The cyber risk management model in its current form is broken. While cyber risk management is more important than ever for business executives, it’s more difficult for CISOs and cybersecurity teams to do thanks in part to an overwhelming attack surface, a huge number of vulnerabilities and sophisticated threats.
New ESG research, which is about to be published, shows that what has worked in the past is no longer an option. I’m an employee at ESG, and I’ve been knee-deep in the data for the past month. Here are a few of my initial impressions of the findings:
Business managers are far more involved than they used to be. A few years ago, business executives didn’t want good security; they wanted good enough security. Back then security professionals bemoaned these half-hearted cybersecurity efforts, longing for CEOs with cybersecurity knowledge who were truly invested in strong cybersecurity controls and oversight. Note to cybersecurity pros, be careful of what you wish for. The ESG data indicates that corporate executives and boards are much more involved and demanding these days. This is forcing CISOs and InfoSec teams to collect and analyze more cyber risk data and present it to the mucky-mucks in business-friendly terms. The data indicates that this is already driving a new, more comprehensive model for cyber risk management. Cybersecurity spending continues to increase, but there are growing limitations. Cybersecurity budgets have been growing on an annual basis for as long as I can remember, and there’s no end in sight anytime soon. Yup, executives are willing to increase spending as a means toward protecting their organizations, but they also want to better appreciate what they are getting for their money.For example, CFOs want to understand what additional protection they get if they increase spending by the $1.2 million the CISO is asking for next year instead of the $1 million they planned on. Business executives, GRC managers, and cybersecurity professionals are trying to figure out how to measure ROI on cybersecurity spending by analyzing incomplete data using vague metrics. There is a pressing need for improvement here. All cyber risk management inputs are growing rapidly. A basic cyber risk management formula looks like this:
Cyber risk = Vulnerabilities x Threats x Consequences
OK, so here’s the problem ―everything is rapidly increasing. The overall attack surface (i.e. devices, data, cloud-based workloads, applications, etc.) is growing, leading to more vulnerabilities from the get-go. For example, one of the big take-aways from the ESG research was the growing need for third-party risk management across organizations’ business partners to guard against indirect attacks a la OPM and Target.
At the same time, threats are more targeted and sophisticated. As far as consequences go, organizations are dealing with multiple angles here, including financial risk, operational risk, and reputational risk. Add all these changes together, and cyber risk management workloads are growing and becoming more specialized, while the ramifications of poor cyber risk management practices carry a high cost.
There is no such thing as a cyber risk management baseline.Risk management tasks such as vulnerability scanning, third-party risk audits, and penetration testing have always been conducted on a periodic and independent basis ―once a month, once a quarter, multiple times per year, etc. Often, these activities were guided by auditors, regulations, or even business partners rather than any cohesive and holistic risk management strategy.
Here’s the problem with this methodology ―everything is changing constantly, and every aspect of cyber risk management is interrelated. So, when one thing changes, it impacts everything else. How can you possibly benchmark cyber risk management at any point in time? You can’t. This means we must accept this realization and strive for continuous risk management measurement.
The research paints a clear picture: Cyber risk management is becoming more important for executives and more difficult for CISOs and cybersecurity teams.
Clearly, the current cyber risk management model is broken, and something must change. More on this soon.
