Open in app

Sign in

Write

Sign in

Sometimes That Cyber Risk Shouldn’t Be So Quickly Accepted

Opinionated Security
CISO & Cyber Leaders
Published in
10 min readDec 23, 2020

Is the cyber security team performing their duty, if, without further action, they accept any cyber risk that could potentially put the company at significant risk including potentially a position that may be considered negligent? There has to be a more reasonable answer to the increasing trend of allowing any risk to be accepted because in the name of “enabling” the business.

Cyber teams are often between a rock and a hard place. Cyber teams can’t abdicate their responsibility to inform the company about cyber risks in the name of enabling the business. They also can’t always be obstructing the business especially when the obstruction starts late in a deployment process.

I’d suggest that a sound model to emulate here is the legal team. The legal team certainly doesn’t abdicate their very similar role in informing the company about legal risks. Neither, then, should the cyber team do so around cyber risks.

RISK ACCEPTANCE

For review, there are four choices that an organization can make about cyber risks.

  • avoid (not start the risky activity at all or stop the activity entirely)
  • accept (start or keep doing whatever the risk is)
  • mitigate (I use the word, “treat” in this post)
  • transfer (usually covering by cyber insurance or contracting out the risk)

What’s often forgotten is that multiple choices can be made such as mitigating part of a risk and accepting some other part of the same risk.

Risk acceptance is fundamentally the easiest choice for the business owner while risk avoidance is often the most easy for the cyber team. This puts these two teams at odds from almost the beginning of the process. Usually, the cyber team identifies a risk and says, “stop.” The business owner then says that they want to keep doing whatever activity contributes to that risk.

These simple but opposing viewpoints are the source of a large percentage of security friction in most organizations. Once a wise cyber practitioner understands them, they can work to remove that friction right from the starting point and find solutions that both enable the business and meet the security requirement (or some temporarily acceptable substitute.)

To provide the reader some context, I’m a huge believer that the cyber team should enable the business. I’ve been a champion of enabling the business long before it was starting to become cool. The is little room for the cyber security team to be the “Department of No”. This is especially true when there seems to be plenty of evidence that the users will go on to find a way to do what they need to do anyway…. usually in the most risky and least insecure way. Saying no all of the time isn’t a value additive strategy over time.

The company’s overall cyber risk is the sum total of each of these more granular risk decisions so the fundamental question isn’t whether or not a given cyber risk should be accepted by the business owner. The fundamental question is if the acceptance, transfer, or treatment of a particular cyber risk being considered by the right level within an organization’s leadership. “Right level” meaning a level of leadership that has been empowered and formally delegated within the organization to make risk decisions relative to that particular type of cyber risk.

Imagine if a given cyber risk that was so quickly accepted later became the root cause of an incident. After the details of the incident are escalated, the executive team, C level, or Board then say the dreaded words that no security practitioner wants to hear — something along the lines of “if we had known about this cyber risk, we would not have accepted it [e.g. made a different decision or resourced whatever was needed to treat the risk or avoided that cyber risk entirely].”

No cyber leader wants to be in that situation. I’d imagine that such a situation might have potential “job in jeopardy” implications especially if it wasn’t the first time.

The premise of this blog post is that there are some cyber risks that exceed our delegated ability to determine risk acceptance. These risks need to be identified and elevated to a different executive level (VP, the C level executives or perhaps even the Board) in order to ask them if they are willing to accept the same risk. The cyber team should own the responsibility for ensuring that acceptance of cyber happens at the right level.

EVERY VIEWPOINT IS IMPORTANT TO ENABLE THE BUSINESS

A key point is the risk acceptance decision process needs to fairly account for all sides involved in the decision inputs. It should neither be the way for the cyber team to control all decisions nor the way for a cyber team to be lazy and just let the business owner make all of the calls. The business owner should have a voice in the process in order to explain why the opportunity is greater than the risk. The cyber team should have an equal voice in explaining the risks associated with acceptance. For significant opportunities that carry enough reward, the real risk owners (hint: usually not the cyber team and perhaps well above the cyber team) can weigh the fairly presented inputs of each side and make what is ultimately the right decision for the company. Note that this decision might be made even in the face of ongoing elevated potential for cyber risk.

As cyber security professionals, we have to be ok with the decision if we mean what we say and are truly focused enabling the business. No business decision is truly risk free. The risk has been documented, considered, and adjudicated at the right level and so we can go through the risk acceptance process knowing that the full range of viewpoints where considered.

I’ve grown into the viewpoint that enabling a process for being inclusive of a range of viewpoints upon which the best business decision can be made is the best way to enable the business. Even if accepted, most rational organizations will find a way to minimize the amount of risk even when a great business opportunity presents itself.

So where do we start?

A MODEL THAT WORKS FOR MY ORGANIZATION

In my organization, the path to the executive team for accepting some critical enterprise risk is through the CISO laterally moving though the enterprise risk management (ERM) function and then upwards into the executive team.

We started by gaining agreement with the ERM on the concept of a cascading delegation tree for risk. The underlying assumption of our agreement is that the Board is the owner of all risk within the company. The Board delegates decision making about certain risks to the executive team who then delegates decision making about most of the operational risks to ERM. It’s the ERM that then further delegates decision making about most cyber related operational risks to the CISO and the cyber team. No matter the delegation, the accountable risk owners are still way above the CISO and ERM.

This delegation through the ERM also doesn’t remove the CISO or the cyber team from the decision making process. We are still the subject matter expertise whose job it is to help decision makers regardless of level to understand a given cyber risk and gently guide them to a decision that meets the needs of all parties.

The result of that agreement between cyber and ERM was a five point decision tree that outlined and classifications for each escalation decision. At a conceptual level, the taxonomy we used resulted in 5 decision making levels for acceptance of any given cyber risk.

5 — Critical cyber risk that warrants an out of band risk elevation to the ERM and likely the executive team. There is either not time to apply controls or the controls that can be applied would still yield a critical level of residual cyber risk which puts the company at immediate risk.

4 — Severe cyber risk to be considered at next ERM meeting. The risk itself meets certain well defined criteria around the amount that residual risk remains after recommended controls have been applied OR the risk meets the criteria for #3 and the business owner does not want to or cannot implement the cyber risk treatment plan recommended by the CISO resulting in a potentially unacceptable level of untreated risk. This level may also include risks with certain criteria that are transferred and the contracted organization doesn’t possess the appropriate controls to treat the risk.

3 — Serious cyber risk that the CISO can choose to accept or transfer without additional controls put in place or after a recommended set of additional controls are made part of the cyber risk treatment plan.

2 — Abnormal level of cyber risk that the VP level business owner can accept or transfer without additional controls Or risk that meets the abnormal criteria that has a cyber risk treatment plan on which a manager level business owner and the cyber security teams agrees.

1 — Routine level of cyber risk that any manager level business owner can accept or transfer without additional controls being required.

The taxonomy for the above scale (critical, severe, serious, abnormal, and routine) is important as the classifications will determine the balance of where cyber risks are adjudicated. You certainly don’t want to miss risks that the ERM as proxy for the executive team would care about. You also don’t want or need to have the ERM involved in every single cyber risk decision.

Using this system and its related well crafted taxonomy, you will have pre-negotiated the list of cyber risks that are delegated to business owners to make and their level as well as to the cyber security team. In short, we should never have an executive that is unaware of a risk acceptance decision because the decision wasn’t elevated to the proper level.

APPLYING THE CONCEPTUAL PROCESS TO REAL LIFE

We learned a lot as we started to apply the above conceptual process to real life cyber risk management.

Beware Of Over-scoring: If everything is critical, nothing is critical. I like to say that, if you think about any cyber risk long enough, you’ll generally find something that will make you think that the risk is critical. If you find that your center point density of cyber risks are around “severe” or “critical”, your taxonomy likely isn’t correctly tuned for your organization. You’ll want the density of your cyber risks to be between 2 and 3 so that the 4s and 5s are obvious outliers that need the immediate attention that they deserve.

One approach that may help is to remember that you need to think of the risk before and after any risk treatment plan is applied. You might have a critical risk that is significantly reduced by a risk treatment plan and a business owner that is agreeing to apply the risk treatment plan.

Don’t Start Measuring Too Early: In order to improve any process or enterprise program, you need to be able to measure it. The same holds true with the cyber risk decision making process. The approach outlined in this post will provide tons of juicy data points upon which senior cyber leaders will be able to build compelling metrics and other measurements. That said, any wise security practitioner will want to run a proof of concept for a few months to ensure that the initial taxonomy, definitions, and balance of decision making are correct. Once the data is clean and accurate, you can start reporting on the progress of the program.

Accept Cyber Risks Only For A Negotiated Period Of Time: There should never be risks that are accepted forever. I’ve been doing this a long time and never seen a cyber risk that couldn’t be time-boxed in some acceptable meaningful way with some thought. At some point, it should be put under a risk treatment plans or compensating controls put in place. For the seemingly impossible cyber risks to mitigate, the risk should have a plan to transfer or sunset after some period of time. The time and the path to mitigation or avoidance should be clearly articulated in the terms of the risk acceptance form.

Plan For The Inevitable Audit or Regulator Review: Not all auditors will understand why we accepted certain risks and, in the worst case, not all cyber risks end as we hope meaning that regulators may become involved after the risk turned into a reportable incident. Your organization may also need to file a cyber insurance claim at some point because of a cyber risk that had been accepted. In order to prepare for these, you’ll want to ensure the following:

  • The entire cyber risk acceptance process is documented and available. Auditors and particularly regulators will need to see that you have a repeatable and known process to make informed decisions about cyber risks and that you aren’t just letting anyone make risk decisions willy-nilly.
  • The full documentation and outcomes of any given risk acceptance decision can be associated with its corresponding specific line item in your cyber risk register. This will be especially important for any risk decisions from level 3 to level 5. You’ll want to be able to demonstrate that any risk decisions in question were prudent and well thought out based on available information.
  • A summary of a given cyber risk decision that includes both the rationale presented by the business owner and the risks highlighted by the cyber team. With this summary, auditors, regulators, or anyone from the cyber team can easily rebuild and understand the key decision inputs if needed.

SUMMARY

So the good news is that the cyber pendulum seems to be swinging towards enablement. And, I believe the pendulum swing in that direction is a good thing. Business owners need to own their risks rather than viewing the cyber team as owning all cyber risk.

Like almost all pendulums, however, there is some danger that the pendulum could swing too far and become something else other than enablement. For example, at the first sign of pushback, the cyber security team at worst just shrugs and moves on without documenting the risk, or, at best, the first line supervisor signs a risk acceptance form regardless of the nature of the cyber risk involved and then everyone moves on.

Cyber teams, like legal teams, exist to inform of the potential consequences of risk as part of their duty to protect the organization that they serve. Ensuring that cyber risk is adjudicated at the right level is part of that duty. What’s new is that this might mean a risk decision that is elevated beyond the cyber team.

In my view, the right decision being made for the business is more enabling than blindly accepting every decision made by the business.

Finding a balance that works for everyone is the key.

As a senior cyber practitioner, that balance is yours to find.

For more insights into how cyber leaders can best enable the business and build rock solid cyber programs, please follow me on Twitter at @opinionatedsec1

Ciso
Risk
Cybersecurity
Infosec
Leadership

--

--

Opinionated Security
CISO & Cyber Leaders

Written by Opinionated Security

66 Followers
Editor for

Tony Grey * CISO for an insurance company * grew team from 3 to 22 * led large software teams at Microsoft * blogs about cyber leadership & program development

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams