Cyber Risk Governance: Cyber Risk Management Beyond the CIO
There’s an awkward moment after you tell a Fortune 100 company, one that spends $90M a year on people and “best in class” security technologies, that 10,000 of their 25,000 endpoints are at various degrees of compromise. A flash of anger, fatigue, and disbelief is mixed with a frustrated lack of surprise. That awkward moment epitomizes 2016 as the year of the breach, the serial failure to compensate for a mismatch in threat, technology, and strategy. Security is not in a box, so what do we do now? We lead.
Cyber security is a fascinating leadership challenge because the need is absolutely “no fail”… without digital and network integrity, we struggle to survive in a global predatory jungle. This year, relentless leading news stories reminded us our lives exist in a state of ubiquitous digital risk and ubiquitous digital vulnerability. (Article) In 2016, the public realized cyber security is the nexus of defense from vulnerability and aggression between global threat actors and the average person.
“Information technology is widely recognized as the engine that drives the U.S. economy, giving industry a competitive advantage in global markets, enabling the federal government to provide better services to its citizens, and facilitating greater productivity as a nation.” NIST SP 800–39
“Organizations depend on information technology and the information systems that are developed from that technology to successfully carry out their missions and business functions. Information systems can include as constituent components, a range of diverse computing platforms from high-end supercomputers to personal digital assistants and cellular telephones. Information systems can also include very specialized systems and devices (e.g., telecommunications systems, industrial/process control systems, testing and calibration devices, weapons systems, command and control systems, and environmental control systems). Federal information and information systems are subject to serious threats that can have adverse impacts on organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation by compromising the confidentiality, integrity, or availability of information being processed, stored, or transmitted by those systems. Threats to information and information systems include environmental disruptions, human or machine errors, and purposeful attacks.
Cyber attacks on information systems today are often aggressive, disciplined, well-organized, well-funded, and in a growing number of documented cases, very sophisticated. Successful attacks on public and private sector information systems can result in serious or grave damage to the national and economic security interests of the United States. Given the significant and growing danger of these threats, it is imperative that leaders at all levels of an organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks.” NIST SP 800–37
Our lives and our businesses have been virtually exposed into a digital jungle filled with nation-state competitors, criminals, malcontents, idealists, guardians, corporate giants, family businesses, all employees, all customers, all patients, and even little old ladies. Yes, there have been many awkward moments in 2016 for sure. A new path is required for cyber risk management beyond information technology and across the entire organization.
A New Path, Cyber Risk Governance- Coup d’Oeil
Cyber risk is a board issue requiring oversight to ensure a unified and integrated effort reduces that risk across the company. Cyber risk permeates companies beyond traditional network risk. A cyber risk mitigation strategy needs to be developed, implemented, and sustained across the entire corporate organization. Cyber security is the nexus of businesses’ network defense. The network is the gateway into the kingdom. Cyber risks must look at the matrix of organizational risks and vulnerabilities driving insecurity through people, processes, technologies, and products. Those organizational risks are beyond the purview of IT. The finance and insurance industries offer insightful paths for other industries to consider.
Cyber Risk Governance: Ubiquitous Cyber threat + Ubiquitous Cyber Vulnerability + Ubiquitous Cyber Risk = Cyber Organizational Risk Management
In business, we follow the money. An Advance Notice of Proposed Rulemaking (ANPR) was jointly issued by the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) on October 19, 2016. Cyber risk management and improving organizational resiliency is the focus of the notice for banking institutions. The document foreshadows the future ahead for those financial institutions with over $50B in assets. Their premise is simple: cyber risk is institutional risk. The notice elevates cyber risk directly to the Board for oversight and seeks to normalize the organizational risk management approach across the C-Suite. A frustrating reality facing CIOs and CISOs for some time is the responsibility to reduce cyber risk beyond their ability to control, in areas clearly beyond their authority, and even sometimes beyond their influence.
The ANPR notice elevates cyber risk beyond the CIO by outlining enhanced risk standards and expectations in five categories:
- Cyber risk governance (How does the Board govern cyber risk?)
- Cyber risk management (How does the business manage cyber risk?)
- Internal dependency management (How does the business manage internal assets, plans, practices, technologies, procedures, etc. that create cyber risk?)
- External dependency management (How does the business manage external assets, plans, structures, 3rd Parties, etc. that create cyber risk?)
- Incident Response, cyber resilience, and situational awareness (What’s the CIO and CISO’s plan to identify, defend, mitigate, and recover from threats? How do they maintain organizational visibility on emerging cyber threats, and how does that affect business operations and continuity?)
Conspicuously, cyber risk insurers look to organizational risk management, not technology, to reduce cyber insecurity. There is a necessary expectation by insurers that a complement of security technologies and expertise will vigilantly defend the network, but it’s through organizational risk management that insurers lower their cyber risk. At face value, this may seem an indictment of the security industry, but 2016 demonstrates security appliances cannot compensate for unmanaged organizational risk. More boxes, more people, and next generation technology will not reduce cyber risks or bring better security. Cyber risk is an organizational challenge. It needs to be said that defending the network is likely the most difficult technical challenge in the Digital Age of business. Despite their valiant efforts, CIOs and CISOs, their network admins, and security analysts are simply overwhelmed technically, operationally, and strategically. As is typical of most networks, human behavior and human nature are glaring weaknesses exploited by attackers, who gain further advantage from misaligned organizational practices and procedures. Some experts estimate that 95% of all cyber risk is based on human and organizational behavior. Leadership is required to assess, mitigate, and reduce organizational (cyber) risks. An over-reliance on technology to compensate has failed and will fail. Spear phishing (clicking on bad things), patch management, and poor password discipline are prime examples of attacks and vulnerabilities where a stronger “back to the basics” corporate security-minded culture can make a measurable difference. Better cyber hygiene, a security-minded corporate culture, and vigilant realignment of company-wide procedures and practices will significantly reduce cyber risk for most companies.
Who Leads Organizational Cyber Risk Mitigation? Your CIO? Maybe not.
Cyber risk is business risk, and 2016 demonstrates the extraordinary risk climate, which requires the oversight of the Board and the leadership of the entire C-Suite. Typically, the institutional home for risk mitigation has been led by the CFO or consolidated within the authority of the Risk Mitigation Officer, not guided by a CIO. The CIO and CISO battle three realities: 1) Technology is only part of effective cyber risk reduction; 2) Admitting that technology investments are expensive and insufficient, but still necessary, relegates them to a perpetually inadequate “cost center” seat at the table; 3) Organizational cyber vulnerabilities beyond their control undermine their efforts to defend the network. It takes more than the CIO to map the organization to a sustainable cyber risk-reducing framework like NIST 800 or ISO 27001. Once realigned, it is sustainable. It’s necessary for leaders to come to terms with the situation and forge a path forward that’s effective. Engage and embrace the organizational and people-centric realities or ignore them at your peril. Assessing, understanding, and mapping cyber risks organizationally is a business leadership imperative, not a CIO-driven effort, or at least not for now, in most organizations. Effective cyber risk reduction requires the leadership of all.
In the NIST Cyber Security Model (Levels 1–5), we see the evolution of business cyber risk unfold. We are expanding this model to improve security outcomes in today’s ubiquitous threat environment. In 2016, the year of the breach, the need to manage business (cyber) ecosystem risk by asserting greater authority is the foundation for a new Level 6 in our version of the NIST Cyber Security Maturity Model. We believe this new level drives the conversation forward towards improving cyber risk-reducing outcomes. Since our earlier article, the concept for a Level 6 encompasses the CIO, but may not necessarily be led by them.
As “Defense in Depth” was adapted from US military strategy, so do we adopt and adapt “Unity of Effort” as an appropriate concept to describe the actions required across the C-Suite to reduce business cyber risk. A common broad-based definition: “Unity of effort is the state of harmonizing efforts among multiple organizations working towards a similar objective. This prevents organizations from working cross-purposes and it reduces duplication of effort. Multiple organizations can achieve unity of effort through shared common objectives.” Unity of effort is the empowering core of enhanced cyber risk governance and the catalyst for effective cyber risk reduction. Unity of effort is the cohesive glue that holds organizations together under assault, in the defense and during resilient growth. It is entirely leadership driven, but permeates the culture, processes, procedures, technology choices, and other internal and external dependencies.
The Phalanx: The Need for Stronger Industry Alliances
As unity of effort plays an essential role within companies to reduce organizational cyber risk, stronger alliances must be formed by industry to provide better, more coherent, and more valuable solutions. Industry needs to provide coherent solutions through performance-driven alliances. Boards and C-Suite leaders need the outside assistance and perspectives of consulting organizations who can see the challenges organizationally, functionally, and technically. An industry alliance of coherently integrated experience, services, and technologies offers remarkable value to companies seeking to reduce cyber risks. Once assembled and proven, an industry alliance approach is scalable.
Mapping the alliance capabilities to an existing cyber risk reduction framework like NIST 800 series or ISO 27001 bridges capabilities to cyber risk reduction outcomes. It provides the roadmap for the Board and key leaders to make a buying decision. An industry alliance driving risk-reducing outcomes and better results will overcome legacy “non-bias” arguments made by consultants. Boards and corporate leaders need to embrace those whose reputation is tied to results, not just beautifully bound and printed documents. Comprehensive cyber risk assessments should also reveal vulnerabilities outside these current frameworks, and connect them to reduce risks. Corporate leaders and their boards need help to understand, manage, and reduce their cyber risk.
Partners work together with a focus on limited business purpose and limited joint value. An industry alliance reflects a deeper cohesion, driven by results, unified through common purpose, and committed against common adversaries. The customer does not want a hodge-podge collection of incoherent security capabilities and canned consultant reports. This non-solution plagues the industry now. The customer wants a cyber risk reducing OUTCOME… a sustainable, defendable network with affordable risk transfer options, and an acceptable level of residual risk. Build the industry alliance through companies with services and technologies that can deliver on the unified promise and purpose. Together, “we” can deliver extreme value through results.
Industry alliances built on trust, performance, competitive strength, and value can only be sustained through results. The cyber marketplace is overwhelmed and fatigued by broken promises and vacant solutions. Assess the market for emerging technologies and services with 80% or better complement, and then integrate them. Build a team that has the vision, insight, and capabilities to fluidly integrate them from the strategic, through the operational, and down to the technical level. A new approach towards reducing cyber risk integrates allies and their unified core value proposition in a bundled fashion. A task force-like concept will deliver customers results across their organization.
Reduce Cyber Risk Through Unified Expertise, Technology, and Risk Transfer:
Leverage Industry Allied Consulting Expertise
1) Engage clients through the C-Level Leader who has broad-based organizational influence and understands organizational risk management.
2) Develop a healthy path to the board that condenses and accurately speaks to organizational cyber risks, separating technical jargon from cyber’s core business impact in terms of risk, operations, and vulnerabilities, liabilities, and costs.
3) Consulting success must be tied to reducing organization-wide cyber risk: Assess, Understand, Prioritize, Enable. What are the keys to the kingdom and other vulnerable business-essential components? How are they vulnerable? What are the critical elements to comprehensively reducing their cyber risk?
4) Integrate strategy with the dynamics inside the organization, culture, and build a coalition of the willing whose best interest is aligned with cyber risk reduction, beyond mandates. No easy task.
5) Recognize the existing investment, pride, and challenges preventing cyber risk reduction.
6) Align cyber governance, cyber risk management strategy, technology acquisition strategy, operations plan, and risk transfer strategies to reflect ground truth realities and identify an achievable path to transformation… from ‘As is’ to ‘To be’. No easy task.
7) Map organizational threats, vulnerabilities, gaps, needs, against your Allied products and services within a recognized cyber framework, NIST 800-series, etc.
Leverage Industry Allied Technologies and Services
8) Technologies (and services) supporting an organizational risk assessment should provide insight, direction, and actionable intelligence during the consultative phases.
9) Position technologies (and services) to reduce workloads, fill known performance gaps, and ease human capital constraints. ‘Threat transfer’ from low density/high cost expertise (SME intrusion analysts) to a high-density sustainable employee base (quality network admins) by integrating better processes and automating your defenses.
10) Don’t chase the 1% threat, reduce the broader risk by concentrating on the network architecture, operations, and admin fundamentals.
11) Use highly accurate, automated 3rd party internal and external risk assessment technologies that validate self-reporting and manual methods.
12) Leverage constant risk monitoring, externally and internally, so that alerting and scoring provide visibility into actual attacker behavior and organizational behavior, by monitoring a customer’s attack surface, employee behavior, and network behavior in an integrated fashion. Tip and cue through machines first, and humans second.
13) Provide risk visibility in “real-time” to leaders and defenders. Scale risk-based network awareness into ACTIONABLE intelligence for network admins and security analysts.
14) Establish cooperative and non-cooperative visibility and triage third party cyber risk. Give Corporate Governance visibility to their ecosystem cyber risk.
15) Integrate actionable threat intelligence across defended networks using the global threat visibility of large provider networks, powered by innovative internal security technologies. Provide services that translate threat intelligence into actionable tasks for network admins; don’t assume they get it.
16) Combine digital blockchain encryption technologies and network integrity monitoring to ensure documentation integrity, network behavior, and internal network data segmentation protect the most valuable digital assets.
17) Fully integrate across a large reliable provider architecture that reduces the infrastructure complexity that increases cyber risks.
18) Package consulting, technologies, and services within a strategic vision. Allies are only those that can deliver. Articulate the vision. Only results matter.
THE GOAL- Ubiquitous Cyber Risk Reduction Through Ubiquitous Defense: Defend the network everywhere.
Visibility for Allied Risk Transfer Orgs
19) Provide insurers accurate organizational and technical assessments through risk scoring that is supported by threat and vulnerability data.
20) Provide constant monitoring, so risk scoring could be indexed to novel approaches like “adjustable rate insurance premiums” based on the daily or average risk score.
21) Provide network visibility and audits without compromising traffic or intellectual property, and without creating vulnerability through unintended effects.
22) Provide accurate visibility through external constant monitoring for breached data, compromised accounts, and attacker activities targeting the insured client.
23) Reward customers for managing organizational risk and risk metrics with lower premiums and better comprehensive coverage.
This isn’t easy. Yet, there is a clearly defined need in the market resulting from the consistent failure of fractured approaches. Global industry must consolidate and reorganize after 2016, and embrace these strategic cyber challenges with a comprehensive approach. Our effectiveness will have implications for generations to come. We must have the will to fight and the will to lead.
So what do we do now? We lead.