Cybersecurity Work Matters: Southeastern Cyber Cup Opening Keynote

Thanks to the Georgia Institute of Technology for inviting me to participate in the Southeastern Cyber Cup Mini-Session Virtual Program today! My objective with the opening keynote was to share insights that educate, inform, and inspire current and future professionals to understand the value of their work within a business.

It is notable that more than 200 significant cybersecurity incidents have been reported globally so far in 2024. "Reported" is the key word. Many incidents happen daily that are not reported for various reasons. Most of the 200 reported incidents were preventable. Failing to assess risk or to invest adequately in risk mitigation is often the root cause of the problem.

1. Management of cyber risk will never be effective without support from corporate leadership.

The duty of care describes the legal obligation placed upon organizations to act appropriately to protect others based on the risk they should have foreseen. The duty of care starts at the highest levels of the organization, and the duty applies to management of cybersecurity risk. Risk management standards like COSO, ISO 31000, and NIST SP 800-39 promote enterprise-wide engagement in risk management from the board to the CEO and the c-suite to individual stewards of systems and data. The problem in many organizations is that corporate executives outside the cybersecurity function are uninvolved or unaware of what is necessary for success, and the cybersecurity function is charged with using limited resources to perform duties far beyond the limits of the security function.

The board of directors, in partnership with the CEO, should establish an effective risk appetite framework, an effective risk appetite statement, and formal risk limits, and should define the roles and responsibilities required for managing risk within the organization. The risk appetite framework provides the foundation for the risk capacity, risk appetite, risk limits, and risk profiles that drive business decisions about what risk to accept, what risk to avoid, and what risk to mitigate in pursuit of business objectives.

An ideal implementation of enterprise risk management that integrates cybersecurity into the process leads the board and the CEO to establish boundaries, the c-suite leader of each business function to be accountable for cybersecurity risk in his or her department, and the owners of systems and data to provide day-to-day management of cybersecurity at their level. This model positions the CISO to support the c-suite as a peer, and security practitioners to support the system and data owners who are responsible for managing cybersecurity risk for their assigned assets.

2. The primary responsibility of cybersecurity is management of risk, not management of technology.

Confidentiality, integrity, and availability are expressions of risk that require management to limit exposures. While technology is often involved, the real work performed by security professionals focuses on threat modeling, control assessment, and maintaining a list of actions that must take place to maintain risk at acceptable levels.

Human capital is a limited resource. The best use of human capital resources would be for organizations to dedicate specific people to specific business functions and objectives.

Information technology professionals are adept at managing information technology, which makes management of information technology by cybersecurity professionals an unnecessary duplication of limited human capital resources.

Organizations that separate risk management and technology management tend to realize significant benefits when separation of duties allows actions taken by one part of the organization to receive independent verification that those actions were effective and produced desirable results.

3. If security is free to focus on management of cybersecurity risk, the practice of risk management is more effective.

Risk management in a cybersecurity context involves establishing the context for risk that we want to manage, the process for assessment and analysis of risk, response to risk, and risk monitoring.

Risk context is important because the nature of risk changes, and the scope of risk varies for different parts of the organization.

Risk assessment is important because the activity helps the organization understand existing exposures, and the results of assessment help management prioritize response based on the impact of findings from the assessment.

Risk treatment is important because it honors the legal obligations related to the duty of care and protects the revenue, reputation, operational resilience, and regulatory standing of the organization. Risk treatment is a business decision, but the decision is informed by the risk assessment work performed in the organization.

Risk monitoring and communication are important to ensure the business stakeholders responsible for risk understand what we have done in the past, what is being done in the present, and what must be done in the future to maintain risk at an acceptable level and to satisfy the legal obligation for the duty of care.

4. Application: How do Capture the Flag (CTF) and other assessment work fit into this equation?

Whether you are a security student, an individual contributor, or a security leader, the organization you serve cannot manage cybersecurity risk without you. The business has important risk management responsibilities: establishing risk culture, establishing risk boundaries, and providing resources to manage risk. Cybersecurity professionals work to protect the organization and its interests by reducing risk as much as possible, given the risk culture that drives behavior, the boundaries that determine how much risk we can accept in pursuit of business activities, and the effective use of limited resources to respond to everything identified in the assessment.

Effective assessment is imperative. For most practitioners, risk assessment is the primary activity performed to support risk management. Assessment can be technical or non-technical. Patching, vulnerability assessment, and penetration testing provide as much information to help an organization understand what exposures exist and how to prioritize response as policy reviews and security control assessments do.

Resources

Most of the conversation focused on the applicability of these standards and one important financial risk management book.

  • NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments
  • NIST SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
  • NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
  • NIST IR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM)
  • Financial Stability Board, Principles for An Effective Risk Appetite Framework
  • Book, The Essentials of Risk Management, Third Edition


Doug Bruhnke, Global Chamber

CEO/founder at Global Chamber. Passionate advocate for trade and investment across regions, supporting member success in 195 countries, 525 metros (everywhere)

1 month

Awesome! Well done!

Keyaan, thank you for sharing your expertise, professional tips, advice and insights with our audience this morning. The positive feedback continues to pour in. We can't thank you enough for taking time out of your busy professional and travel schedule to share with us this morning. Thanks again and Go Jackets!