
As a new CISO arriving at your office on your very first day of work, you have already discovered that finding out your business’s current cyber risk situation is essential. It can be very tempting to walk over to the head of IT or security operations and ask them what the most significant cyber risks are right now, but surprisingly, this may not initially be the most effective use of your time.
You do most definitely need to meet and talk to the top leadership of the business, and every IT, Security, and Operational manager, as soon as possible, but to truly find out what you need to know to deliver on your job you need a solid understanding of which cyber risks exist that can harm your business.
If you do not already have a current cyber risk posture assessment available, and by current I mean one that top non-IT management has received within the past two months, then almost the very first task you will have as you sit at your real or virtual new desk will be to find out what the current real cyber threats to your business’s existence are.
Have you noticed how many times I used the words ‘your business’ in the first three paragraphs of this article? And how few references I have made to IT, Security, and Technology? This is no accident. Cyber risk must be seen as a business concern: not blindly chasing cyber risks that may have affected some other business, but focusing on damaging cyber risks in the context of your business’s primary commercial objectives.
A new word came into existence in the early 2000s as online self-help medical websites appeared.
Cyberchondria: a belief that you are suffering from every disease that the internet has ever heard of.
This term is unfortunately also applicable to the world of cyber risk management – an unreasonable belief that every technical cyber security vulnerability mentioned on the internet exists today within your IT systems and is being actively attacked by as yet invisible adversaries. There is unfortunately also no shortage of cybersecurity solutions on sale that appear guaranteed to cure every such cyber vulnerability or concern.
Cybersecurity is by its very nature a battle fought with technology, but it must never be seen simply as a technological battle. Very few businesses are information technology driven; most businesses are simply information technology enabled, being practically built around doing or selling things profitably, using IT, data, and automated processes to increase both opportunity and profit.
So, before you map any of the 37,000 or so CVEs onto your systems, start asking how much work the last Patch Tuesday release will require to fix a few of them, or ask what still needs to be done with the new security platforms to make them work, it is a really good idea to find out which of your business systems represent the most risk. Not risk from random CVEs or configuration errors, but which business systems actually deliver the most revenue, value, or profit to your organisation, and which would cause the most damage to the business if they were compromised.
You will already have a list of business assets, but if that list still looks like an IT inventory, with serial numbers, license keys, and IP addresses, you will need some additional information before you can begin to prioritize which of the inevitable vulnerabilities that exist pose the greatest threat to your business.
An accurate IT asset list is still a really good place to start, but there is more to the value of those assets than their purchase and maintenance costs. The data and information that is contained, processed and enriched within those systems will be orders of magnitude more valuable than the replacement cost of the infrastructure or licenses that support it. [How to Quantify an Asset List]
Obtaining an idea from the business itself around how any interruption, loss, theft or damage to that information will affect your business’s operation and reputation is essential if you are to be able to prioritize cyber risks in the context of business success and prosperity.
Until you have obtained that understanding of what a really bad day looks like in your business context, and hence worked out how much a really bad day or days will actually cost, prioritising any prevention or remediation actions is mostly impossible. So is evaluating the effectiveness of any existing solutions in preventing ‘bad days’.
It is very likely that such an exercise has already been undertaken from an IT availability perspective. If so, then mapping cyber threats to IT availability risk should be a relatively simple process. Mapping the business impact of primary revenue processes to the availability of IT systems is less likely to have been done, and if it has only been done as an IT compliance exercise you may still need to review it. Likewise for customer impact, regulatory impact and business licensing issues. Don’t skip these; you can thank me later.
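To make that prioritization concrete, here is an added illustration (not the author’s code) with a constructed asset list quantified by the cost and expected length of a ‘really bad day’, and constructed scanner findings with placeholder ids and estimated exploitation likelihoods: the expected-loss ranking it produces differs from the severity-only ranking.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    bad_day_cost: float    # cost per day of loss/compromise, from the business (constructed)
    bad_day_length: float  # expected days until normal operation resumes (constructed)

@dataclass(frozen=True)
class Finding:
    asset: str
    ref: str               # constructed finding id, not a real CVE
    cvss: float            # scanner severity, 0-10
    likelihood: float      # estimated chance of exploitation this year, 0-1 (constructed)

# Constructed asset list, quantified by what a bad day costs rather than by purchase price.
ASSETS = {a.name: a for a in (
    Asset("order-processing", bad_day_cost=250_000.0, bad_day_length=3.0),
    Asset("hr-portal", bad_day_cost=20_000.0, bad_day_length=2.0),
    Asset("marketing-site", bad_day_cost=5_000.0, bad_day_length=1.0),
)}

# Constructed scanner output: the highest CVSS score sits on the least valuable system.
FINDINGS = (
    Finding("marketing-site", "VULN-A", cvss=9.8, likelihood=0.6),
    Finding("order-processing", "VULN-B", cvss=6.5, likelihood=0.4),
    Finding("hr-portal", "VULN-C", cvss=7.5, likelihood=0.2),
)

def expected_loss(f: Finding, assets=ASSETS) -> float:
    """Expected annual business loss from one finding: likelihood x cost of the bad day(s)."""
    a = assets[f.asset]
    return f.likelihood * a.bad_day_cost * a.bad_day_length

def rank_by_cvss(findings=FINDINGS) -> list[str]:
    """The cyberchondriac ordering: severity alone, no business context."""
    return [f.ref for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_by_business_risk(findings=FINDINGS, assets=ASSETS) -> list[str]:
    """Business-context ordering: what a compromise would actually cost."""
    return [f.ref for f in sorted(findings, key=lambda f: expected_loss(f, assets), reverse=True)]

def loss_by_asset(findings=FINDINGS, assets=ASSETS) -> dict[str, float]:
    """Aggregate expected loss per business system, for the conversation with management."""
    totals = {name: 0.0 for name in assets}
    for f in findings:
        totals[f.asset] += expected_loss(f, assets)
    return totals

if __name__ == "__main__":
    print("severity order:", rank_by_cvss())
    print("business order:", rank_by_business_risk(), loss_by_asset())
```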

Most, if not all, of your conversations around business value, and threats to that business value, will require inputs from the top business echelons of finance, sales, marketing, R&D, design, warehousing, manufacturing, materials, engineering, transport, risk, etc. Don’t be too technical, and especially avoid offering cybersecurity anecdotes to show your understanding, but do seek to understand what their concerns are in terms of their own business specializations. Learn to listen to the emotion behind the problems being shared.
Only then will you be able to start mapping your understanding of the actual cyber threats that matter into their individual risk equations. Cyber threats are technical by nature, but if their prevention, detection, and resolution are not correctly prioritized in the context of impact to your specific business domain, the controls bought to address them can easily become financially crippling, and sadly almost always ineffective in delivering the functions for which they were purchased.
This exercise of understanding where the greatest value is created within your business is an essential first step in evaluating which cyber threats and which associated vulnerabilities could combine into cyber risks that could irreversibly damage your business. That state will be the foundation of your initial cyber risk posture assessment.
From here it becomes much easier: your cybersecurity understanding, in combination with the business perspectives shared by your colleagues, will readily allow you to define the prioritization of suitable controls and the appropriate measurements required to ensure that they are effective in reducing the cyber risks that matter. This prioritization then becomes the map for your cybersecurity strategy, a strategy with well-defined and measurable cyber risk managing deliverables. Perhaps even a strategy that can be started within your first 100 days?
Cyber threats to your business will always be present, as inevitably will the never-ending stream of new vulnerabilities and accidental errors in your business systems. There are many tools available to help you track and manage these, but the range of scanning and intelligence controls and their combinations, although they may look like compliance, often grow overwhelmingly in complexity and never seem clearly indicative of cyber risk you can manage.
Once you have determined your cyber security posture in the context of your own business risk, though, your ability to map and prioritize action and response shifts heavily in your favor. There are contemporary toolsets that help you automatically maintain your hard-won position by continually correlating threats and vulnerabilities in the context of your own business risk. These tools are described by Gartner as Continuous Threat Exposure Management (CTEM), and are seriously worth considering before changing or upgrading any of your operational security control platforms.
From a cyber risk posture perspective, though, I like to think that the secret value of the C in their acronym is not that they are Continuous, but that they are configured to map into the specific Context of your own business, so you focus only on risks that matter to your bottom line, not those of every other cyberchondria-driven security tool.