Hands up all those who think they have a great cyber risk assessment capability in place. You know, one that is embedded within the organisation, produces consistent and trustworthy results and is relied on by senior management. Not many takers, eh? It’s a tough call. When Security Leaders are asked this question, you will often see the flicker of anxiety in their eyes before they launch into the stock response of how important cyber risk assessment is in their security strategy. They quickly move on to telling you about the methodology and the software tools that they have in place, the number of assessments they do and the great person that they have leading the charge. But when you scratch the surface and ask about the business value of information risk assessment, the look of concern returns. CISOs instinctively know cyber risk assessment should be at the centre of what they do, but few would admit that their capability is performing at the level that they really need. It’s seldom a point of pride or a flag waver for the information security function.
In many ways this is unsurprising. For most of us cyber risk assessment is still something of a dark art. It is the hazy stuff of soft skills, analysis and judgement, as opposed to the more comfortable and clear-cut territory of running a security project, hardening a device or deploying security software. We compound this uncertainty by launching into programs of cyber risk assessment that are driven more by enthusiasm and management will than by a clear sense of objective, scope and benefits. The wreckage of these programs is there for everyone to see as the risk analysts route-march their way through hundreds of applications, networks and technology components. This is tough going for everyone. The team get punch-drunk, analysis becomes mechanical, inconsistency creeps in and the results become less and less useful. Management reports are ignored or, worse still, paid lip-service to by business leaders. Soon it is unclear to anyone why this thing started at all.
The real problem with these programs is that they are difficult to back out of once you have set them in motion. The logic is impeccable and easily explained to us and to management, but somehow the delivery isn’t quite what we expected. The answer quite often lies not in the type of methodology or tools that are used but in the lack of a benchmark for what constitutes a great cyber risk assessment in your company. What is a good assessment? What does it look like? Is it technical in nature or is it focused more on managerial and procedural issues? Are the risks described in detail or do they only contain the main observations? Risk analysts need not only the right training and skills but also a clear benchmark for what constitutes a great cyber risk assessment if they are to hit the target. This sounds simple but is surprisingly difficult, as it requires a clear understanding of what constitutes business value in your organisation. Each organisation has unique goals, drivers and culture that affect cyber risk. It’s not generic, but subtle and very, very specific – it is an intrinsic part of your organisation’s cyber risk ecosystem. Your goal is to run cyber risk assessments that make a genuine difference – every single time.
The mood in the business world is changing. Cyber security is no longer an ivory-tower activity. You’d better get your cyber risk assessment program right, because once you’ve started, the expectation is that you will be producing something of real value. If your capability is outcomes-based, as you have rightly declared, then business leaders are going to want to see what those outcomes are and how they help the organisation. Falling back on the reasoning that cyber risk assessment is required to meet a compliance requirement won’t wash any more. Business leaders are now starting to hold CISOs’ feet to the fire on the value of their cyber risk assessment program and what it brings to the organisation. Having a poor cyber risk assessment capability in the war on cybercrime is a bit like turning up to a gunfight with a knife. It’s holding you back and you owe yourself more.
About the author
Principal Consultant, CRMG