<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Efficient Demotivation: How Black Box Risk Solutions Disempower Cyber Professionals

down-arrow

As information security shifts from a siloed function to an increasingly relied upon business function and enabler, business executives and Boards have taken a greater interest in understanding how information and cybersecurity risk impacts the enterprise as a whole. In the time when cybersecurity was a business function, the governance, risk management, and compliance (GRC) tools that CISO’s turned to were sufficient. It allowed each function within a cybersecurity program to operate and in the sporadic occurrence that a CISO had to report out the performance of their program it was possible (albeit a full project in and of itself) to use GRC software to deliver that information. However, with an increasing number of Boards seeking out cybersecurity talent and the creation of information security committees, a modular approach to cybersecurity program management is no longer adequate.

The need that many CISOs have faced is one of how to translate the metrics and data that they have previously collected in GRC solutions into actionable information and strategies to report up to the rest of the executive team and the Board especially as it relates to the business impact that cyber risks have on the enterprise. In the face of this quandary, black-box cyber risk quantification tools have emerged. Black-box solutions, for our purposes here, are defined as a solution or tool that ingests cybersecurity risk assessment data and produces a distilled metric or small set of metrics to “articulate” the risk posture of the organization with little-to-no explanation of how those metrics were generated from the assessment. For reasons we’ll examine here, this is extremely detrimental to information security leaders and potentially jeopardize the future cybersecurity program itself.

Building Trust with Business Leaders

We are still in the early stages of seeing Boards and business leaders committing to cybersecurity as a business function. After seeing the financial impact of data breaches and cyber events in recent years, the industry is now very aware that today effective cyber risk management is no longer optional. That said, as more Boards recruit information security experts, form committees, meet with CISOs, and do their own research, we must realize that there is a learning curve. The result of that learning curve is that CISOs must be teachers in the Boardroom to an extent.

When presenting to other executive team and Board members, CISOs are often the expert in the room as it relates to the unique configuration of cyber risks the organization is facing. The consequence of that is that they must be able to articulate the background of the metrics presented to executive management and the Board. However, the implication of black-box risk quantification solutions is that there is very little explanation for how those metrics were generated. While the promise of “advanced algorithms” backing one’s risk metrics may sound appealing, in fact, it can and often does hurt the credibility of the CISO presenting the metrics themselves. CISOs are often seen as one of the leaders of digital transformation efforts within the enterprise and must use these opportunities to build trustworthiness that they have the knowledge to help shape the organization for the future.

Black-box Solutions Bring Their Own Risk

We are starting to see the increased risk of software that operates outside our realm of understanding. Gartner has stated that it sees artificial intelligence emerging as the preferred attack vector for cybercriminals; in essence, if the software can do something that humans cannot then it becomes exponentially more difficult to determine if the result has been tampered with. Consider in the case of black-box risk quantification a cyber attack could go largely unnoticed if the black-box tool was adjusted by the bad actor to hide the attack itself.

By implementing a black-box solution, CISOs are opening their own organization up to a host of new risks that many see as unnecessary. For many (if not all), the risks that black-box tools offer far outweigh the potential benefits of ease of use.

Leveraging Open Source and Gold Standard Cyber Security Risk Management Frameworks

Especially in this phase of cybersecurity as a business function, where many executives are still developing an understanding of GRC activities and their own cybersecurity and GRC program, leveraging well understood and recognized risk management processes and frameworks give CISOs an advantage in the Boardroom. Instead of spending time explaining a potentially limited understanding of a black-box solution, CISOs can clearly present how various risks align and inform business objectives all while being prepared to clearly explain how those metrics were calculated. In many instances, CISOs are not as used to the level of scrutiny that they are currently exposed to like other members of the executive team, having operated in a silo for decades previous. By making use of frameworks produced by well-known organizations (NIST’s SP 800-30, for example) or frameworks that are clearly understood by the information security community (i.e. FAIR) and can be explained, it enables CISOs to present with both knowledge and confidence, building credibility with the Board and executive team.

Getting a Clear Understanding of the Entire Cybersecurity Program

The avoidance of black-box tools to quantify cybersecurity risk is only one piece of the puzzle for a future-facing information security leader. Integrating GRC practices under the banner of integrated risk management, enabling faster feedback loops and enabling teams to address uncertainty and act with integrity together rather than with a modular approach. For an information security program and leader to feel fully empowered and supported, effective solutions must deliver transparent metrics both on the risk and compliance functions.

You may also like

3 Ways Financial Institutions are ...
on January 14, 2021

Financial services firms have often been at the forefront of security since the inception of the first Chief Information Security Officer in the 1980s. Why? For the same reason ...

3 Steps for Secure Digital ...
on January 12, 2021

It comes as no surprise to readers that the COVID-19 pandemic vastly catalyzed digital business. From the rapid, necessary adoption of remote work to the precipitous rise in ...

Augmenting Legacy GRCs During ...
on January 7, 2021

From Silos to a Category to Modern-Day From the early days of internal audit and external audit, governance, and policy management silos and into the era of enterprise governance, ...

Alison Furneaux
Embrace Cyber Risk Transformation ...
on January 5, 2021

Widespread Digitalization Puts Increasing Demands on Risk and Compliance Programs The scope of risks to be managed is increasing. Especially over the past year amid the COVID-19 ...

Alison Furneaux
Practice vs Process Maturity: ...
on December 18, 2020

Information security maturity has never been more important. In the wake of the COVID-19 pandemic, the catalyzation of digital transformation and the ripple effects on businesses ...

Top 5 Cyber Events 2020
on December 15, 2020

2020 brought a lot of unforeseen circumstances with it. A lot has happened between the rampant risk in cyber attacks across the digital landscape to the COVID-19 pandemic ...