Volatile Cyber Risk Assessment
After forty years assessing cyber risk, it is clear that we are doing it wrong!
This article is not about risk assessment methodologies or the quantification of risk. That is a different, and equally important, subject.
This article is about the focus of risk assessment: the controls we review in order to determine risk and, importantly, the organisational level at which the assessed controls sit.
The problem with most cyber risk assessments is that they can become unreliable quickly due to many factors, and this rate of volatility is usually tied to the level at which the controls are implemented and maintained. Controls at the operational level are much more likely to experience a reduction in effectiveness than those at the tactical level, and similarly, those at the tactical level are more likely to change than those at the strategic level.
The reality of cyber risk management
One big factor is the reality of cyber risk management in most organisations. The outliers in both directions are a small number of highly vulnerable organisations and, at the other end, a few who are highly resilient. The majority of businesses are aware of the risk and usually have staff at the operational level working diligently to maintain cybersecurity. Some of these are even supported by tactical-level management who do their best to sequester budget to support resilience activities. However, many of us in the cybersecurity community know that the reality for most organisations is that cybersecurity is done on a best-efforts basis and is not supported at the strategic level.
The big problem here is that operational controls are subject to rapid change: key staff responsible for maintaining them may fall sick or leave, a lack of investment and focus may cause them to degrade, and changes to threat actor methods may overwhelm them or otherwise render them ineffective.
Operational assessment challenges
So, given this volatility, why do we continue to be so heavily reliant on 'down-in-the-weeds' controls assessment? Internal and external audits, resilience certification, due diligence exercises, supply chain assessments, cyber underwriting, etc., all rely on controls assessments which, by industry experts' own admission, are a point-in-time snapshot that may quickly become unreliable, especially given the organisational challenges mentioned. The problem is that if these changes (see my article on Controls Degradation) are not detected, they may lead to unacceptable levels of exposure to cybercrime.
In an effort to head off concerns surrounding operational-level controls volatility, some are turning to real-time or active monitoring of controls. Whilst this clearly has value, it is both complex and potentially expensive, especially with the constant remediation activity required, which is more akin to the little Dutch boy sticking his finger in the dyke.
Turn this on its head and one may then logically argue that assessments should primarily be focused on cyber risk management at the strategic level. Of course, strategic assessment results may not offer absolute assurance of specific controls; however, if one is seeking assurance of overall cyber resilience, then surely understanding whether board-level strategy is supportive of effective cyber risk management will give a high level of confidence that tactical- and operational-level controls are effective.
The line of sight to operational control effectiveness is entirely possible. Ask yourself this simple question. If an organisation has a board-level cyber champion, clear knowledge of their data assets, adequate IT and cyber budgeting, good payment control, appropriate IT and cybersecurity staffing levels, excellent skills and awareness and great software version control, then are they likely to have MFA enabled?
I am not advocating that assessment of strategy should replace assessments of tactical and operational controls. Absolutely not! However, because both time and cost often restrict our ability to undertake assessments at the operational level, rather than trying to find some magic subset of volatile operational controls that will satisfy the need for a light touch, we should instead be looking to assess the cyber risk management strategies of an organisation as a more reliable measure of confidence in their cyber resilience.
There is, however, one further problem that many in the cybersecurity field have failed to solve: the problem of board-level engagement with cyber risk. If boards are not engaged properly, they do not form or manage strategy. As the famous warlord Sun Tzu said, "Tactics without strategy is the noise before defeat," and this could not be truer than when it applies to cyber risk.
Many attempts to engage boards have been largely met with tacit enthusiasm, but this is generally short-lived and does not result in long-lasting support or meaningful improvements. My view is that the approach has been wrong. If you were to ask a cybersecurity expert or pundit to sit through and understand a common strategic subject, let's say Balance Sheet Analysis, how long do you think you would maintain their attention? I would suggest not long. And so it is when the cybersecurity community attempts to train boards in the operational, and even tactical, aspects of cyber risk management. Case in point: trying to explain the importance of patching cadence or MFA to board-serving executives.
We need to change the narrative by explaining cyber risk in a form which is already recognised as strategic. Essentially: which board-level strategies both support and direct effective cyber risk management?
Strategic assessments will, I suspect, reveal significant problems. However, solving these problems with effective strategy will engage boards in the proper way and ultimately lead to significant improvements in resilience to cybercrime.
www.cyberseven.global #cyberseven