Let Risk Management out of the cyber-barn!

Security is too serious a matter to entrust to security experts

Technology security has changed its approach dramatically over the past years, moving from signature-based antivirus against known viruses, to fast-adapting malware, and now to lightning-fast bots and automated agents attacking technology strongholds relentlessly.

Cybercrime has evolved into a large scale, global industry which carries its own business rules, network, market-place and today even its own service providers, offering attack platforms for hire. As the saying goes, criminals need only one break to succeed, while defenders must be right every time.

Cybersecurity has been the quasi-exclusive focus of technology security discussions, leaving other aspects often unchecked; meanwhile technologists have barely been able to keep up with the evolution of the risk, which grows with every additional device or solution involved in business dealings.

Ensuring adequate security means establishing advanced tools and procedures to defeat attacks and protect assets, but it also means recognizing that a breach will occur, sooner or later. Cybersecurity is fallible, and the number of other vulnerabilities (insiders, mobile devices, zero-day exploits against core systems, SaaS integrations, etc.) makes one wonder why breaches are not more frequent.

Even though cybersecurity has been evolving at a very steep pace, rogue states and global crime organizations research - and find - new vulnerabilities and zero-day exploits continuously. Keeping up with it has turned into a highly specialized field, with certifications and specialized toolsets.

On the business side, banks and financial services have been under scrutiny for ensuring the continuity of their operations, especially when facing “black swan” events. This was illustrated with the Basel Frameworks (now Basel III) and other risk management tools. Risk Management experts and crisis management scenario specialists exist now to help banks and others prepare and test response mechanisms.

Here is a set of silos (cybersecurity, business sustainability, crisis management, market agility), each focusing on a particular "risk compact" or compliance area, barely talking to each other. Meanwhile, executive teams and board members are struggling to gauge the sustainability of the business and which steps to take to protect the business and its equity. Newer frameworks have focused on enterprise-level risk management, but large areas have been left behind, such as comprehensive business resilience and the agility of the ecosystem.

We need to bring together multiple specialties and fields of expertise to harden the resistance to impacts and provide a much-desired business resiliency taking a 360-degree view of the business.

Below is a quick self-assessment of exposure:

If your tally of “N” shows 1 or less, you are in good shape and just need to expand your current practice.

If the tally is 2 or 3, you are at risk and need to define a business risk mitigation plan.

If your tally is 4 and above, you are not protected against major impacts and are at risk of major or critical disruption.

An alternate way to look at this simple table is to imagine being a member of the Board of Directors trying to assess how much exposure the business carries.

The goal here is not to create unnecessary scares, but a healthy wake-up call that protecting only data and technology assets might only help survive a major technology-fronted hit. This is not enough if data integrity, customers, processes or facilities are compromised. This is not enough if key vendors and partners are not able to maintain the integrity of the supply chain, resources, distribution and sales channels, because they are the ones under attack.

The net value of a day of production (for each entity assessed) is the amount at risk daily if a major incident occurs. The accumulated disruption impact is however the real issue: after a while (often quite short), the aggregated losses, liabilities and market impact reach a threshold of profitability, and then the viability threshold.

When the viability threshold is crossed, the business as a whole has no financially and operationally viable way to continue operating under its own power. This is a going-out-of-business situation, indefinitely.

You have been breached and you will be breached

Security breaches are inevitable, and the capacity of cyber-criminals to find new exploits is far superior to the current capacity to stop them.

Bots and Artificial Intelligence tools have started being used in cyber-attacks, and defending against them requires significant upgrades to defense mechanisms and strategies.

The main vulnerabilities are not really in the technology realm. Although not all IT organizations have a top-notch security practice, most are able to deter, identify and in most cases recover from common attacks. The most critical vulnerabilities are - no surprise - found at the weakest links. Personal accounts of employees, the pseudo-account of a networked printer, email and access granted to contractors and partners, social media accounts, smartphone connections: an entire battery of weak spots is the bread and butter of industrial-grade hackers.

The continued breaches at banks, credit scoring companies, retailers and social media companies caused more than 200 million account records to be compromised last year. It only takes a few steps of social engineering to turn the compromised data into a path to further breaches.

Most people agree that the numbers tell the story: nobody can permanently defeat hackers; not the NSA, not the FBI, not large corporations or even countries (remember the Ukraine power grid attacks in 2015 and again in 2016?) are immune to breaches. Adequate strategies and approaches to be deployed in response to those statistical facts are still missing in many organizations.

What should we do, then?

Organizations need to start preparing for the breaches to come and define their Level 0 and Level 1 priorities. If a major breach occurs, wiping out all useful data, stealing all customer information and making it impossible to continue operations, what is the remediation plan?

In California and other places prone to earthquakes, people stock up on water, first-necessity supplies and emergency equipment to cover at least several days should a "big one" happen. The same approach to business continuity is needed, assuming a major and devastating breach, even if we do not know where and how it will strike.

Let’s rethink security to adopt dispositions now to make businesses more resilient, more agile, to minimize a potentially successful hack (or other) attack.

What-if scenarios are routinely used to create strategic plans, production schedules and project solutions. Using risk models and creating catastrophic scenarios where the trigger is undetermined but the impact is major can produce patterns of response that are, in many cases, highly reusable.

Building a comprehensive Risk Management Plan

The first step in building a comprehensive plan that ensures continuity and minimizes the potential impact of adverse events, is the representation of the overall business or business line into a self-sufficient model.

The first layer consists of the organic operations, front and back ends. This is how the business operates, including production, sales, marketing, administration, technology, HR and all key functions. Previous process architecture diagrams or Balanced Scorecard exercises can provide reusable information for this stage.

The second layer is built around the now mapped core, broken down into functional areas such as Supply Chain, Distribution or Sales Channels.

The result can start with something like the high-level chart here, then start to build the details in successive layers.

A good test is to role-play a “day in the life of” the business, or an order-to-cash end to end life cycle. Building around this first component will make it easier to categorize and name other related or co-dependent processes.

Once the core processes and sub-processes and their associated resources have been captured, the exploration extends to all close partners and providers.

The goal here is to identify the critical components of the ecosystem, without which the business or function cannot operate. A staffing agency, for instance, can be important, with its ability to provide desirable resources rapidly and effectively. But would it cause the company to stop its operations if it were unable to operate for a day, a week or a month?

On the other hand, a core part provider for a manufacturer could cause a plant to go idle if the stoppage of supply exceeds the available inventory. With just-in-time or time-sensitive supplies (e.g. in the pharmaceutical industry), the operating window can be even smaller.

The exploration does not stop at the core supplier but can extend to the risk evaluation of the core supply or raw material itself. Where a provider of components or parts depends on materials or sub-components that are processed during its own production cycle, a sanity check is whether this provider has sufficient alternate supply channels for those inputs, how fast they could be activated, and for how long they could be sustained.

Say a company has an inventory on hand worth a month of production, and a core supplier defaults for three months or more; there will be an interruption of the production and the entire business, unless an alternate supply or manufacturing solution can be found and deployed within the one month supply available. A recent illustration: Ford announced in May 2018 that they were suspending production of their F-150 truck in several plants on May 10th, after a magnesium-based parts provider saw its plant burn down on May 2nd.
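The inventory-versus-outage reasoning above, and the earlier point that accumulated disruption losses eventually cross a profitability threshold and then a viability threshold, can be turned into a small reusable what-if model. The following is an added example, not code from the original article: it assumes a simplified linear model (production runs while inventory lasts, then stops until the supplier returns or an alternate source comes online; each idle day costs one day of net production value), and all figures in it are constructed for illustration, not actual data for Ford or any other company.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: a minimal what-if model for a core-supplier outage.
# Every number below is hypothetical; the ratios loosely follow the
# "one month of inventory, three-month supplier default" case in the text.


@dataclass
class SupplyScenario:
    name: str
    inventory_days: float                 # days of production covered by stock on hand
    outage_days: float                    # days the core supplier is unavailable
    alternate_lead_days: Optional[float]  # days to bring an alternate source online; None if none exists
    daily_net_value: float                # net value of one day of production (any currency unit)
    profitability_buffer: float           # cumulative loss at which the period turns unprofitable
    viability_buffer: float               # cumulative loss beyond which the business cannot continue on its own


def idle_days(s: SupplyScenario) -> float:
    """Days of stopped production: the plant runs while inventory lasts, then
    waits for whichever comes first, the supplier's return or an alternate source."""
    resume_day = s.outage_days
    if s.alternate_lead_days is not None:
        resume_day = min(resume_day, s.alternate_lead_days)
    return max(0.0, resume_day - s.inventory_days)


def days_of_stoppage_absorbed(loss_buffer: float, daily_net_value: float) -> float:
    """How many idle days can be absorbed before a cumulative-loss threshold is reached."""
    return loss_buffer / daily_net_value


def assess(s: SupplyScenario) -> dict:
    """Evaluate one scenario: idle days, cumulative loss, and which threshold (if any) is crossed."""
    idle = idle_days(s)
    loss = idle * s.daily_net_value
    if loss >= s.viability_buffer:
        status = "viability threshold crossed"
    elif loss >= s.profitability_buffer:
        status = "profitability threshold crossed"
    elif idle > 0:
        status = "disruption absorbed"
    else:
        status = "no production stoppage"
    return {
        "scenario": s.name,
        "idle_days": idle,
        "cumulative_loss": loss,
        # Calendar day, counted from the start of the outage, on which each threshold would be crossed
        "profitability_crossed_on_day": s.inventory_days
        + days_of_stoppage_absorbed(s.profitability_buffer, s.daily_net_value),
        "viability_crossed_on_day": s.inventory_days
        + days_of_stoppage_absorbed(s.viability_buffer, s.daily_net_value),
        "status": status,
    }


# Constructed scenarios with hypothetical figures: 30 days of inventory, a 90-day outage,
# one day of production worth 1.0 unit, thresholds at 20 and 50 units of cumulative loss.
BASELINE = SupplyScenario("single-sourced, no fallback", 30, 90, None, 1.0, 20.0, 50.0)
WITH_FALLBACK = SupplyScenario("alternate source qualified in 45 days", 30, 90, 45, 1.0, 20.0, 50.0)


def run_playbook(scenarios=(BASELINE, WITH_FALLBACK)) -> list:
    """Run every scenario in the playbook and return the assessments."""
    return [assess(s) for s in scenarios]


if __name__ == "__main__":
    for result in run_playbook():
        print(result)
```

In the baseline scenario the plant is idle for 60 days and the cumulative loss crosses the viability threshold; qualifying an alternate source within 45 days cuts the stoppage to 15 days, which the business absorbs. The useful output for a board is not the single number but the two calendar days on which the thresholds would be crossed, since those are the deadlines an alternate supply must beat.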

The Need is Here and Now

A sudden E. coli outbreak in salads, closely followed by a salmonella outbreak, could disrupt food processing plants, which in turn might impact eateries, cafeterias and restaurants, since fresh ingredients cannot be stocked in advance or kept refrigerated for more than a few days.

It is very unlikely that taco, sandwich and submarine eatery chains included produce outbreaks in their cybersecurity plans. But this is a likely event, which has occurred before and will certainly recur.

There is a need for a comprehensive plan here and now, before a major event creates the disruption.

The Basel III standards for global banks rely on stress tests and crisis scenarios to determine and test the response to a major crisis. Although the approach is primarily driven by concern about the capital adequacy of banks "too big to fail", implementing the recommendations has shown that hardening a bank's processes and operations creates collateral benefits, such as increased agility and better coordination of responses and decisions.

Useful sources include the framework created by Linda Tuck Chapman in her book "Third Party Risk Management: Driving Enterprise Value" (available online), or the more general Enterprise Risk Management packages available, used together with a risk maturity model such as the RIMS Risk Maturity Model. The ISO 31000 family of standards, which grew out of the Australian/New Zealand AS/NZS 4360 standard, can also be useful for its definitions and approaches.

Starting light and building up from this foundation is highly advisable; it can be easy to be overwhelmed with various tools and models. The original assessment of the risk and the business approach to sustainability and risk management should always determine which tool(s) to use, not the other way around.

Building a playbook of crisis scenarios to strengthen a business would not only better prepare the organization to cyber-risks and incidents, but also to events adverse to the business, the market and the eco-system.

Here lies the main driver for launching such an effort here and now: in addition to keeping the organization on its toes regarding security watch and alerts, a comprehensive framework increases agility, resiliency and the overall response to incidents and major decisions.

Most cybersecurity plans already include Business Continuity and Response Team models, which can easily be adapted to cover the non-technology components of the business landscape.

Let risk management out of the cyber-barn and look at the larger picture including when cybersecurity will fail to stop an attack, when Internet Exchange Points will crash or when a core supply or market will become unavailable without notice.

We have the tools, the framework, the rationale and the capacity to (finally) become more pro-active in facing the ever-changing looming threats: what is stopping us?


Dominick Grillas

Delivering Transformative Processes and Technologies to create Lasting Value

6 years ago

Fully agree, Tony. One of my concerns is to "deflect" the risk management to Cybersecurity experts only, and miss the other aspects. When reaching the Maximum Tolerable / acceptable Disruption threshold, there is no way back...

Reply
Tony Khoury

General Manager at Rahi (a division of Wesco)

6 years ago

Cyber security is essential in so many businesses, Dominick!
