In this article I want to share a simple set of questions for assessing whether your organization is managing its enterprise cyber risk effectively. They work even if you do not work in the security function, and I think it is important that ordinary employees can tell whether cyber risk is being managed.
Why? Because if the enterprise you are working for is not on top of its cyber risks, then unless you are very close to retirement, you might want to start looking for someplace else to work.
Think about it: How many companies have now gone out of business or had to downsize because they could not keep the technologies they use secure? Where do you think that trend is headed, up or down?
What got me thinking about this was new research on enterprise risk management from ISACA, CMMI Institute and Infosecurity that showed me the heartening news that cyber risk appears to be the number one priority for most enterprises. Yes!
But (you knew the but was coming) … when it comes to cybersecurity risk, there is no better analogy for how too many organizations continue to manage the task than this:
Early on in the Owen Wilson/Ben Stiller remake of Starsky & Hutch, they find a dead body washed up on the side of a river. Hutch says that this kind of problem is next to impossible to solve and adds, “All right, I say we push it out and hope the current pushes it down to the next precinct.”
One of the innate problems with risk management is the second word: management. As the word implies, the objective of risk management is not necessarily to fix the problem; it is to find the most efficient way to manage it.
How do risks get managed?
If a risk makes it into a formal risk-handling process, it will usually be managed through one or more of the following tactics:
- Preventing the risk from materializing (avoidance)
- Reducing the potential impact or likelihood (mitigation)
- Having a contingency plan so the business can continue if the risk does materialize
- Transferring the risk, either to someone else (for example, by buying insurance) or forward in time
- Accepting the risk: letting the impact hit and absorbing the consequences and costs.
In my many years of auditing security at organizations, pushing the risk down the precinct was rarely a conscious act of the risk management department. What I found on many occasions was, instead, several people who intentionally chose to keep the risk information buried away from the risk register. “It’s too big a risk to put on the risk register…” is something I have actually heard, more than once.
Is it surprising that many cyber risks get buried? After all, if you present an overwhelming wall of risks to any right-minded senior executive without the confidence and clarity to explain how those risks will be managed, they will probably look for a replacement risk manager (not necessarily one who can manage the risks, but at least one who can push them down the precinct).
Knowing a risk exists is just a step on the path to risk management. Understanding how to cope with it and mitigate it is the real key to success.
Is my enterprise managing risk well?
I do not know if your specific organization is managing cyber risk well, but it is easy for you to work out. Here are some of the most useful questions to ask yourself that will help you make that determination:
- If you became aware of a huge potential risk to an important technology in your organization, (i) do you know how to report it? and (ii) would you expect the organization to deal with it effectively? (Or would the organization try to bury or dismiss it?)
Effective risk management requires establishing and sustaining a culture where risk information is greeted as valuable intel. If your enterprise treats risk information like you just shot someone’s pet, the chances are almost 100 percent that it does not have the resources to manage cyber risk.
- How often is your enterprise hit with unforeseen technology outages?
This should be another easy way of working out whether your enterprise is on the cyber ropes, being pummeled by opportunist hackers. The difficulty here is that each person assumes that his or her own experience of the technology is normal.
For example, if your email goes down every few weeks for several hours during peak work periods, you might think that is okay. Let me just say that it is not. Apply logic. Not every outage is an attack, but frequent unplanned interruptions mean that the change control, patching and resilience disciplines which also keep systems secure are not working. Unexpected interruptions to business operations due to technical outages are one of the most regular symptoms that cyber risks are out of control.
- Do you know of any technology outages that your organization has chosen to hide or keep secret?
Across the infosec community there is much discussion about how organizations should be more transparent in sharing threat intelligence. The point is rarely argued against, yet the enormous elephant in the room goes unmentioned: nobody wants to disclose a cyber attack when the reason it succeeded is that their organization is riddled with vulnerabilities.
I have audited many organizations, and I can tell you that the majority, even the very large ones with huge budgets, are riddled with vulnerabilities. You don’t have to take my word for it: take a look at the risk survey results and ask yourself this one final question. If cyber risk really is such a huge priority, and most organizations think they are doing quite well at it, just what is going wrong?