward. While cybersecurity professionals may be experts in cyberrisk and its mitigation, business decision-makers must weigh broader business interests against many forms of risk, of which cyber is only one. They also bear the burden if the decision turns out to be the wrong one. So do not volunteer to become your organization’s sin eater. Demand an end to old cyberrisk folklore and improve the maturity of your risk operations.

Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, is the chief risk officer for Kovrr, coauthor of the award-winning book on cyberrisk Measuring and Managing Information Risk, a 2016 inductee into the Cybersecurity Canon, an ISSA Distinguished Fellow, an IAPP Fellow of Information Privacy, an (ISC)2 Global Achievement Awardee, and a recipient of ISACA’s John W. Lainhart IV Common Body of Knowledge Award.