Senior Executives broadly agree that Cyber Risk is now the most critical category of risk across all types of organizations.
The confluence of two factors is evident:
1. The digital transformation of business processes has dramatically increased dependencies on the cyber infrastructure.
2. Cyber attacks are becoming more sophisticated and more wide-spread to the point of being an unavoidable, daily business reality.
This, however, is frequently where the agreement ends. Senior executives from different parts of the organization do not have the same level of visibility into cyber threats, vulnerabilities and the possible impact of breaches or disruptions.
Without a shared understanding of the cyber risk posture there cannot be consensus on priorities, risk appetite and, critically, budgets. Creating this shared view of cyber risks is the foundation for consistent action and investment.
Most senior executives consider the cyber security information provided to them too technical and difficult to absorb. This is not surprising since most information comes from cyber security tools that generate data overload in a few siloed domains. Most of the information lacks business context and stretches the patience of executives that still must drive decisions relying on the available data.
This information challenge is compounded by the rapidly evolving nature of cyber risk. All elements are subject to their own drivers of change: the business impact of possible attacks grows as more transactions go online; attack patterns and threats change continuously and so do the technologies and techniques used to defend against those threats. The result is a thoroughly confused set of senior executives and shifting directives for the teams executing cyber security.
This is where the organization’s Information Risk Management System creates very concrete and measurable value by introducing a common framework to think about current and future Cyber Risks at a higher level of abstraction. It also provides a common language to discuss priorities and translate shared insights into action. The framework must answer a set of basic but inherently complex questions that every executive has:
The answers to these questions, must be expressed in a jargon-free way, without over-simplifying the challenging.
Risks can be expressed qualitatively, semi-quantitatively or quantitatively, but with a sharp eye on the time and effort required to conduct risk assessments.
The needs of senior executives put a premium on simplicity and clarity when describing the cyber risk posture. For cyber security professionals, however, the focus is frequently on technical detail. They need to address specific and sophisticated threats that are by their very nature difficult to compare with threats in other parts of the organization.
Any CISO’s key challenge is to keep these two groups aligned. This means to provide cyber risk information to executives on a high level of abstraction while cyber security professionals can operate at a much more fine-grained level of detail.
This means to manage a two-way flow of information where senior executives set risk appetites and budgets while cyber security professionals communicate the status of cyber risk mitigations and changes in threats and vulnerabilities.
This adds another essential requirement for the frameworks that need to be deployed: they must support a big picture view and still allow to zoom into the finest detail.
Creating a common language from scratch would be extremely time-consuming, and unlikely to succeed. Therefore, leading organizations, leverage established standards to accelerate the journey to a shared view of the organization’s Cyber Risk posture. We see even highly advanced security companies, that have developed their own frameworks migrate to established standards in order to keep up, with the tremendous rate of change. For organizations that are just starting out to consolidate their cyber security practices there is no other choice.
The best starting points are ISO 27001, the NIST Cyber Security Framework (CSF) and industry-specific frameworks such as FFIEC CAT (for banks) or HIPAA (for the healthcare sector). In almost all cases, organizations follow multiple frameworks and harmonize their requirements to avoid duplication.
For high-velocity deployments the MetricStream Cyber GRC solution provides pre-packaged content that includes over a dozen frameworks with mappings to a shared control catalog based on NIST SP800-53. It is easy to expand the pre-packaged content with other standards, or specific requirements. If a significantly larger set of requirements must be covered, the Unified Control Framework (UCF) provides a wide array of content that is easy to integrate.
Importantly, these are starting points for Cyber Security teams, but not for senior executives. They do, however, provide the tool set for communicating at a higher level of abstraction. For example, NIST CSF maps to hundreds of controls, but provides a structure of 5 Functions that are split into 23 categories, by aggregating to 5 functions (or also 23 categories), it is possible to present a big picture view of cyber maturity to senior executives.
In addition to the frameworks mentioned above, standards such ISO 27005 or NIST SP800-30, provide examples of risk scoring algorithms, that can drive risk assessments at a high level of abstraction, while still considering detailed compliance results, that are captured by testing controls or requirements at a great level of technical detail.
What we ultimately need to tame cyber risk, is concrete action on the ground. It is about implementing processes and technologies, that protect against risks, detect and respond to attacks, and enable organizations to recover from attacks. The measure of a successful cyber security risk management program, is to achieve the maximum mitigation of risk with a given set of staff and budgets.
Sustained action must be initiated from the top. In order to prioritize initiatives, the necessary information, about threats and vulnerabilities, must be generated from the bottom-up. By leveraging established frameworks, the CISO can create a common language, to talk about cyber risk, and assure that the circular flow of information does not stop.
By assessing the mitigating effect of each cyber security initiative under consideration, the executive team can crate consensus on priorities. With clear priorities from the top, the initiatives on the ground can be executed quickly, and feed more data into the virtuous cycle of information. With established frameworks and state-of-the-art cyber risk management solutions, executive management will not only buy into the initiatives, but will also see, measurable results.