Digital transformation demands more cybersecurity, not just because it means “more IT” but also “riskier IT.” Newer technologies – such as mobile devices, social networks, cloud computing, artificial intelligence (AI), and the Internet of Things (IoT) – tend to emerge without adequate security built in, or to disrupt existing security models. Deeper blends of the virtual, physical, and social worlds merge into something new, often with profound security implications. In extreme cases, digital outages or cyberattacks could stop elevators, crash vehicles, start fires, explode pipelines, or turn off medical devices.
Cybersecurity for the digital business addresses “information risk,” which includes “cyber-risk” (from attacks on IT), “IT operational risk” (from IT errors, failures, and outages), and compliance risk. It’s the security leader’s job to propose controls or workarounds to protect the business, whenever possible in a way that doesn’t impede or slow innovation. It is the business leader’s job to work with security to balance opportunity and risk.
One would think it should be easy to gain executive-level support and information risk ownership. But as we see from many surveys, cybersecurity still isn’t considered strategic by many executives.
What is creating this cybersecurity deficit, not only in executive awareness but in security programs themselves? With all the news coverage of cyberattacks and vulnerabilities, there’s a sense of drowning in information risk, a feeling that cybersecurity is only getting worse. But there’s no clear accounting of how bad it is, how we can fix it, how much that should cost, and what we should do today.
What if we could account for information risk? Imagine risk appearing on a business’s future- or forward-looking accounting ledger or forecast, as shown in Figure 1. Much as forecasted operating assets and revenues comprise the “assets” side of the ledger, outflows from risks that could materialize into losses could join forecasted business expenses on the “liabilities” side.
Figure 1: Risk on a Conceptual Accounting Ledger
Source: “Rational Cybersecurity for Business: The Security Leaders’ Guide to Business Alignment,” Copyright © 2020 by Dan Blum. Published by Apress, available under open access license at: https://www.apress.com/gp/book/9781484259511. This figure and portions of this post are excerpted from the book.
The typical business doesn’t (yet?) have a ledger like Figure 1’s. However, risk is the context and raison d’être for security programs. What’s less well understood is that just as business executives are accountable for the financial bottom line, they’re also accountable for risks. Business leaders – such as the CEO and lower-level line of business (LOB) leaders – are the “risk owners.” (The CEO is accountable to the public, and lower-echelon risk owners are accountable or responsible to the CEO.) Risk owners must ensure that actual losses remain at a tolerable level, and doing that requires risk management.
The good news is that many businesses do track risks at the enterprise level using a “risk map” or “risk register.” The risk map is a common tool used in enterprise risk management (ERM) to represent the top risks to the business. Top risks may be presented as a simple list from 1 to N or displayed on a graph of their potential impacts. These are business risks around big market conditions, competition, and liability scenarios, as well as operational risks not limited to IT.
As I wrote in Rational Cybersecurity for Business: The Security Leaders’ Guide to Business Alignment, I strongly recommend that security leaders weave information risks into the enterprise risk map presented to executives. Engage business and IT managers to develop assumptions about potential business impacts and to make security concerns more transparent to the business.
Just as business and security leaders must align on risk management (the Big Why), managers and staff down the organizational ladder must align on identifying assets at risk, their vulnerabilities, and the threats to them (the Big What) as well as security countermeasures and controls for managing the risk (the Big How).
The day your CISO can present to the Board in a way that quantifies information risks, weaves them into the risk map, and puts them on a conceptual ledger like my figure using numbers from the latest annual report will be the day cybersecurity really matures at your business.