Imagine being responsible for the physical security of a mansion. You turn on the TV and there is breaking news about flooding across the region. Feeling a little nervous, you start calling sandbag and flood insurance companies. While you are going through vendor responses, the owner of the mansion calls and asks what is being done to protect the cars from theft, as a neighbor recently had his car stolen from the driveway. You prioritize this over flooding, mainly because the request came from the boss! Before you can start looking at anti-theft alarms, however, the mansion's security guards report that the basement windows are missing locks. Your nervousness has now turned into anxiety. Thanks to the research you have been doing online, you start receiving a flood of emails from vendors, some of whom have developed ‘lock-less’ window intrusion prevention solutions. You immediately start a Proof of Concept (PoC) for a ‘lock-less’ window intrusion prevention system, ask the existing alarm company to put anti-theft alarms in the driveway and, since there is no money left, plan to address the flooding risk next year. You are no longer anxious, because you have a plan in place to address all the risks, at least the ones you knew about. You also realize that you have been working late every day, so you decide to leave on time to spend the evening with your family. While you are out for dinner, the owner calls to let you know that a tree has fallen on the mansion. Not only does the owner have a fracture, but there is considerable damage to the bedroom, and the insurance company is denying the claim due to negligence!
Similarly, as a Chief Information Security Officer (CISO), it can seem overwhelming to keep up with all the risks. There are three main contributors: (1) lack of a holistic risk assessment, (2) lack of risk prioritization and, most importantly, (3) inconsistent communication. Below is some practical advice based on my current experience working as a healthcare CISO. To conduct a holistic risk assessment, I usually engage a single security partner to perform an end-to-end operational risk assessment covering business processes, applications, network, systems, vendors and users. This allows us to compare cyber risks in relation to one another rather than assessing each one in isolation, and it also prevents us from missing risks such as the overgrown tree in the scenario above.
To prioritize risks, ‘impact’ must be determined in a business context and ‘likelihood’ must be determined with both existing and proposed controls in mind. In the scenario above, the likelihood of the overgrown tree falling on the mansion would have been high, and the impact would have been high as well because of its location above the bedroom. The impact of car theft may also be high, but its likelihood is low because of the security guards (an existing control). Since risk is a function of likelihood and impact, the risk of the overgrown tree should have been prioritized over car theft. Similarly, in one of my past roles, we were able to determine that a bigger risk reduction could be achieved by segmenting biomedical devices than by implementing multi-factor authentication.
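The following is an added illustration, not code from the original article: a small risk register that scores each risk as impact multiplied by residual likelihood, where residual likelihood is the inherent likelihood stepped down by the existing controls that actually work, and that compares candidate controls by the total score they remove. The five-point ordinal scale, the rule that one effective control removes one likelihood level (or `strength` levels), and the levels assigned to the mansion's risks are all assumptions made for the example.

```python
"""Residual-risk ranking for a qualitative risk register (constructed example)."""
from dataclasses import dataclass, field
from typing import Iterable, List

# Five-point ordinal scale assumed for this example (not from the article).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Control:
    """An existing or proposed control. `strength` is how many likelihood
    levels it removes; `effective` is False for a control that exists on
    paper but is not actually working, which therefore reduces nothing."""
    name: str
    strength: int = 1
    effective: bool = True


@dataclass
class Risk:
    name: str
    impact: str                 # business impact, assessed in business terms
    inherent_likelihood: str    # likelihood with no controls in place
    controls: List[Control] = field(default_factory=list)

    def residual_likelihood(self) -> int:
        reduction = sum(c.strength for c in self.controls if c.effective)
        # A control never removes a threat entirely: floor at the lowest level.
        return max(1, LEVELS[self.inherent_likelihood] - reduction)

    def score(self) -> int:
        """Risk as a function of impact and residual likelihood."""
        return LEVELS[self.impact] * self.residual_likelihood()

    def with_control(self, control: Control) -> "Risk":
        return Risk(self.name, self.impact, self.inherent_likelihood,
                    self.controls + [control])


def rank(register: Iterable[Risk]) -> List[Risk]:
    """Highest residual risk first; ties broken by name for stable output."""
    return sorted(register, key=lambda r: (-r.score(), r.name))


def risk_reduction(register: Iterable[Risk], control: Control,
                   applies_to: Iterable[str]) -> int:
    """Total score removed across the register if `control` is added to the
    named risks, so two candidate investments can be compared on one scale."""
    targets = set(applies_to)
    return sum(r.score() - r.with_control(control).score()
               for r in register if r.name in targets)


# Constructed register for the mansion scenario; all levels are assumptions.
GUARDS = Control("Security guards on site")
MANSION = [
    Risk("Tree overhanging the bedroom", "high", "high"),
    Risk("Car theft from driveway", "high", "medium", [GUARDS]),
    Risk("Basement windows without locks", "medium", "high", [GUARDS]),
    Risk("Regional flooding", "very high", "low"),
]

if __name__ == "__main__":
    for r in rank(MANSION):
        print(f"{r.score():3d}  {r.name}  (impact {r.impact}, "
              f"residual likelihood {r.residual_likelihood()})")
    trim = Control("Remove overhanging tree", strength=2)
    alarm = Control("Driveway anti-theft alarm")
    print("reduction from tree removal:",
          risk_reduction(MANSION, trim, ["Tree overhanging the bedroom"]))
    print("reduction from driveway alarm:",
          risk_reduction(MANSION, alarm, ["Car theft from driveway"]))
```

With these assumed levels the tree ranks first and the boss's car-theft request last, because the guards already pull its likelihood down; removing the tree buys twice the risk reduction of the driveway alarm. The same structure lets a control that applies to several risks at once (segmentation, in the biomedical-device example) be credited across all of them when it is compared with a single-risk control.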
Finally and most importantly, to communicate the need for and value of risk reduction effectively, I use a standard risk taxonomy based on the operational cybersecurity risk taxonomy from Carnegie Mellon's Software Engineering Institute (SEI), and a control taxonomy based on the NIST Cybersecurity Framework. This gives us a common and consistent language, which I refer to as Cyberspeak. Whenever there is a new vulnerability such as Meltdown, a news story such as WannaCry or a sensational threat report from a security vendor, it is immediately clear which risk category it falls under and which control categories we have, or need, to protect against it. Cyberspeak allows security governance committees to make decisions consistently and to define a ‘human readable’ (rather than IT-readable) risk appetite that can evolve over time. Risks that require treatment feed our cybersecurity roadmap, and thanks to Cyberspeak, all conversations about budgeting, hiring and technology selection are understood by the relevant stakeholders in the organization. These three techniques help me manage cyber risks effectively in the information age, where digital innovation is rapidly enabling not just businesses but also threat actors.