According to the UK National Cyber Security Centre (NCSC), around half of all businesses experienced some form of breach in the past twelve months. Attacks on businesses take place all the time, and defending against these attempts takes up a huge amount of effort, time and energy. It’s therefore not a surprise that security and risk are high priorities in enterprises - 98% of enterprises flagged that security is a high priority for senior management, compared to 75% overall.
As a security leader, you are responsible for the strategy to address these risks, writes Richard Seiersen, Chief Risk Technology Officer, Qualys. However, the biggest problem is whether what you define as a strategy for security actually supports what the business wants to achieve.
Where are you starting from?
The old adage is that every problem looks like a nail when all you have is a hammer. When it comes to strategy, it is easy to fall into the same trap over time. For example, if you are a CISO with a technology background, you may concentrate on the technology aspects first as that is where you are most comfortable. Facing a strategic problem? The answer is more technology! For other CISOs that came up around regulation or in consultancy, it might be tempting to call in more consultant support, or dive into the regulation first.
Charles Kettering, head of research at General Motors, developed the phrase, “A problem well stated is a problem half solved.” For too many security leaders, this is an area that they have not been taught, so they will look at what they are familiar with in terms of technology, risk and approach.
See also: CISOs, unis, investors turn to richer metrics as security training evolves
Security strategy should be treated as a function of how the business sets out its objectives and measurable goals. By defining our approach as "mitigating and transferring the most plausible losses that impact business objectives", our strategy will more likely line up with the business. Security strategy should then look to eliminate the most plausible risks that impact those business objectives.
Business strategy looks at how to deliver more value to more people across more channels. For CISOs, reducing risk to those business objectives is where your efforts should be directed. In turn, this helps us to defeat those digital adversaries and threat actors that are the most likely to create losses. Alongside, we can work out where those risks of disruption exist that might lead to plausible financial impact, to regulations getting broken or loss of revenue that the business team does not expect. At the same time, we do also have to work on how to deliver those risk mitigation and transfer programs with minimal operational impact over time.
Getting strategy right
Business leaders approach strategy by looking at where they can win, and how they will win once they decide to make a move. According to A.G. Lafley in Playing to win: How strategy really works,“The heart of strategy is the answer to two fundamental questions: where will you play, and how will you win there?”
As CISOs, we have to get involved in business strategy earlier, and that involves understanding the risk scenarios that most plausibly impact those business objectives. This has to be expressed in monetary terms, so that we can explain that impact in context to the business.
Many CISO may think quantifying risk in business terms is too hard. They will in turn fall back on taken-for-granted "best practices" like heat maps. Such tools are more like horoscopes – impregnated with vague risk terms and various shades of red, yellow, and green – as opposed to documents meant to drive financial decisions. But the mindset of perfect precision, as opposed to adequate accuracy, halts most security leaders dead in their tracks.
What makes this hard is our concept - or our misconception - of measurement. When confronting some amount of irreducible uncertainty we need to hold to a standard of acceptable accuracy over impossible precision. This requires capturing financial impact as a range of plausible losses. And likelihood? That has to be treated as a probability. And a probability is a means of discerning what is most plausible across what is possible. Following this, we can use our understanding to continue making improvements, balancing accuracy and precision with speed and cost.
The ultimate goal here is to reduce risk in ways that are efficient uses of both capital and operational resources. This includes not only mitigation through investments in "people, process, and technology" but also includes risk transfer through insurance. In all this, we have to work within what the organisation can afford and can achieve compared to what the business stands to gain or lose. Our overall objective should be to help the business win and deliver that risk elimination as a product of our approach.
Communication and understanding risk
“The meaning of the communication is the response you get.” – anonymous
Most breakdowns in risk management can be attributed to communication or a lack thereof. And when I say communication I really mean a failure to collaborate with operational and business stakeholders. Collaboration means meeting them on their terms as it relates to their business and objectives – not the other way round!
The process of effective communication breaks down into these steps:
- Quantify Risk:This process includes both operational metrics and cyber risk quantification (CRQ). You may not always share these details with leadership.
- Qualify Risk:Use terms like decelerating, accelerating, scaling etc that communicate operational efficiency over time and how it impacts their objectives. With business and risk leaders, discuss the exceedance of risk tolerance in financial terms and its likelihood. This is core cyber risk quantification (CRQ).
- Communicate:Meet regularly with business and operational stakeholders both individually and in risk committee. Share operational metrics and CRQ status as it relates to their business objectives.
- Collaborate:Given risk state, get agreement on resource allocation changes (people, process, technology) that support the achievement and resilience of objectives. Again, keep the focus on what the business wants to achieve.
- Advocate:With your business stakeholders in lock-step-agreement, approach the money people (CFO team and related) for resources.
- Decide:A decision is an “irreversible allocation of resources.” In short, allocate a budget and cut the checks, and communicate those decisions to the board.
In conclusion, security strategy should always be in service to business objectives. In operation, security strategy involves operational and capital efficiency applied to the mitigation and transfer of the most plausible risk to business objectives. This cannot occur in a vacuum. It’s about collaboration around objectives and shared advocacy on resources.