Risk Controls Compliance vs Risk Reduction
- Joel Van Dyk
- Dec 7, 2023
- 4 min read
Risk Controls Compliance and Risk Reduction are 2 fundamental concepts in CyberSecurity. You can have the first without much of the 2nd, but you can’t have the 2nd without the first.
I have been in a lot of meetings in my CyberSecurity career that people label “Risk Reduction”, where they present something like this, usually blessed by one of the Big 4 (if I’m honest, I’ve come up with a ton of these myself):

A listing of controls for one area of CyberSecurity that they are interested in: Identity Management, Vulnerability Management, Audit Management, or all across the NIST framework. They show a listing of 3 to n controls, where n > 12 but less than the number that one or several persons can’t track by themselves, automating the collection with a spreadsheet or the next step up from that, such as Sharepoint. Some of these might actually be related to the controls mandated by their CyberSecurity Policy, which are usually based on the NIST 800-53 list of controls. These are nicely tiered up into columns of “Green”, “Yellow” and “Red”, where limits are put on the allowed number of applications and environments in the firm that comply (note that word) with this control. So usually something like 9x% is “Green”, let’s say even 99% and above in a very risk-averse and heavily regulated firm like a financial institution. “Yellow” is then a step function down, let’s say 99 to 95%, and “Red” is less than 95% compliance. This shows that the Firm has almost no tolerance for risk in the eyes of any regulator or other such auditor, and will call out those that do not comply (again that word).
A more mature department will have a very long list of these, track them monthly, show a trend, and call out publicly those that are out of compliance (that word again). An even more mature department will show a path to “green”. Most people and CyberSecurity departments measure and manage compliance (again) with controls as listed.
But what is this showing you? Well, what it is showing you is an ASSESSMENT that the controls are in operation and are effective. It gives you a good feeling about risk reduction, in that you can show that most of your firm is COMPLYING with the controls. So you are going in the right direction. You just don’t know how fast, how much faster you might want to go, and whether it’s worth it.
So, in that vein, here is the question that many Audit and Risk Committees have asked me, and I suspect many other CISOs, Risk Practitioners, and fellow travellers: “HOW DO YOU ADD IT UP… what is my overall risk, in dollars? If I have 20 green controls, 50 yellow, and 10 red, what is my overall risk?”
As in the analogy above and my harping on the word COMPLIANCE, the point is that you can’t answer that question systematically. Not without taking this further. Your method is showing that the firm is COMPLYING with your controls framework, which is, as we said, an ASSESSMENT. This assessment shows you that the undergirding or FRAMEWORK of the process of risk reduction and management is in place, but the framework is not in itself risk measurement and management. If you stop here, you are saying little about the actual state of risk and its reduction quantitatively. You are heading in the right direction, but you can’t really prove it. Most Cybersecurity departments, even those marked as very mature by our Big 4 auditing firms, do stop there.
The error here is not one of intent, it’s one of completeness. One would expect auditing firms to be biased towards this kind of measurement, in that they are set up to audit. Auditing is about checking that controls, and the frameworks they introduce, are in place and operating. All well and good and necessary. But it’s not enough.
A Cybersecurity department needs to be much more than just an extension of Audit or Compliance, much as a military is much more than just a logistics and destruction capability. Just like the military, a Cybersecurity department also needs to be oriented to the actual measurement of risk and point itself at the actual threats and vulnerabilities, so it can work on the reduction of risk in a methodical way. To do that and be effective you need a quantitative method.
So, there is a way to quantify risk and measure it. The above is the start, but it isn’t the whole thing. This is the undergirding or framework, which is a good exercise, but not the exercise of risk reduction. Doing that will get you to the point of being able to answer the question from the Audit and Risk Committee of the Board. It also means being able to go to the next level, which is to take these inputs, convert them to a quantitative risk measure, extend them across the firm, and, if you are really good, be able to answer such questions as “if I do this, is it worth the cost for the reduction of risk / how much risk do I actually reduce?”
There are ways to do this. See, for example, “How Risk should be measured in a Big Cybersecurity Dept” in this blog or most things by Doug Hubbard and the statistics of risk. This is where you really do need to go to answer the question of the Board.
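To make the gap between the two exercises concrete, here is an added illustration (not code from this blog, and not Doug Hubbard’s own tooling) of the difference: the Green/Yellow/Red tiering from above next to a Hubbard-style quantitative estimate, where a scenario is described by an annual event probability and a calibrated 90% confidence interval on loss, modelled as a lognormal. The scenario, the probabilities, the dollar ranges and the control cost are all constructed, assumed inputs for the demonstration.

```python
import math
import random
from dataclasses import dataclass

Z90 = 1.645  # z-score that bounds a two-sided 90% confidence interval


def compliance_tier(pct_compliant: float) -> str:
    """The post's tiering: 99%+ is Green, 95 to 99% Yellow, below 95% Red."""
    if pct_compliant >= 99.0:
        return "Green"
    if pct_compliant >= 95.0:
        return "Yellow"
    return "Red"


@dataclass
class LossScenario:
    """One loss scenario with calibrated, Hubbard-style inputs (assumed values)."""
    name: str
    p_event: float    # probability of at least one loss event in a year
    loss_low: float   # lower bound of a 90% CI on loss given an event, in $
    loss_high: float  # upper bound of that 90% CI, in $

    def lognormal_params(self) -> tuple[float, float]:
        # Map the 90% CI onto the mean and std-dev of the underlying normal.
        mu = (math.log(self.loss_low) + math.log(self.loss_high)) / 2
        sigma = (math.log(self.loss_high) - math.log(self.loss_low)) / (2 * Z90)
        return mu, sigma

    def expected_annual_loss(self) -> float:
        # Closed form: P(event) times the lognormal mean exp(mu + sigma^2 / 2).
        mu, sigma = self.lognormal_params()
        return self.p_event * math.exp(mu + sigma ** 2 / 2)

    def simulate(self, years: int = 20000, seed: int = 7) -> list[float]:
        # Monte Carlo: one simulated year per sample, zero loss if no event.
        rng = random.Random(seed)
        mu, sigma = self.lognormal_params()
        return [rng.lognormvariate(mu, sigma) if rng.random() < self.p_event else 0.0
                for _ in range(years)]


def control_value(before: LossScenario, after: LossScenario, annual_cost: float):
    """Dollar risk reduction from a control, and that reduction net of its cost."""
    reduction = before.expected_annual_loss() - after.expected_annual_loss()
    return reduction, reduction - annual_cost


# Constructed scenario: account takeover on a customer portal, before and after
# enforcing MFA firm-wide (probabilities and ranges are illustrative assumptions).
BASELINE = LossScenario("portal account takeover, MFA at 97%", 0.30, 100_000, 2_000_000)
WITH_MFA = LossScenario("portal account takeover, MFA at 100%", 0.05, 100_000, 2_000_000)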
So, we shouldn’t call the exercise of building a controls compliance framework Risk Reduction. It’s a necessary input into that, and it even does reduce risk as a byproduct, BUT it does not measure and manage risk. What we are doing with this exercise is assessing compliance.
