
How Risk should be measured in a Big Cybersecurity Dept

For the first article of the year I wanted to take a big picture approach.  It’s often been said that the Cybersecurity department protects the firm/business/government/institution from “the bad guys”.  That is a good elevator pitch, but what do we really do every day?


One of my old CISOs said once: “we evaluate risk every day.”  Then, we move around our resources to mitigate the threats and vulnerabilities in the market.  Or, as another good Cybersecurity practitioner told me, it’s like a roulette game, where you have to move around your chips at every spin of the wheel.  Most days you get the bear, and hopefully the bear doesn’t get you.


This is also why you don’t let Cybersecurity be done by the Risk Management, Audit and Compliance departments.  They have their place and it’s an important one.  But, they are fundamentally looking at risk with respect to process and regulations.  They are not trying to respond to the facts on the ground that are in play now and might affect us in the near and far future. That has to be done with technical AND process mitigations.  This is why the Cybersecurity department is separate and is the lead/first line of defense (after possibly everyone else in the firm, who need to be operating in a culture of Cybersecurity awareness.  But, more about that in another post.)


When we are talking about evaluating risk for Cybersecurity, we are talking about 3 steps that are some permutation of this thought/equation:


       Residual risk = inherent risk - mitigated risk


The trick, as I’ve written in previous articles, is to quantify this so you aren’t depending on the humors of your gut. This isn’t the place to show you how to do that, but you can find all you want in my previous articles and at HubbardResearch.com.  It should be needless to say, but, I still seem to have to keep saying it:  if you can’t measure it, you can’t manage it.  I won’t go over the same ground that many management consultants such as Drucker, Doerr and a host of others have.  I’ll just say simply, if you can measure that a board is 1ft and another 1ft 1” you know a heck of a lot more about them than saying they are both of “moderate” length.


Step 1:  So in Cybersecurity you usually have a part of that department that deals with the inherent risk of a system.  This is usually called CyberRisk, and also deals with audits, regulators and compliance, as those folks are dealing with the same types of questions.  Inherent risk, at a very basic level, can be dealt with by an evaluation of the data that is in the system and its criticality to the business.  The type of data is the key in determining what risk the business is carrying if that data is breached.  Similarly, the criticality is about what happens when that data is breached, both from a regulatory and compliance perspective as well as a reputational and internal threat perspective.  This is not to be confused with how quickly the business wants the system to recover from an outage.  It’s related, but, not the same.


Step 2:  now you hopefully have a weighted number representing the inherent risk.  You now need to figure out which controls are lacking in the system, and how you might mitigate that by making up for the missing controls or adding alternate/mitigating controls.  This is usually the province of a Cybersecurity Architecture area within Cybersecurity.  Cyber architecture is trying to build a common and reusable set of technical and process building blocks/architectures to reduce the inherent risk in systems to a level that is acceptable.


You notice I changed to a verb:  that is important, because we may need to be actively changing our tech environment to increase the strength of our controls to compensate for what is lacking.  This is very much a give and take/agile type process.


Step 3:  the end result of this should be a residual (“left over”) risk number that is acceptable to the overall risk appetite of the firm.  Each firm needs to evaluate where that number lies for them historically and in light of current and future events.


For example, in one firm we evaluated the sum of the CVSS scores for all the CVEs open on our systems.  You could see it go up on Microsoft Patch Tuesday, and then come slowly down as patches were rolled out over the course of the month until the next Patch Tuesday.  It wasn’t too hard from there to establish “DEFCON 1, 2, 3, 4, and 5” as multiples of that average baseline.  Again, it told you much more than gut feeling.
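The CVSS-sum baseline described above, as an added Python example (not code from the post): each day’s open findings are summed, the series average is taken as the baseline, and the day is rated by how far it sits above that baseline.  The snapshot data, the CVE ids (placeholders, not real advisories) and the multiples chosen for each DEFCON level are all constructed assumptions.

```python
from statistics import mean

# Constructed sample: open findings per day after each scan, with illustrative
# CVSS base scores.  The ids are placeholders, not real CVE numbers.
SNAPSHOTS = {
    "2025-01-13": {"CVE-XXXX-0001": 7.5, "CVE-XXXX-0002": 5.3},
    # Patch Tuesday: three new advisories land on still-unpatched hosts
    "2025-01-14": {"CVE-XXXX-0001": 7.5, "CVE-XXXX-0002": 5.3,
                   "CVE-XXXX-0003": 9.8, "CVE-XXXX-0004": 8.1, "CVE-XXXX-0005": 6.5},
    # the critical one is patched first, then the rest roll out over the week
    "2025-01-15": {"CVE-XXXX-0001": 7.5, "CVE-XXXX-0002": 5.3,
                   "CVE-XXXX-0004": 8.1, "CVE-XXXX-0005": 6.5},
    "2025-01-16": {"CVE-XXXX-0001": 7.5, "CVE-XXXX-0002": 5.3, "CVE-XXXX-0005": 6.5},
    "2025-01-17": {"CVE-XXXX-0001": 7.5, "CVE-XXXX-0002": 5.3},
}

# Assumed multiples of the baseline for each level (DEFCON 1 is the most severe);
# the post only says the levels were multiples of the baseline, not which ones.
DEFCON_MULTIPLES = [(2.0, 1), (1.5, 2), (1.2, 3), (1.0, 4)]


def daily_totals(snapshots):
    """Sum of CVSS scores over all open findings, per day, in date order."""
    return {day: round(sum(findings.values()), 1)
            for day, findings in sorted(snapshots.items())}


def baseline(totals):
    """Average daily total over the observed period (the 'average baseline')."""
    return mean(totals.values())


def defcon(total, base):
    """Map a day's total to a DEFCON level by its ratio to the baseline."""
    ratio = total / base
    for multiple, level in DEFCON_MULTIPLES:
        if ratio >= multiple:
            return level
    return 5  # below baseline: nothing unusual


def report(snapshots):
    """(day, total CVSS, DEFCON level) for each day in the series."""
    totals = daily_totals(snapshots)
    base = baseline(totals)
    return [(day, total, defcon(total, base)) for day, total in totals.items()]


if __name__ == "__main__":
    for day, total, level in report(SNAPSHOTS):
        print(f"{day}  total CVSS {total:5.1f}  DEFCON {level}")
```

The Patch Tuesday spike shows up as DEFCON 2, falls to 3 once the critical finding is closed, and is back to 5 by the end of the week, which is the shape of the curve the post describes.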


This setting of what level of residual risk is acceptable and what is not is where you work with your Cybersecurity Operations area and Enterprise Risk Management department.  The Ops area needs to give you feedback on what they can actually support (monitor, triage and possibly fix if the worst happens).  Risk Management contributes by working with Cybersecurity to set that risk in the context of the overall risk that the firm is carrying in all other areas (financial, operational, compliance, …) and figure out what acceptable is for the firm.


There you have it.  3 steps.  It sounds simple, but often is hard to organize, implement and coordinate in practice without a clear understanding of the above.  That is the experience of a seasoned Cybersecurity pro.

©2025 by Joel M. Van Dyk.