Our language for describing and discussing cybersecurity risks is failing. It’s failing to elevate our conversations with boards and company executives. It’s failing to provide a full picture of an organization’s security risks. It’s failing to garner investment in critical processes, technologies and people to defend organizations from cyber threats.
To solve a problem, we need to know where we’ve been and where we’re going. We’ve used the same language to describe risk for many years: risk = likelihood x impact.
But risk is not as simple as a formula with easy calculations. Instead of simplifying the situation, we’ve added cybersecurity terms like threat, vulnerability, threat actor, exploit and probability that make this harder. We further complicate the problem by using terms such as threat, threat actor and vulnerability interchangeably.
These terms are defined by NIST and other standards and accrediting bodies, but in practice, we often conflate them, confusing ourselves and the audience we’re seeking to enlighten.
Systems are more complex than ever. The number and complexity of attacks have increased, and new languages, tools and computing capabilities have advanced at a rapid pace. The scale of impact has also increased exponentially, resulting in thousands of attacks, such as NotPetya, SolarWinds and the Exchange Server hacks.
How should we talk about risk?
We need ways of talking about risk that do the following:
- communicate levels of danger to our intended audience;
- are relevant to decision-makers;
- lead to decisions, actions, investments and implementation;
- are repeatable and broadly usable across a variety of industries; and
- are backed by comprehensive data that indicates risk levels.
Organizations have inadequately addressed this problem in several ways:
- by writing Securities and Exchange Commission 10-K filings with risk factors that are generic and divorced from the underlying business;
- by estimating the probability of a material impact in the next three years with unhelpful calculations;
- by calculating and tracking the mean time to identify, investigate and respond to incidents, metrics that provide good insight but not actual solutions;
- by applying the Factor Analysis of Information Risk methodology when there’s limited quantitative information;
- by filling risk registers with identified issues and tracking items through a risk mitigation process to resolution; and
- by outsourcing risk scores from various systems in an attempt to capture risk in a single value analogous to individual credit scores for loans.
Business leaders need access to cyber-risk data about their systems and third-party ecosystems. With digital transformation driving more systems to the cloud and more cloud services providing business value, this type of data is crucial. Ecosystem data will not only indicate the cyber risk, but give enterprises a more complete, contextual view of their overall risk. Upon analysis, enterprises will discover their remediation priorities so they can better manage risk and act before a potential security incident.
How should we manage risk?
Organizations must learn what drives their risk and how it connects to other organizations’ risks.
For example, a client looked at its supply chain and third-party risks and grouped them into high, medium and low ranges based on a composite cyber-risk score. It rated each organization based on its importance to the client’s delivery and value chain.
Surprisingly, the client found a small number of vendors in each category were critical — or, inversely, high risk — to the company’s success. Armed with this more detailed data, it became apparent there was a small number of companies — much smaller than the initial high-risk group — with an outsized impact on the company’s success.
One note: For this example, we treated supply chain and third-party risks interchangeably rather than limiting supply chain risks to partners that provide materials to us and third-party risks to the dependencies responsible for delivering our products.
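The vendor triage described above, written out as an added example that is not part of the article and not the client’s actual method. The vendor names, the three external risk factors, their weights and the band thresholds are all constructed assumptions; the point it shows is that the list of vendors that matter (critical to the value chain) is smaller than, and not the same as, the list that a composite score alone puts in the high-risk band.

```python
"""Added example: combine a composite third-party cyber-risk score with
business importance to find the short list of vendors that drive risk.
All vendor data, factor weights and thresholds below are constructed."""

# Constructed sample data. Each factor is 0-100 (higher is worse);
# importance is 1 (low) to 3 (critical to the delivery and value chain).
VENDORS = {
    "vendor-a": {"exposure": 90, "patching": 80, "incidents": 70, "importance": 3},
    "vendor-b": {"exposure": 85, "patching": 75, "incidents": 60, "importance": 1},
    "vendor-c": {"exposure": 80, "patching": 70, "incidents": 65, "importance": 1},
    "vendor-d": {"exposure": 70, "patching": 75, "incidents": 65, "importance": 2},
    "vendor-e": {"exposure": 50, "patching": 60, "incidents": 40, "importance": 3},
    "vendor-f": {"exposure": 20, "patching": 30, "incidents": 10, "importance": 1},
    "vendor-g": {"exposure": 55, "patching": 45, "incidents": 50, "importance": 2},
    "vendor-h": {"exposure": 30, "patching": 25, "incidents": 20, "importance": 1},
}

# Assumed weights for the composite score; they must sum to 1.0.
WEIGHTS = {"exposure": 0.40, "patching": 0.35, "incidents": 0.25}

# Assumed band thresholds on the 0-100 composite score.
HIGH_THRESHOLD = 70
MEDIUM_THRESHOLD = 40


def composite_score(vendor):
    """Weighted sum of the external risk factors, rounded to 2 decimals."""
    return round(sum(vendor[f] * w for f, w in WEIGHTS.items()), 2)


def risk_band(score):
    """Map a composite score onto the high / medium / low ranges."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def assess(vendors=VENDORS):
    """Score and band every vendor, keeping its business importance alongside."""
    result = {}
    for name, data in vendors.items():
        score = composite_score(data)
        result[name] = {
            "score": score,
            "band": risk_band(score),
            "importance": data["importance"],
        }
    return result


def high_risk_group(assessments):
    """The naive view: everyone in the high band, worst score first."""
    names = [n for n, a in assessments.items() if a["band"] == "high"]
    return sorted(names, key=lambda n: -assessments[n]["score"])


def priority_vendors(assessments):
    """The contextual view: vendors critical to the value chain (importance 3),
    in any band, worst score first. This is the set with outsized impact."""
    names = [n for n, a in assessments.items() if a["importance"] == 3]
    return sorted(names, key=lambda n: -assessments[n]["score"])


def critical_per_band(assessments):
    """How many critical vendors sit in each band; shows the short list is
    spread across bands rather than confined to the high-risk group."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for a in assessments.values():
        if a["importance"] == 3:
            counts[a["band"]] += 1
    return counts


if __name__ == "__main__":
    a = assess()
    for name, row in sorted(a.items(), key=lambda kv: -kv[1]["score"]):
        print(f"{name}: score={row['score']:6.2f} band={row['band']:6} importance={row['importance']}")
    print("high-risk group:", high_risk_group(a))
    print("priority (critical) vendors:", priority_vendors(a))
    print("critical vendors per band:", critical_per_band(a))
```

The two lists disagree in both directions: vendor-b and vendor-c score high but are unimportant to delivery, while vendor-e scores only medium but is critical. Reporting the composite score alone would have put investment on the former and missed the latter; the importance rating is the context that turns a score into a decision.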
Organizations need to stop focusing on tedious, manual data collection and analysis and focus on risk management as a whole. Standardizing the way industries assess third-party risks, rather than requiring organizations to answer irrelevant and redundant questions, helps free the supplier and the customer to focus on mitigating risks and securing their organizations. Automated risk insights and validated cyber-risk data can help organizations gain an accurate view of their overall risk, enabling them to quickly identify vulnerabilities and mitigate risks before they pose a significant threat.
By preparing and thinking about how to detect events, even in adverse conditions, organizations can drive an early response and recovery effort. Early detection, response and recovery make organizations more resilient during unforeseen or highly unlikely events.
About the author
Todd Inskeep has over 30 years of security leadership and innovation experience. He currently leads Incovate Solutions, where he focuses on executive engagement to support security throughout digital transformations. He has been a CISO and has led cybersecurity assessments for global and regional companies in the oil, gas, pharmaceutical, financial, and high-tech and global manufacturing industries.
Inskeep has multiple patents and was executive-in-residence at MIT Media Lab. He started his career at the National Security Agency and holds a bachelor of science in electrical engineering and a master of science in strategic intelligence.