Are We Doing Our Part to Reduce Risk Properly?
The hardest part of any security professional's job, cyber or otherwise, is often dealing with a limited budget and a management group that does not fully comprehend the value the security role brings to the organization. Many smaller organizations with funding restrictions view cyber security practices as a constraint on the business, and any expense that goes toward defending the business as overhead that could be better spent elsewhere. This leaves security professionals in a tight spot. It is understood that antivirus and a firewall are not enough to defend against the advanced threats of today, but neither are security departments with inadequate funding and support. How do we start the process of either changing the perspective of upper management or, at a minimum, getting their help? To put this uphill battle into perspective, an article published by Krebs on Security in December 2018 found that only 5% of the top 100 firms surveyed listed a Chief Information Security Officer or Chief Security Officer on the executive team page of their site. That is not to say the other firms did not have the position filled; typically the role reported to the executive team but was not treated as equal in importance, at least as far as being listed on the website, to a role such as the Chief of Human Resources. Let us address how we can start to make an impact.
What Message Could We Be Sending?
In any book, certification course, academic course, or other resource on how to properly reduce risk, the process generally starts with a risk assessment. This makes sense: there cannot be an effective direction or action that mitigates risk if we do not first understand how that risk presents itself to the business, and if we blindly throw controls at the business it only builds a false sense of security. Therein lies the first problem. Many an organization put through a security audit or assessment comes out with a lot of great things in place. Security policies and procedures, check. An inventory of current assets, check. Security awareness training, check. Risk assessment... no answer. So how have we adequately addressed risk, and wisely spent company dollars, if we have not aligned controls with the risks they are meant to address?
The answer is that we have not. While we may mitigate risk to some degree, we are throwing darts at a target we have not defined. CEOs and CFOs want to see a coherent strategy for why money, time, and change are necessary, so when security professionals come to the table and say "we need to do this because NIST says so, or else," that does not represent a strategy and in some cases is interpreted as doomsaying.
How Do We Bridge the Gap?
In short, we must become professionally bilingual. If you want to make an impact with your management team, you must put things into a perspective they understand, taking into account their culture and financial limitations. Returning to the previous example of approaching the CEO/CFO, let us say you are now armed with a risk assessment and recommendations. When you approach the team about changes that should be made, you have evidence and recommendations that align with the request. You can put in front of them the systems you are trying to protect, and the CFO can estimate at a glance a dollar value for those assets. This is the beginning of the process. Next comes determining, for each risk, whether the team wants to mitigate it (and to what degree), avoid it, transfer it, or accept it as presented. To some this may seem like a fantasy, but the reality is that you must get to this point. Your executive team is responsible for the risks to the organization, and if you are not having these discussions with them and walking away with action items or a documented acceptance, then you must find a way to get the information to the executive level so they can make informed decisions about the organization's current risk profile.
What Can be Done Today?
It all starts with awareness, and whether that awareness is brought to the table with logic and facts or by a security seminar your executive team attends, it cannot be avoided forever. "If we don't know about it, it doesn't impact us" is not an acceptable justification for a lack of action. The world is taking due diligence and due care more seriously than it ever has before.
Here is where to start:
1) Know your culture and the people that make it up
2) Be as unbiased as possible in your identification of risks to the organization
3) Be reasonable in your expectations for mitigation
4) Be levelheaded in your presentation of facts and findings to the executive team
5) Remember that even if you don't agree with the acceptance of a risk, it is your executive team's decision to make
If you can get information to the top so that they can make conscious, well-informed decisions based on it, then you have helped the industry take major steps for the better.