What InfoSec Pros Are Getting Wrong With Cyber Risk Acceptance Forms
As information security professionals, we love the easy answers when easy is available. We should, because there is so little that is easy about our career path. That said, the easy path may help us personally but often does little to accomplish our goal of protecting the organization that we serve.
It is tempting to take the path that seems right at the expense of putting in the process work that would better serve our organization. The better solution serves the organization both while an incident is still only a risk and after that risk has materialized into an incident.
Here is one example.
I was watching an information security podcast recently and the interviewee, an industry thought leader, was asked how they deal with situations in which the business isn’t on board with making recommended security changes. The interviewee proudly talked about having a risk acceptance form and telling the person who didn’t want to make the change that the cyber risk had been documented and that they would need to sign the risk acceptance form. The interviewee also casually mentioned that no one ever signs the form, but that not signing the form didn’t matter and the responsibility for inaction would still pass to the person. There was no further comment about the process, so one can assume that no further action would be taken around accepting that risk.
Infosec pros generally are aware of this approach and support it primarily because we feel that the cyber risk form in some way “protects” us and our interests as cyber professionals. We see cyber risk acceptance in everything from physical endpoints to application security. The approach, however well intentioned, raises a number of questions about both our role as infosec professionals and the effectiveness of an unsigned piece of paper in the organizations that we are trying to protect.
Let’s think about some of the issues that the cyber risk acceptance form does not necessarily resolve:
- The person being presented with the risk acceptance form might not actually be responsible for making decisions about the risk
- The person might be responsible for the risk, but not have the authority to accept the risk
- The person responsible for the risk may not have the right resources to treat the risk now or in the future
- The person responsible for treating the risk might never be made aware of the risk, and so never gets the chance to make the right decision
- The cyber risk might not ultimately be as pressing as the infosec team presented it
How much standing would an unsigned cyber risk acceptance form carry if any or all of the above were true? Not much.
Think these don’t apply? Any cyber practitioner who has worked in an organization with significant tech debt and legacy systems knows that tech debt eventually becomes infosec debt, and that ownership of fixing tech debt isn’t nearly as clear-cut as we would like.
Further complicating the effectiveness of the cyber risk acceptance form is the fact that some cyber risks should never be accepted. A cyber practitioner who allows blind acceptance of a negligent activity without developing and tracking a treatment plan for that cyber risk isn’t doing their organization any favors. Don’t believe me? Ask your general counsel.
Then, you have the potential “boomerang effect” of your cyber risk acceptance form. The cyber risk goes south and your incident response team has a really bad day or week. Later, the regulators arrive and start asking questions. You show them your unsigned cyber risk form and explain that you identified the risk and got only inaction in return. The regulators then identify and interview the rightful owners or decision makers for that risk. They say that (1) they were unaware of the cyber risk and (2) had they known about the risk, they would have made a different decision. You have no formal process for raising the visibility of the risk, nor proof that you ever tried to. The unsigned cyber risk form can easily become the catalyst for the blame to boomerang back on you.
Hopefully, this helps to clarify that an unsigned risk acceptance form protects neither you nor the organization that you serve.
So, how should cyber practitioners deal with business process owners who aren’t voluntarily putting significant cyber risks under risk treatment plans? A form isn’t going to help you. You’ll need a process and a taxonomy for managing cyber risks, one that ensures each cyber risk is identified and categorized so that its visibility can be raised to the level appropriate for deciding on that given cyber risk.
Defining that process in its entirety is outside the scope of this post but I’ve previously outlined how to build an effective cyber risk program.
An effective cyber risk management process also reduces the probability of some sort of showdown between the infosec team and the business unit, developer, IT pro, or others. You’ll have a supporting system that can help discern the right ownership and give the rightful owner a chance to excel by doing the right thing. If they can’t because they lack the right resources or prioritization, the process can raise the issue to a level where those resources or that prioritization can be granted, because the right eyes are on the issue. In the case of a “contested risk,” in which the security team and business process owner disagree on the path forward for treating a relatively serious cyber risk, the process also gives both the business process owner and the info security team the opportunity to make a fair case for their rationale to the right level of decision maker.
Suffice it to say that both sides will need to produce solid arguments if a risk treatment plan for a cyber risk is contested. “Errrr….it’s security” might only be compelling in a highly regulated industry.
The most compelling aspect of this broader approach is that, if an accepted risk ultimately goes south, there is a trail of documentation showing that the risk was identified, that it went through a process with the right people involved at the right level, and that a reasoned business decision was made that didn’t pan out.
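To make the process above concrete, here is a small risk register that encodes its main rules: the authority needed to accept a risk depends on its severity, some categories can only be treated and never accepted, a decision by someone without the required authority (or a contested decision) is escalated rather than recorded as acceptance, a risk nobody has acted on stays visibly undecided instead of being treated as accepted by default, and every action leaves an audit trail. This is an added illustration, not code from the original post or from any particular product; the taxonomy (severity levels, role names, the `ACCEPTANCE_AUTHORITY` and `MUST_TREAT` tables) and the sample risks are hypothetical, and a real program would replace them with the organization’s own.

```python
"""Minimal cyber risk register: routes acceptance decisions to the right
authority and keeps an audit trail.  Taxonomy and sample data are
hypothetical and constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Hypothetical taxonomy: the minimum role that may accept a risk of a
# given severity.  Acceptance by a lower role is escalated, not recorded.
ACCEPTANCE_AUTHORITY = {
    "low": "manager",
    "medium": "director",
    "high": "vp",
    "critical": "executive_committee",
}
ROLE_RANK = {
    "individual_contributor": 0,
    "manager": 1,
    "director": 2,
    "vp": 3,
    "executive_committee": 4,
}
# Hypothetical categories that may never be accepted, only treated.
MUST_TREAT = {"regulatory_noncompliance", "known_exploited_vulnerability"}


@dataclass
class Decision:
    actor: str
    role: str
    action: str        # "accept", "treat" or "contest"
    rationale: str
    when: date


@dataclass
class Risk:
    risk_id: str
    title: str
    severity: str
    category: str
    owner: str
    owner_role: str
    treatment_plan: Optional[str] = None
    status: str = "identified"
    history: List[Decision] = field(default_factory=list)


class RiskRegister:
    def __init__(self) -> None:
        self.risks = {}

    def add(self, risk: Risk) -> None:
        self.risks[risk.risk_id] = risk

    def required_authority(self, risk: Risk) -> str:
        return ACCEPTANCE_AUTHORITY[risk.severity]

    def decide(self, risk_id: str, actor: str, role: str, action: str,
               rationale: str, plan: Optional[str] = None,
               when: date = date(2024, 1, 1)) -> str:
        """Record a decision and return the risk's resulting status."""
        risk = self.risks[risk_id]
        risk.history.append(Decision(actor, role, action, rationale, when))
        if action == "treat":
            if plan:
                risk.treatment_plan = plan
            # A treatment decision without a tracked plan is flagged.
            risk.status = "under_treatment" if risk.treatment_plan else "treatment_plan_missing"
        elif action == "accept":
            if risk.category in MUST_TREAT:
                risk.status = "treatment_required"   # acceptance not permitted
            elif ROLE_RANK[role] < ROLE_RANK[self.required_authority(risk)]:
                risk.status = "escalated_to:" + self.required_authority(risk)
            else:
                risk.status = "accepted"
        elif action == "contest":
            # Disagreement goes to the decision maker for this severity.
            risk.status = "escalated_to:" + self.required_authority(risk)
        else:
            raise ValueError("unknown action: %r" % action)
        return risk.status

    def undecided(self) -> List[str]:
        """Risks nobody has acted on: surfaced, never accepted by default."""
        return sorted(r.risk_id for r in self.risks.values() if r.status == "identified")

    def audit_trail(self, risk_id: str) -> List[str]:
        return ["%s %s:%s %s: %s" % (d.when.isoformat(), d.role, d.actor, d.action, d.rationale)
                for d in self.risks[risk_id].history]


if __name__ == "__main__":
    reg = RiskRegister()
    reg.add(Risk("R-1", "Legacy app without MFA", "high", "authentication", "bob", "manager"))
    print(reg.decide("R-1", "bob", "manager", "accept", "no budget this quarter"))
    print(reg.decide("R-1", "carol", "vp", "accept", "migration funded next FY"))
    print(reg.audit_trail("R-1"))
```

The point of the `escalated_to:` status is that a manager saying “we will not fix this” does not end the conversation; it moves the decision to the role the taxonomy says may actually accept a high-severity risk, and both the manager’s rationale and the eventual decision are in the trail that a regulator or general counsel would later ask for.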
Putting this in place takes work though. It also can’t happen in a vacuum. You’ll need to interact with other teams in your organization that deal with business risk. You also may have to engage with execs to lay the groundwork and have them understand the importance of their visibility on the right set of cyber risks as determined by your taxonomy.
But the work will be worthwhile. The outcome ultimately protects the organization far more than an unsigned sheet of paper with some individual contributor or first-level supervisor supposedly accepting a risk by default. And we can agree that our job as cyber practitioners is to protect the organization effectively rather than just to protect ourselves.
Let’s ensure that we have the best processes to serve our organization before and after incidents. It’s worth the work.
For more insights into how cyber leaders can best enable the business and build rock solid cyber programs, please follow me on Twitter at @opinionatedsec1
You can also find more of my previous content at the “CISO & Cyber Leaders” publication on Medium: https://medium.com/ciso-cyber-leaders