Risk Management – Cyber Security Leadership

Cyber risk quantification

I really enjoyed the cyber risk quantification workshop led by Richard Seiersen, co-author of How to Measure Anything in Cybersecurity Risk.

During the session, Richard broke down risk quantification, focusing on identifying the risks most likely to cause significant business losses where assets, threats and vulnerabilities intersect.

I’m also glad to receive his book for correctly estimating cost in our the discussions. It’s one of the most influential books in security: it challenges subjective risk assessments, offering practical frameworks for using data, probability and economics to drive smarter security decisions.

Navigating the ISO 27001:2022 transition

ISO/IEC 27001:2022 Summary of key changes

ISO 27001 is a widely adopted international standard that sets out systematic and adaptable approach to managing information security. It enables organisations to establish a culture of continuous improvement, staying ahead of emerging threats, and ensuring business resilience in the face of evolving cybersecurity challenges.

A new version of this standard – ISO 27001:2022 – was published on 24 October 2022. I recently led the transition to this version and wanted to share my key takeaways.

I’m often asked what security control framework is the best. Spoiler alert – I don’t think there is one! No single framework is a silver bullet – they all have pros and cons. Some frameworks are highly-prescriptive and have a narrow scope – cardholder and account data for PCI DSS, for example.

SOC 2, on the other hand is more principled-based and doesn’t mandate specific controls but rather a Trust Services Criteria.

ISO 27001 is another popular choice: it’s a risk-based framework, although also has a set of example controls in the standard that many people chose to adopt.

NIST Cybersecurity Framework and its functions (Identify, Protect, Detect, Respond and Recover) can aid communication with business stakeholders but it has its limitations too.

Your particular industry may have other specialised sets of requirements, like NERC CIP for electric power grid in North America. The list goes on.

Many organisations are subject to multiple regulation and legislation simultaneously, having to adopt multiple frameworks and compliance regimes. If not managed appropriately, this can be labour-intensive to maintain and demonstrate compliance. It helps to recognise that often, although worded differently, controls from different frameworks aim to achieve the same objective, so it pays to maintain cross-framework control mapping to streamline your compliance program.

While achieving compliance with a security framework is often a necessary step in establishing a baseline level of security, it’s often not sufficient to mitigate modern threats.

Compliance frameworks were developed with a specific objective in mind – to reduce risk. And they can get you part of the way there, just not all the way. An organisation can be compliant but still insecure. Security leaders should go beyond compliance and move towards actively identifying and managing risks, focusing on the overall security posture and risk reduction to survive and thrive in the digital world.

Supply chain security

Asset management is often regarded as the foundation of a security programme. You can’t protect something that you don’t know you have. This extends beyond internal systems to your organisation’s partners. Depending on the line of business, supply chains can get increasingly complex. They include vendors, manufacturers, retailers and distributors in multiple geographies and regulatory regimes. Securing such a network is no easy task and should start with visibility and careful risk management.

Bow tie risk diagrams are used in safety critical environments, like aviation, chemicals and oil and gas. They visualise potential causes and consequences of hazardous events and allow for preventative and recovery controls to be highlighted.

You don’t have to be a gas engineer or work for a rail operator to benefit from this tool, however. Cyber security professionals can use simplified bow tie diagrams to communicate security risks to non-technical audiences as they succinctly capture business consequences and their precursors on a single slide.

If you work for one of the safety critical industries already, using this technique to represent cyber risks has an added benefit of aligning to the risk assessment patterns your engineers likely already use, increasing the adoption and harmonising the terminology.

There are templates available online and, depending on the purpose of the exercise, they can vary in complexity. However, if you are new to the technique and want to focus on improving your business communication when talking about cyber risk, I suggest starting with a simple PowerPoint slide.

Feel free to refer to my example diagram above where I walk through a sensitive data exposure scenario. For example, it can occur through either a phishing attempt or a credential stuffing attack (supply chain and web application/infrastructure exposure being another vector) leading to a variety of business consequences ranging from a loss of funds to reputational damage. The figure also incorporates potential preventative barriers and recovery controls that are applicable before and after the incident respectively.

Business alignment framework for security

In my previous blogs on the role of the CISO, CISO’s first 100 days and developing security strategy and architecture, I described some of the points a security leader should consider initially while formulating an approach to supporting an organisation. I wanted to build on this and summarise some of the business parameters in a high-level framework that can be used as a guide to learn about the company in order to tailor a security strategy accordingly.

This framework can also be used as a due diligence cheat sheet while deciding on or prioritising potential opportunities – feel free to adapt it to your needs.

How to select cyber insurance

I wrote previously about how cyber insurance can be a useful addition to your risk management program.

Unlike more established insurance products, cyber doesn’t have the same amount of historical data, so approaches to underwriting this risk can vary. Models to quantify it usually rely on a number of high-level factors (the industry your organisation is in, geography, applicable regulation, annual revenue, number of customers and employees, etc.) and questions aimed at evaluating your security capabilities.

You are usually asked to complete a self-assessment questionnaire to help the underwriter quantify the risk and come up with an appropriate policy. Make sure the responses you provide are accurate as discrepancies in the answers can invalidate the policy. It’s also a good idea to involve your Legal team to review the wording.

While you can’t do much about the wider organisational factors, you could potentially reduce the premium, if you are able to demonstrate the level of security hygiene in your company that correlates with risk reduction.

To achieve this, consider implementing measures aimed at mitigating some of the more costly cyber risks. What can you do to prevent and recover from a ransomware attack, for example? Developing and testing business continuity and disaster recovery plans, enabling multi factor authentication, patching your systems and training your staff all make good sense from the security perspective. They can also save your business money when it comes to buying cyber insurance.

If possible, offer to take the underwriter through your security measures in more detail and play around with excess and deductibles. Additionally, higher cover limits will also mean higher premiums and these are not always necessary. Know what drives your business to get cyber cover in the first place. Perhaps, your organisation can’t afford to hire a full time incident response manager to coordinate the activities in the event of a breach or manage internal and external communication. These are often included in cyber insurance products, so taking advantage of them doesn’t necessarily mean you need to pay for a high limit. While it is tempting to seek insurance against theft of funds and compensation for business interruption, these can drive the premium up significantly.

It’s worth balancing the cost of the insurance with the opportunity cost of investing this sum in improving cyber security posture. You might not be able to hire additional security staff but you may be able to formulate a crisis communication plan, including various notification templates and better prepare with an incident simulation exercise, if you haven’t already. These are not mutually exclusive, however, and best used in conjunction.

Remember, risk ownership cannot be transferred: cyber insurance is not a substitute for security controls, so even the best cover should be treated as an emergency recovery measure.

Risk management fundamentals

Risk

The focus of many of my projects is on risks. I’ve observed through multiple assessments in various companies and industries a lack of formalised risk management process. Some of the plans may exist but they are not linked to specific risks and risk reduction levels are not being measured and reported on appropriately.

The security function can be effective in responding to incidents but the strategic risk-driven planning is often missing. The root cause of this state of affairs is often can be generalised as low maturity of the security function. If that’s the case, the team spends most of its time fighting fires and have little capacity to address the challenges that cause these fires in the first place.

To address this, I assess current state of the security function, define the target maturity level and then develop a high-level roadmap to achieve that desired state.

If the company is geographically distributed, noticeable differences usually exist between a number of business units in terms of overall policy framework. The suggestion here is to define a baseline level of security controls across the entire enterprise. The first step in defining these is to understand what we are trying to protect – the assets.

Modern corporations own a wide range of assets that enable them to operate and grow. They broadly include physical and non-physical assets, people and reputation. Engagement from appropriate parts of the business to identify these is important here as potential attacks to these assets might negatively affect the operations.

By understanding the assets we are able to better identify risks, enable effective detection and response, and prioritise controls and remediation efforts better.

It also helps to conduct a bottom-up review of assets to understand what exactly we’ve got there, focusing on the most critical ones and creating and updating asset inventories.

Understanding the asset base and setting standards and guidance for protecting them will focus the efforts and help you prevent and better respond to security issues.

Assets are tightly linked to threat actors, because it’s not enough to know what we need to protect – we also need to know what we are protecting our assets against. Threat actors vary in their motivation and ability and – depending on the company – include nation states, organised crime, insiders, hacktivist, competitors, etc.

A combination of assets and threats helps us to define risks.

Identifying risks and placing them on a heat map helps determine the inherent, residual and target risks. Inherent risks show the level of risk assuming all the controls or remediating measures were absent or failing. Think of it as if security function didn’t exist. It’s not a happy place where we see the majority of risks have high impact and likelihood being in the top right hand side corner of the chart.

Luckily, security function does exist and even if they don’t have a formalised risk management process, they are usually doing a good job in addressing some of these risks.

Current level of risk is taking into account all the controls and remediating measures in place. The initial impact and likelihood is usually reduced and sometimes to an acceptable level agreed by the business. The idea here is although further reduction of impact and likelihood is possible, it might not be cost-effective. In other words, the money might be better spent in addressing other risks.

Target risks is the future state risk level once additional controls and remediation measures are implemented by the security team.

The main takeaway here is that a formalised risk management approach (with accompanying processes and policies) is needed to ensure all risks are identified and tracked over time, and the appropriate resources and efforts are spent on the top priority risks.

The Psychology of Information Security book reviews

I wrote about my book in the previous post. Here I would like to share what others have to say about it.

“So often information security is viewed as a technical discipline – a world of firewalls, anti-virus software, access controls and encryption. An opaque and enigmatic discipline which defies understanding, with a priesthood who often protect their profession with complex concepts, language and most of all secrecy.

Leron takes a practical, pragmatic and no-holds barred approach to demystifying the topic. He reminds us that ultimately security depends on people – and that we all act in what we see as our rational self-interest – sometimes ill-informed, ill-judged, even downright perverse.

No approach to security can ever succeed without considering people – and as a profession we need to look beyond our computers to understand the business, the culture of the organisation – and most of all, how we can create a security environment which helps people feel free to actually do their job.”
David Ferbrache OBE, FBCS
Technical Director, Cyber Security
KPMG UK

“This is an easy-to-read, accessible and simple introduction to information security. The style is straightforward, and calls on a range of anecdotes to help the reader through what is often a complicated and hard to penetrate subject. Leron approaches the subject from a psychological angle and will be appealing to both those of a non-technical and a technical background.”
Dr David King
Visiting Fellow of Kellogg College
University of Oxford

Correlation vs Causation

chart

Scientists in various fields adopt statistical methods to determine relationships between events and assess the strength of such links. Security professionals performing risk assessments are also interested in determining what events are causing the most impact.

When analysing historical data, however, they should remember that correlation doesn’t always imply causation. When patterns of events look similar, it may lead you to believe that one event causes the other. But as demonstrated by the chart above, it is highly unlikely that seeing Nicolas Cage on TV causes people to jump into the pool (although it may in some cases).

This and other spurious correlations can be found on this website, with an option to create your own.

Tag Archives: Risk Management