We spend a significant amount of time in our field talking about cybersecurity threats and their evasive nature, but what about the evasive nature of cybersecurity risk? If anything seems like a barrier to company security today, it’s risk. Customers need to know more about how to think about it, measure it, and manage it in more modern and realistic ways.
Yes, there are frameworks. These serve a purpose for basic alignment and internal discussions. Government efforts like NIST make freely available resources, which are part of educating the community. MITRE serves a purpose in deconstructing and recreating threat tactics and techniques that inform our collective knowledge. Many an organization knows the five-by-five types of risk matrices.
Yet when it comes to operating in the dynamic, demanding, difficult world of running a business, we have to do better.
It starts with shifting the lens to risk appetite and risk tolerance. Knowing the inventory of your systems, people and processes that make up your business is helpful for nuts and bolts. What’s just as important, however, is how you will approach the market with your own leadership philosophy and decision making to navigate risk. How much risk will you tolerate? What is your leadership team’s risk appetite?
I often work with customers who have hit the wall, so to speak, on how to move forward with identifying, managing, and planning for risk. What I recommend first is to ensure that the critical C-suite members are all aligned on accepting that risk is part of any endeavor. Sounds simple, but it’s surprising how some still accept zero as an acceptable metric. Walking across the street, hiring a new person, acquiring a company, investing in a technology, opening a new branch – every action has associated risks.
Accepting that risk happens can then open the door to scenario planning and working through what actually impacts a business. In our process with Deepwatch customers, we peel away the common culprits pointed to as risk. Is it really an outage of your web site that’s the most high impact risk to your operations? We also look at the reality that not every single system and user can be considered “critical.”
In a recent example, as we worked through our standard intake with a customer from the manufacturing industry, ecommerce operations disruption came up as a risk. Through our risk identification process, however, it became clear that something far more important was at stake. This company supplies several other manufacturing outfits with its products. If its physical manufacturing processes were interrupted, the business consequences would be far more severe than just the one line of business running through the ecommerce site. By far, this was the actual risk that cybersecurity as well had to mitigate.
Knowing this insight, gained through our risk process together, the company could then be more effective at pinpointing extensive safeguards and mitigations in priority order. This is not, however, just a conversation. As a technical person, I know the quantitative elements also matter, and I also know that in their back-to-back schedules, that has to be less burdensome for customers. That’s where an assigned value can be brought in.
In our case, we use a Threat Probability Value, TPV, to translate our analysis in operational steps. We let the customer define their level of risk tolerance for each variable. Then we tune the technical platform accordingly. What is an “uh oh” risk moment for one customer is different for another, and this calibration ensures our managed response work is tightly aligned to what truly matters to the business.
Getting your arms around risk can be evasive, but adapting to risk tolerance conversations and then identifying and prioritizing work can bring great clarity. As always in cybersecurity, I’ll also close with the constant reminder that our work is never done. Knowing and managing risk happens daily, and cybersecurity actions and procedures are part of that daily habit. If you’d like to discuss this, do not hesitate to reach out. It’s important we all continually move steps closer to getting better at adding security capabilities to manage across risks.