By Cheryl McGrath
Vice President and General Manager – Canada
Virtually all cybersecurity organizations today want to reduce enterprise risk, but they often do not have the expertise, resources and organizational structure to do so. In many cases, cybersecurity pros spend the bulk of their time mired in the tactical management of a confusing array of security systems, rather than being laser-focused on tracking, managing and reducing enterprise risk. And this is not the fault of cybersecurity organizations – most are understaffed (due to budgetary limitations, the ongoing cybersecurity skills shortage, or both), undervalued by the executive suite (so cybersecurity is left out of business initiatives that could minimize cyber risk), and work within corporate structures that do not assign a central point of authority for risk management (so nobody is given an explicit mandate to manage enterprise risk).
How could this be? It’s actually not that hard to understand – the cyber-risk landscape for enterprises has changed faster than enterprises themselves can change. Consider the risk landscape just 10 years ago – smartphones were still early in the adoption curve with about 16% of the mobile phone market, cloud computing was in its infancy (Microsoft Azure, for example, was first announced at the end of 2008), regulations were more scattered and loosely enforced than today, and ransomware was a fringe cyber threat (a status that would dramatically change when Bitcoin became operational in 2009 and created the ideal ransom-fulfillment platform).
From an enterprise risk perspective, cybersecurity often was a secondary consideration. Take supply chain, for example. The perceived business risk of having a supplier become unavailable due to natural disaster, political unrest or other uncontrollable circumstance was much more concerning than the potential risk of suppliers becoming hacker “onramps” into the corporate network. So, the supply chain executive would be congratulated in the boardroom for reducing enterprise risk with diversification, while the security organization would have no idea that its attack surface just expanded with the addition of new partners. The perceived reduction in risk (a more resilient supply chain) was actually just a transfer of risk (new cybersecurity vulnerabilities).
Today, however, data breaches are potentially far more damaging than they were 10 years ago – due to the insidiousness of attacks (ransomware), the increased business reliance on new IT paradigms (mobile, cloud, digital transformation), and the presence of new regulatory regimes that have real enforcement teeth (GDPR being the ultimate example). Data breaches, whether through third parties or direct attacks, are no longer secondary considerations to enterprise risk. In many cases, they are the primary source of enterprise risk.
This shift in the cyber-risk landscape requires a commensurate response not only from cyber security departments, but from all executives within these organizations – commercial and government entities alike. Enterprise risk can no longer be a fragmented discipline because, as our supply chain example shows, new business initiatives almost always introduce significant new cyber risk, and fragmented risk management cannot account for it. Operating in disparate silos, where business leaders don’t consider enterprise risk across their organizations, is an untenable practice. Enterprises need to assign a single source of accountability for enterprise risk – someone who is responsible for connecting all the dots between business operations, liability and digital infrastructure. This type of ownership ensures that all “risk stakeholders” understand how the organization is changing, and how risk needs to be managed. (That supply chain exec cannot add any more partners without consulting the CISO!)
From a cyber-risk perspective, security organizations need to shift from an outside-in, threat-centric strategy to an “inside-out,” risk-based strategy if they ever hope to have a material impact on enterprise risk. For example, rather than investing in new tools and programs simply to mitigate the latest threat or regulation in the headlines (the outside-in approach), a more sustainable and effective strategy is to first understand your specific enterprise risk, and then make security spending and staffing decisions accordingly (inside-out). Hurricanes are a horrible threat to houses, but if you use “inside-out” thinking and understand that, in Canada, power outages and ice storms are far more likely risks to your house than hurricanes, you’re going to invest in generators, not metal shutters for your windows. This same thinking needs to be brought to enterprise security.
Even if an enterprise has not consolidated risk management into its organizational structure, cybersecurity leaders can adopt an inside-out risk-centric approach to security. This starts with understanding your organization’s specific risk profile – which will differ in every case (a hospital faces far different risks than manufacturers … not to mention other hospitals).
Once a complete risk profile is built, organizations can begin rationalizing their infrastructure and optimizing operations to mitigate their unique risk landscape. In most cases, organizations simply have too much security infrastructure – and when taking a risk-centric approach they can actually improve infrastructure effectiveness by reducing the number of tools and vendors. By doing this, they make things simpler to manage – enabling a more intelligent deployment of staff and outsourced resources. This allows organizations to dramatically reduce the “firefighting” aspect of cybersecurity and instead use staff for more strategic issues (like making sure new supply chain partners conform to enterprise cybersecurity requirements, so they don’t become a source of third-party risk).
Finally, if an enterprise is not inviting security leaders into business discussions, then security leaders should make a point of injecting themselves into those discussions. It’s easy to become comfortable in the “security bubble” and wait for an invitation from businesspeople, but it’s more effective to get outside of the bubble and simply talk to them. This will lead to a greater understanding of emerging business requirements and initiatives, while also educating the businesspeople on the importance of managing cyber risk.
Not long ago there was a time when CIOs had a difficult time getting a “seat at the table” in the boardroom. Today, particularly with the trends mentioned earlier, CIOs are at the center of business strategy. The sooner CISOs and other security leaders adopt a risk-centric approach to cyber security, the sooner that transition will happen for them as well.