In numerous discussions and forums recently, the conversation about the need for a risk management approach to cybersecurity has quickly devolved into a discussion about cyber hygiene and, ultimately, a discussion about compliance (with perhaps some simple metrics thrown in).
This pattern of reducing a difficult but business-oriented discussion of risk to a trivial oversimplification is common within government and industry circles—and even among the most sophisticated CISOs. What we really need, however, is a holistic risk framework and a solid commitment to risk-based measurements in order to accurately understand and defend against the most serious cybersecurity threats facing our country. Too often we focus solely on cyber hygiene, which, while important, doesn’t fully address the more severe risks organizations face with increasing frequency.
Consider the analogy to personal hygiene. Do we believe everyday tasks such as brushing our teeth, washing our hands and taking a shower will prevent serious illnesses, birth defects or cancer? No. We believe that although good hygiene will help prevent many common ailments and even life-threatening diseases—from periodontal disease to the flu—it fails to thwart those more complex ailments. Because of this, we know we need to continue funding cancer research to find a cure, taking antibiotics for serious or chronic infections and leveraging technology such as MRIs to identify internal maladies that don’t respond to simple hygiene changes.
Simple practices don't prevent serious risks
In a similar way, cyber hygiene lends itself to simple surveys, compliance scans and audits. But will those perfectly acceptable practices help prevent more serious risks? I’d argue not, as those real risks often require something much more analytically sound and scientifically grounded. It is certainly good to be able to report that an organization passed an audit on a required security compliance regime, but it is difficult or impossible to describe how much risk was reduced by that level of compliance (or how much remains).
What is needed is a truly analytical framework that enables executives to communicate in the language of risk and the language of the business. And while I like some aspects of NIST 800-30 (mainly the definitions), it’s certainly not helpful for implementing a risk approach. At the highest level, a risk analytic approach should answer these questions:
- Which threats are most likely to occur?
- What are our greatest vulnerabilities?
- What would be the consequence if a threat event was successful?
Translating these into business terms is key, and measuring them so that risks and countermeasures can be prioritized is essential. Further, the approach needs to be analytically valid and automated, not just a once-in-a-while paper endeavor.
Just as people must maintain personal hygiene, organizations must maintain regular cyber hygiene for healthy outcomes. But it’s critical they don’t neglect the tools and processes that mitigate cyber risk—the most serious threats to our security. Both are critical, and it’s essential we understand the differences.
Are you seeing good examples of risk programs? Please share! In subsequent posts, we’ll discuss analytical approaches and review some good examples.