Making Sense of Systemic and Cyber Risk Management

Like the old TV commercial, you can pay me now, or you can pay me later…

Time, money, resources, risks, and threats. Never enough of the former, way too much of the latter. This pithy statement sadly describes the current state of cybersecurity for many organizations.

When you or your organization are under the gun due to cyber issues, whether you have just discovered a breach or data spill or are in the middle of an active attack, how do you make the call? What gets the priority? Is it what makes the pain stop now, or is it what will minimize the pain going forward? What is your first response: Band-Aid, tourniquet, amputation, euthanasia? How in those moments do you know if you made a good decision or a career-ending mistake? Do you review or grade your responses over time? Honestly, let’s just get out the short swords now everyone…

As an industry, I see more and more leaders take the quick, seemingly painless route based on very little data and information. It’s an opportunity to buy a new product that appears to be custom made just for this problem, but as it turns out, it’s not helpful for next week’s issue at all, and even worse, it is not part of a bigger plan (usually)… oh, and it’s hard to integrate with your other 31 “must buy now” cyber tools from the last few dozen events. That’s never happened to anyone reading this, has it?

How many times can your organization absorb this knee-jerk route to cybersecurity before it is no longer sustainable? Will there be any money at this point? Can you afford to make this kind of mistake more than once? Can you afford to make this kind of mistake ever? It’s one thing to be decisive when you have the information you need to make a decision; it’s another when you think you do, and you don’t.

There are entire libraries of books and published frameworks on how to secure your organization and manage risk effectively. The problem is nobody starts that way. Few people understand how to assess, plan, and manage risk; fewer do it continuously. The CISO never gets hired before the CFO. The IT and cyber teams’ best intentions give way to overarching growth and operational needs, and corners invariably get cut. The one absolute truth here is that it costs way more to apply security later than at the beginning. It feels right and noble when you are MacGyver’ing it together with your hair on fire. However, let’s not kid ourselves: to our adversaries, externally and internally, our infrastructures often resemble a shanty town just after a natural disaster, with a stark lack of resiliency and inconsistent application of policy and standards.

The whole point here is that we have made cybersecurity way too complicated and complex. We are so busy treading water that we can’t take the time to prioritize changing so that we can actually improve. We have been trained to act decisively in our organizations and in our leadership cultures, but we constantly fall into groupthink and operate like a herd of prey animals. If I had a bitcoin for every time I heard “because that’s the way it’s always been done” I would have A LOT of bitcoin. Effective cybersecurity risk management boils down to three key areas: know your assets (what you have), have visibility into and baseline your network (what’s happening now), and use threat intelligence (what’s likely coming next) to inform your current and near-term cyber risk. Easy to say, hard to do in our modern world, but not impossible. More on this in a future post.

As a leader, do you have a plan for the next 12-36 months to get and stay secure? Is it driven by a recent comprehensive, organization-wide systemic risk assessment, or do you just kind of hope (and pray) you don’t get popped (again, that you know of)? Probably not the former, but hopefully your organization is better than the latter.

Imagine how great it would be if your technology helped you operate and manage risk better. We need to stop trying to convince ourselves that what we are doing is the right thing tactically when all we are is “too busy to change”. Take that first step: assess your organization’s systemic risk. Dig deep into your people, your processes, and your technologies. Take those findings, honestly assess your true risk from an organization-wide perspective, and use well-understood operations lifecycles like the NIST Cybersecurity Framework as a north star to continuously evolve better operational capabilities. Please stop spending money just on point products during a crisis, and focus on understanding, managing, and mitigating your systemic risk as a regular part of doing business. While this is turning into a boardroom concern, the practitioners among us may have to lead the way.