The risk posed to organizations by cybersecurity threats is large and increasing. COVID-19 related adjustments at home and at work, the move to a remote workforce, and increasing nation-state activity all contribute to the massive increase in cybersecurity risk.
There is an immediate need for organizations to quickly implement or mature their cyber risk practices, and even more so as the reality of a new era of remote work and other changes settle after being driven by the COVID-19 pandemic. The cyber risk landscape and cyber-attack surface have changed across the board due to the pandemic, and attackers, including nation-state groups, are leveraging the situation with both opportunistic and targeted campaigns.
The rush to digitalization due to the pandemic has organizations across sectors that have traditionally relied on legacy technology fighting an uphill battle when it comes to cybersecurity. CIOs, CISOs, and their teams face two key issues - the first being that they have to determine where and how their cybersecurity posture has changed, and the second being that they must direct their teams to efficiently mitigate the cyber risk posed by the gaps they find in their new posture.
These two steps are key to activate an effective cyber risk management program and are necessary to manage cyber risk in our increasingly digital world.
Know Where You Stand on Cybersecurity and Expose Your Gaps Before They Expose You
Many organizations, especially state and local governments as well as critical infrastructure sectors, have an immediate need to assess various facets of their organizations and must know where we stand on cybersecurity as their organizations settle into this “new normal”. CIOs and CISOs know that the first step of determining how their posture has changed will protect their organizations from potential losses because of failure to identify new cybersecurity blind spots, especially within their most critical systems.
That first step of “knowing where you stand” is oftentimes the most difficult part of the process for information security organizations - because it involves shedding light on what is unknown, which is both a technical and emotional process. We underestimate the fact that for many organizations, especially those reliant on legacy tech, ignorance can be bliss.
Security and technology leaders with a clear understanding of the potential impacts of cyber risk, and who are willing to expose even their own failures within the effort to implement a secure digital transformation initiative, are in a position where their work has the opportunity to create immense value.
Going through that initial process of assessing where security gaps lie is a brave and necessary step. To understand what these risks mean to each unique organization, security leaders have to determine where their program stands at the most baseline level across cybersecurity best practices at a minimum, which usually translates to compliance.
Popular voluntary frameworks like the NIST Cybersecurity Framework, which can be tailored to fit the needs of any unique organization, is a great place to start. CISOs and CIOs are able to know where they stand on cybersecurity and IT best practices by assessing their organization against compliance standards or security controls from frameworks like the NIST CSF, which credibly maps to standards such as ISO27001, the CIS 20, DFARS/NIST SP 800-171 and NERC-CIP.
Adding cyber risk on top of all of these standards by leveraging cyber risk quantification and measurement methodologies such as NIST 800-30, FAIR, and other methodologies help organizations move from a compliance mindset to a risk-based approach. Building a cyber risk strategy around to identify risks across technology, operations, and assets, while tying them to strategic organizational objectives is also important to facilitate this shift.
Close Gaps by Improving Processes and Adopting New Technologies
Once information security teams identify where their most significant gaps lie, the second step is to close those gaps in the most efficient way possible. This process comes with its own set of hurdles - data aggregation via email chains, clip-board Q&A sessions with teams across departments, and of course, spreadsheets.
Ideally, all of this activity would be communicated effectively to leadership, and managed by the CISO in the most optimized way possible through workflow automation, real-time tracking, and measurement that facilitates advanced dashboards and audit-ready reports. However, many organizations are still reliant on massive spreadsheet documents to manage their best practices, and are stuck in their manual processes and static reporting methods, resisting change mainly because it’s “how they’ve always managed compliance”.
It’s clear that security leaders want to prioritize risks effectively and combat cyber threats by knowing that best practices are in place, whether in the area of network security, incident response, application security, identity and access management, business continuity, and other areas. To manage risk across cyber, IT, and to measure the success of new cyber risk management processes and initiatives, CISOs and CIOs need to standardize on solutions that can be implemented rapidly, used immediately, and maintained easily.
These systems not only help with step one - knowing where they stand against key frameworks or standards but also function like a system of record, a simplified management system that enables accurate data to inform resourcing discussions around cyber risk management activities and mitigation strategies. There is no better time than now to make these changes.
Adopting More Effective Processes and Tech Requires a Culture Change
Making the switch from how things have always been done isn’t just a matter of ripping and replacing legacy tech - it’s a true culture change.
As organizations embrace digital transformation, appointing roles such as Business Information Security Officers (BISO) who translates their cyber and technology risk profile into business terms, or appointing Digital Risk Officers whose primary role is to manage potential risks associated with new products and services is becoming more common. Innovating in the area of cyber risk and compliance management aligned with frameworks and standards cannot be ignored.
As a customer of ours recently told us, “Even our most advanced pivot tables couldn’t deliver the experience that an integrated risk management solution has, but we wouldn’t have known that unless we made that hard decision to change our culture, not just our tools”.
How are organizations changing culture successfully? Initially, creating tribal knowledge around the importance of cybersecurity and the magnitude of cyber risk is key to encouraging this culture change to come from the top - or executive leadership. If organizational leadership unifies its strategy around building a cybersecurity program that is as clear, actionable, and measurable as any other business function, the CIO and CISO are inherently more understood and therefore have the opportunity to become more supported in their efforts to create a risk-aware culture and build cyber resiliency.
Here are a few recommendations for facilitating executive-level buy-in to build an enhanced cyber risk management strategy by improving processes, adopting tech, and prioritizing security in the face of digital transformation:
- Whenever able, speak about the impact of these risks on the bottom line, continuously connecting technology, operational, and organizational risk issues to the priorities of their CEOs and boards
- Define risk appetites and discuss any new risks that occur versus the defined risk appetite continuously
- Define key risk indicators (KRIs), and align these metrics with organizational performance management, metrics and to inform decision making
- Unite cybersecurity, IT, and other technology risks with the broader operational risk strategy, focusing on how these various forms of risk could impact strategic objectives to better prepare for the future
- Assigns risk ownership across the organization, documenting which risks to transfer, avoid, mitigate, or accept and why
- Whenever possible, present cybersecurity risk management initiatives with a focus on Return on Security Investment provided to the organization, and how this impact helped the organization achieve goals
Facilitating this understanding by implementing clear measurement, measuring Return on Security Investment (ROSI), and visualizing the impact of cyber and IT compliance and risk management with dashboards and reports are just a few of the tools at the disposal of the CIO or CISO who implements an integrated risk management solution.
When organizational leadership aligns to build cybersecurity resilience and boost productivity, even the largest enterprise cyber risk assessment and mitigation projects become just a bit easier to get buy-in around in the boardroom... even if the board meeting is remote.