The typical organization faces a wide variety of cybersecurity risks. Often, the legacy risk management attempts of the past were determined by opinion and judgement. We know that data and facts are far stronger as a basis for any risk management plans and strategies.
Closely related to these factors is the understanding that every risk has an ongoing cost, whether or not the risk materializes. In simple terms, the impact of the risk (the loss) combined with the probability of the risk materializing gives us the ongoing cost of carrying this specific risk. In cybersecurity, few have been able to properly measure the probability of specific risks. Attempts have been made by some to look at vulnerabilities and get a real picture of risk.
These efforts inevitably fall short, since we need to have comprehensive data to develop comprehensive risk management. Efforts to “quantify” vulnerabilities alone, or asset exposure alone, are insufficient. As the insurance industry has established over three hundred years of experience, there must be data at the foundation of any risk model that is based on actual losses and loss patterns. Losses are monetary events. These events are of great interest to management, customers, stakeholders, regulators, and shareholders. Many of these groups have minimal understanding of cybersecurity in technical terms. Yet they do understand the value of avoiding loss, and they support efforts to eliminate risk and reduce the cost to the enterprise.
Cybersecurity risk turns out to behave much like other risks faced by the business. Credit risk, supply chain risk, operational risk, and other risks all have been managed for decades through formal, quantitative methods. In the 1600s with the rise of commercial shipping, the transfer of goods on a global basis was fraught with risks. Ships encountered storms, war, piracy and other hazards. Once shippers and buyers grew tired of unanticipated and uncovered losses, these conditions gave rise to the global insurance industry via the formation of Lloyd’s Syndicate in 1688.
Businesses from that time forward have essentially made a market for insurance underwriters willing to take on the risks of others for a price or premium. Over time, the valuation of risk has become more sophisticated thanks to actuarial science, the reinsurance market and other dynamics. Today, most risks faced by business are properly analyzed, understood and addressed. We know that all risks are a function of a threat meeting up with a relevant vulnerability. An automobile may have a vulnerability such as malfunctioning anti-lock brakes, or even an impaired driver. Yet this does not trigger a risk – it is merely a vulnerability, or in other words a potential exposure to risk. However, when that vulnerability meets up with a threat, such as an unexpected object in the road, the combination of the two conditions – “Threat + Vulnerability” – results in a condition where the risk can be triggered. Understanding these dynamics paves the way towards an understanding of risks in detail, and this in turn is the foundation for effective risk management.
In cybersecurity, many have given up on this level of realistic, data-driven risk management. Many believe that cybersecurity risk simply cannot be measured, let alone actively managed. The limitations of legacy methods in cybersecurity risk have led many to simply throw up their hands, often accompanied by the mistaken belief that cyber risk management is simply unattainable. A large part of this behavior, self-limiting as it is, was based on the fact that many purported “risk management” attempts in cybersecurity were simply analytical methods applied to vulnerabilities. A vulnerability is an exposure to risk, not the risk itself. These legacy models omit the role of threats, and therefore present an incomplete – and dangerous – picture of risk.
Finally, to be serious about comprehensive risk management in cybersecurity, we must include the risk dynamics of each domain through which an attacker can trigger a risk and the associated losses. More often than not, cybersecurity is within the domain of corporate information technology. This is an understandable offshoot of the way that cybersecurity as an area of responsibility evolved as a technology function.
In the majority of organizations, this has resulted in artificial limits to the authority and scope of corporate cybersecurity teams. While nearly all cybersecurity organizations address central servers, storage, networks and increasingly mobile and cloud environments, many do not have responsibility let alone basic visibility to other areas outside the purview of corporate IT. These domains include everything from “Internet of Things” devices to supplier technology exposure, shadow IT, and Industrial Control Systems (“ICS”). Further, most cybersecurity insurance programs and strategies are determined by the finance group, risk management or others – often without the input of the cybersecurity organization.
Bringing together these various and often disconnected efforts requires a comprehensive understanding of cybersecurity risk throughout the enterprise. We must understand fundamentally that the attacker does not care about organizational boundary lines, and will find whatever opening there may be, no matter where it may be located or to whom it is assigned.
Does the absence of comprehensive cybersecurity risk management have a cost? Since all risks have an ongoing cost, any factor that increases risk leads to an increased cost. We have found that understanding the origins and contributing factors in the cost of risk allows a much more effective determination of the available methods – and the most effective methods – for reducing and even eliminating these harmful risks.
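The following is an added illustration, not code from the original article, of three points made above: the ongoing cost of carrying a risk (impact combined with probability), the difference between a vulnerability-only scoring and a threat-plus-vulnerability-plus-loss view, and weighing a control's cost against the risk cost it removes. The risk register, threat frequencies, vulnerability probabilities and loss figures are constructed sample values, and the multiplication of threat frequency, vulnerability and loss is an assumed expected-loss model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of a cyber risk register (all values are constructed sample data)."""
    name: str
    threat_events_per_year: float  # how often a relevant threat is expected to arrive
    vulnerability: float           # probability an arriving threat succeeds (0.0 to 1.0)
    loss_per_event: float          # monetary loss when the risk materializes

    def annual_cost(self) -> float:
        # Ongoing cost of carrying the risk: expected successful events per year times loss.
        return self.threat_events_per_year * self.vulnerability * self.loss_per_event


def rank_by_vulnerability(register):
    """Legacy view: score by exposure alone, ignoring threats and losses."""
    return [r.name for r in sorted(register, key=lambda r: r.vulnerability, reverse=True)]


def rank_by_annual_cost(register):
    """Loss-based view: score by the expected yearly cost of carrying each risk."""
    return [r.name for r in sorted(register, key=lambda r: r.annual_cost(), reverse=True)]


def net_benefit_of_control(risk, residual_vulnerability, control_cost_per_year):
    """Annual risk cost removed by a control, minus what the control costs to run."""
    treated = Risk(risk.name, risk.threat_events_per_year,
                   residual_vulnerability, risk.loss_per_event)
    return risk.annual_cost() - treated.annual_cost() - control_cost_per_year


# Constructed register with three hypothetical exposures.
REGISTER = [
    Risk("unpatched internal test server", 0.2, 0.9, 20_000),
    Risk("ICS remote access path", 6.0, 0.4, 500_000),
    Risk("supplier portal credential stuffing", 12.0, 0.3, 50_000),
]

if __name__ == "__main__":
    print("by vulnerability:", rank_by_vulnerability(REGISTER))
    print("by annual cost:  ", rank_by_annual_cost(REGISTER))
    for r in REGISTER:
        print(f"{r.name}: {r.annual_cost():,.0f} per year")
    # A control that cuts the ICS path's vulnerability to 0.1 for 100,000 per year.
    print("net benefit of ICS control:", net_benefit_of_control(REGISTER[1], 0.1, 100_000))
```

The vulnerability-only ranking puts the test server first; the loss-based ranking puts the ICS path first, which is the gap the article attributes to legacy models that omit threats.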