Cyber Risk Illiteracy - 1
(This article was originally posted on January 30, 2024 on my Enabling Board Cyber Oversight blog series at Cyber Risk Illiteracy-1)
You can't have people making decisions about the future of the world who are scientifically illiterate. That's a recipe for disaster.
—Neil deGrasse Tyson[1]
You can't have people making cyber risk management decisions about your organization's future and the world who are cyber risk illiterate. That's a recipe for disaster.
—Bob Chaput
Introduction
Not long ago, I wrote an article entitled Voltaire and Cyber Risk Management. I discussed how my conversations with Fortune 500 CISOs, CIOs, C-suite executives, and board members remind me of the importance of words and their definitions. I explained away and excused the ongoing misunderstanding of cyber risk management-related terms due to the relative immaturity of cyber risk management and, possibly, to some extent, the relative immaturity of the broader field of risk management.
Today, I stop making excuses. I realized I’d used a Voltaire quote for 14+ years (“If you wish to converse with me, define your terms.”[2]). The constant miscommunication in the inconsistent practice of cyber risk management continues.
We’re way overdue to fix this issue. You don’t need to hear me repeat that cybersecurity has become an existential risk to organizations across the globe. It’s all over the media.
We must stomp out cyber risk illiteracy
Typically, I ask clients to define seemingly effortless terms like governance, risk, and compliance before an initial consultation. The responses vary widely from organization to organization and from person to person within the same organization! Variation explodes when I ask for definitions of ‘trickier’ terms like threats, vulnerabilities, controls, likelihood, and impact. I’m sure you’ve heard the line: ask five experts for the definition of X, and you’ll get nine different answers. That happens all the time when it comes to cyber risk management terms.
Just Google something like “top cyber risks,” “top cyber threats,” or “top cyber vulnerabilities,” and you will immediately see what I mean—if you, indeed, know the definitions of these terms! Here’s a great example of an article presenting the “Top 10 Cyber Security Threats of 2022”.[3] Among other silliness, the article includes these six vulnerabilities in its list of top ten threats: Inadequate Training for Employees, Mishandling Patches, Third-Party Vulnerability, Cloud Vulnerabilities, Insufficient Command Over Cyber Risk Management, Out-of-Date Hardware! I especially like the use of the word vulnerability in the description of a threat.
For the interested reader and as a reminder,
A threat is any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.[4]
A vulnerability is a flaw or weakness in system-security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.[5]
The misunderstanding and confusion extend into more important phrases such as cybersecurity framework. Items often cited as frameworks are not frameworks at all. One resource listed these seven: NIST Cybersecurity Framework, ISO 27001 and 27002, SOC2, NERC-CIP, HIPAA, GDPR, and FISMA.[6] HIPAA, GDPR, and FISMA are regulations, not cybersecurity frameworks. The NERC-CIP requirements are not a cybersecurity framework either: the Critical Infrastructure Protection (CIP) Standards are a set of mandatory requirements for owners and operators of electric utilities to protect bulk electric systems from physical and cyber threats. Another article listed 25 frameworks, including a mixed bag of controls checklists, security standards, security R&D centers, and maturity models.[7] Yikes! Seriously?
There are multiple points of view on what constitutes a maturity model. The same resource that cited the seven cybersecurity frameworks also published an article that listed two of those seven frameworks—NIST Cybersecurity Framework and ISO 27000—as maturity models.[8] While some will disagree, the so-called tiers detailed in the NIST Cybersecurity Framework are not intended for maturity modeling; according to NIST, “… Tiers do not represent maturity levels.”[9]
If your organization cannot come to a mutual understanding of basic cyber risk management terms and terminology, you are unlikely to ever be effective at cyber risk management and may even be the cause of a disaster.
So, how do we stomp out cyber risk illiteracy?
To avoid miscommunication that leads to inefficient and ineffective enterprise cyber risk management (ECRM) programs, ECRM fluency must come on par with financial fluency. Not all executives and board members are Certified Public Accountants, nor must they become cybersecurity experts. However, all board members understand enough to discuss your organization’s P&L, balance sheet, and cash-flow statement.
When you first engage in conversations about your organization’s cyber risk and cybersecurity, you may feel like you are trying to speak in a foreign language. ECRM can seem quite technical and complex, but it is understandable once you have a good set of working definitions of some of the fundamentals. To have a meaningful and productive conversation about cyber risk and cybersecurity, everyone at the table needs to speak with precision and understand the differences between a risk, a vulnerability, and a threat, among other terms.
National Institute of Standards and Technology (NIST) Special Publication “Managing Information Security Risk” (NIST SP 800-39)[10] describes four basic cyber risk management steps. The first step, “Frame risk,” is about establishing the context for risk-based decisions and your overall approach to risk management. I encourage you to develop an ECRM Framework and Strategy document that includes as one of its very first sections a glossary of terms. Circulate and socialize this glossary and agree on critical cyber risk management terms and concepts.
In Appendix D of my book Enterprise Cyber Risk Management as A Value Creator | Leverage Cybersecurity for Competitive Advantage [11], I define “Twenty-Five Essential Terms for Your ECRM Glossary.” This Appendix may help you jump-start your effort.
One of the best references on the subject—and my primary resource in writing that Appendix—is the glossary compiled by the Computer Security Resource Center (CSRC) at NIST.[12]
Questions Management and the Board Should Ask and Discuss
1. Has your organization’s C-suite and board discussed and agreed upon a standard set of definitions related to cyber risk and cyber risk management?
2. Have these definitions been documented in your organization’s ECRM strategy and framework documents and communicated via ECRM training?
3. Do you believe your organization has already, or is currently, conducting ongoing, rigorous, comprehensive, enterprisewide risk analysis that would meet regulatory requirements?
4. At the most basic level, does your organization understand that risk exists when and only when there is an asset, a specific threat, and a particular vulnerability?
5. Has your organization produced an enterprisewide risk register?
6. As C-suite executives and board members, have you discussed, debated, and established your cyber risk appetite?
7. If your organization has conducted a risk analysis, are you using the results of that analysis to inform your cyber risk treatment decisions?
8. Do you believe your C-suite and board are fully exercising their leadership, oversight, and fiduciary responsibilities concerning ECRM?
9. Do you think engaging an experienced, reputable ECRM partner would be valuable to establishing, implementing, and maturing your organization’s ECRM program?
#riskmanagement #enterprisecyberriskmanagement #cyberriskmanagement #cyberriskilliteracy #cyberopportunitymanagement #cybersecurityvalue #boardcyberoversight #boardofdirectors
Endnotes
[1] BrainyQuote. “You can't have people making decisions about the future of the world who are scientifically illiterate. That's a recipe for disaster.” (n.d.) Accessed January 30, 2024. Available at https://www.brainyquote.com/quotes/neil_degrasse_tyson_531123
[2] Quotable quotes. Goodreads. “If you wish to converse with me, define your terms.” Accessed December 21, 2022. Available at https://www.goodreads.com/quotes/7799868-if-you-wish-to-converse-with-me-define-your-terms
[3] TitanFile. "Top 10 Cyber Security Threats of 2022." July 22, 2022. Available at https://www.titanfile.com/blog/top-10-cybersecurity-threats-of-2022/
[4] “Threat.” Glossary. Computer Security Resource Center (CSRC). National Institute of Standards and Technology (NIST). Accessed December 21, 2022. https://csrc.nist.gov/glossary/
[5] “Vulnerability.” Glossary. Computer Security Resource Center (CSRC). National Institute of Standards and Technology (NIST). Accessed December 21, 2022. https://csrc.nist.gov/glossary/
[6] Cisternelli, Eric. Bitsight. “7 Cybersecurity Frameworks That Help Reduce Cyber Risk.” August 15, 2022. Available at www.bitsight.com/blog/7-cybersecurity-frameworks-to-reduce-cyber-risk
[7] SecurityScorecard. “Top 25 Cybersecurity Frameworks to Consider.” March 23, 2021. Available at https://securityscorecard.com/blog/top-cybersecurity-frameworks-to-consider
[8] Bitsight. “Cybersecurity maturity model.” n.d. Accessed January 28, 2023. Available at www.bitsight.com/glossary/cybersecurity-maturity-model
[9] National Institute of Standards and Technology (NIST). “Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1.” April 16, 2018. Accessed July 10, 2023. Available at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
[10] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf
[11] Chaput, Bob. “Enterprise Cyber Risk Management as A Value Creator | Leverage Cybersecurity for Competitive Advantage.” Clearwater, 2024. Available at https://amzn.to/3NYdafQ
[12] Glossary. Computer Security Resource Center (CSRC). National Institute of Standards and Technology (NIST). Accessed December 21, 2022. Available at https://csrc.nist.gov/glossary/
Cyber Security Risk Consultant
9 months ago: Thanks for following me Bob Chaput-NACD.DC, Cyber-Risk Oversight, CISSP, CRISC. Great article. Your referencing TitanFile is spot on. When there is no common language and understanding of the concepts, confusion will remain. Your comment about lack of risk management literacy in the boardroom is also true.