UK Security Leaders explain why current approaches are failing
Genuinely effective Cyber Risk Management – where security risks are consistently identified, communicated and prioritised – has continually proven to be one of cybersecurity’s toughest challenges.
There’s no shortage of approaches, frameworks and methodologies aimed at structuring and streamlining risk practices. And no shortage of benefits in having an agile and capable risk management process; done well, organisations can be confident that they are minimising critical flaws and vulnerabilities that can expose them to cyber attacks, while also maintaining regulatory compliance.
Yet organisations persistently flounder in their attempts – both to create a comprehensive and reliable risk picture in the first place – and then to be able to accurately quantify and contextualise that risk in the face of competing priorities.
Add in the most precarious threat landscape in history, together with the ever-evolving, ‘never normal’ state of today’s business world, and the need for a far more data-driven and joined-up approach to Cyber Risk Management becomes ever more pressing.
It’s clear that ‘how’ organisations approach managing security risk has a considerable bearing on how successful they are at protecting their data, assets and customers.
But huge inefficiencies and inconsistencies start to arise from organisations’ manual approaches to risk assessment and mitigation, heaping pressure upon tightening budgets.
It’s important to first understand the state of security controls, so that cyber teams can be more data-driven about the level of risk they face.
Yet speak to any assembled group of security practitioners and it quickly becomes apparent that many current methods of collecting and monitoring control inputs, – and operationalising cyber risk – are no longer fit for purpose.
“I’ve often struggled to take the state of the current controls, to efficiently and routinely assess them, feed them into some risk assessment process, build a risk inventory at the right level of proportionality and materiality – and then say, well, what does that actually all mean,” states Simon Rigg, Interim CISO and Board Advisor, Coeus Risk Management.
“And on the back of that, there’s something I’ve never managed to achieve – but I’ve always wanted to – and that is to use that data (after being given a load of budget to go off and run a programme) and go back to the board and say: ‘here’s what I’ve been able to do in terms of taking the most amount of risk off the table, as quickly as possible’. AND be able to demonstrate that.”
“As opposed to my typical story of ‘thanks for the money. I’ve got some brilliant things. It’s all a bit complicated. I can’t explain it to you – but we’re much safer than we used to be’.
Which doesn’t really cut it, these days.”
These problems – of the struggle to monitor controls, convert control states into risk, contextualise, and then communicate this all in a language that the board and stakeholders understand – are widespread. And, as many UK security leaders of global companies have explained, continually thwart efforts to effectively manage cyber risk.
The Challenge to Assess and Monitor Controls – and Create an Accurate Picture of Risk – Across an Organisation
“We have a distributed security model, varying capability and equally differing methodologies used across the organisation. So the difficulty I have is actually having a single view of the controls – and compliancy – across the business. At the moment we’ve got quite a struggle to get a consistent approach to providing feedback on our controls.” – UK-based Security Leader
“There’s no commonality between many departments and no commonality between the divisions within them either. So in the risk framework, the top control that is lacking is risk governance. And that then becomes very difficult when you’re talking about rolling up to an enterprise level and looking at actually what are the benefits versus the risks.” – UK-based Security Leader
With regards to internal risk assessment, cross-functional collaboration within organisations has always been challenging.
But struggles to assess security controls in a consistent and unified way – together with differences in how objectives are measured, and habits like compartmentalisation – lead to complexity. Inefficiencies and inaccuracies can bed in, ricochet around departments and then all the way up to the board.
The Challenge of Assessing Third Party Risks
“When you try to get inputs from third parties, you’re actually swimming against the current – because the goal of these organisations is to conceal stuff and just be compliant with whatever you require, in the ways that you ask them. You can’t actually assess any controls inside of their organisations, unless they expose them to you. Which they never do.” – UK-based Security Leader
“We’re not looking at sending out questionnaires to our third parties – it’s a complete and utter waste of time, effort and money. We’ve learned that everybody either lies or paints a rosier picture if you ask them questions. So we’re moving towards getting rid of all that and doing continuous control monitoring because we cannot trust human gathering of these subjective surveys.” – UK-based Security Leader
Assessing Third Party risk brings with it a raft of inefficiencies and inaccuracies. Security teams frequently tell of the struggle to get any meaningful insight on control states from subjective questionnaires, while facing the pain of being swamped with similar requests themselves.
Third parties represent a monumental risk if they are not adequately monitored or controlled, especially as suppliers become ever more prevalent in organisations for core business functions. Manual and subjective assessment is just not good enough for today’s high-stakes threat environment.
A Lack of Tools to Assess Control Effectiveness, Without Resorting to Manual Checking
“In our large organisation, everything’s pretty much done the manual way – so most of our control testing is manual. We’ve made good progress on knowing what our controls are – but in terms of assessing effectiveness, it’s a really mixed bag.
My biggest problem is that I don’t have ways to validate controls based on assets and applications, we usually do that manually. It’s a point in time exercise. We do audits and manually verify – but it’s a different dynamic, there’s lots of game playing.” – UK-based Security Leader
Without the tools to continually monitor control effectiveness, risk and control gaps can go unchecked, potentially leading to blind spots. Security value diminishes and it becomes ever harder to understand the real impact and urgency of risks that inside the organisation, enough drive genuinely informed decision-making.
The Challenge of Communicating Security Risks to Stakeholders in Terms That They Understand, So They Can Fully Understand Impact and Urgency of Risks
“I’ve tried everything to help the board understand. I’ve tried the fish in the tank, Lego, Barbies – everything but the chicken coup. I do everything I can think of to make security risk interesting. And I’m happy to have auditors anytime, because I can say to the board ‘it’s come up by auditors’ and someone will trust them – more than they trust me even though I know my product and system inside out.” – UK-based Security Leader
“The important thing is the data – if you have the data, then there is no question of trust from the board because you’re just showing them the numbers. But in most cases that isn’t the case, and when you do any kind of qualitative thing, then trust is the key issue.” – UK-based Security leader
The continued practice of risk managers communicating to the board through qualitative reports that lack business context can both alienate the board and degrade trust. Security leaders and risk managers – with far greater knowledge of their organisation’s systems and risks – are forced to rely on auditors’ reports to raise issues, which can leave control gaps.
There is also the issue that risk managers lack the necessary tools to create multiple risk treatment options and ‘what if’ scenarios -meaning significant time is spent on recommending control improvement plans that rely on manual subject matter expertise.
It’s very clear that organisations can vastly improve the speed, accuracy and confidence of organisational decision-making by embracing intelligent automation.
By leveraging a huge library of cyber risk scenarios – and by utilising advanced machine learning techniques – organisations can transition to genuinely effective and aligned quantified risk reporting.
Especially as regulators gear up to insist on cyber risk quantification, businesses would be well-served to focus their firepower on quantification tools that ensure risks are properly prioritised based on their potential financial impact and likelihood.
This will ensure that cybersecurity risk is effectively – and easily – translated into business problems that boards are already equipped to solve.
“As security practitioners we have to ask ourselves some really challenging questions. What I want to be able to do is reduce the risk on the table,” adds Rigg.
“But what am I going to tackle first to de-risk the organisation as quickly as possible and buy myself some time to do the other things? And historically that’s always been a really horrible problem – because you get a bunch of practitioners in a room and we’d argue all night about which controls are most important.”
“And I think to have a capability that allows you to be more data-driven in that conversation – and to be able to size that outcome in some quantifiable way – is an environment that, over the last 25 or 30 years I have prayed for.”
“To have a capability to be more data-driven – to be able to go back to the board and say: ‘here’s what I’ve been able to do in terms of taking the most amount of risk off the table, as quickly as possible’ – and to be able to demonstrate that, is something I have prayed for.”
Add in the most precarious threat landscape in history, together with the ever-evolving, ‘never normal’ state of today’s business world, and the need for a far more data-driven and joined-up approach to Cyber Risk Management becomes ever more pressing.
It’s clear that ‘how’ organisations approach managing security risk is key to how successful they are at protecting their data, assets and customers.
The first step is to understand the state of security controls, so that cyber teams can be more data-driven about the level of risk they face.
But with such inefficiencies and inaccuracies, how can security teams hope to demonstrate prudence and reasonable due diligence to the board?
But huge inefficiencies and inconsistencies start to arise from organisations’ manual approaches to risk assessment and mitigation.