At ESG, we are just about to publish some new research on cyber risk management and I’ve been knee-deep in the data for the past month. Here are a few of my initial impressions:
- Business managers are far more involved than they used to be. A few years ago, business executives didn't want good security; they wanted "good enough" security. Back then, security professionals bemoaned these half-hearted cybersecurity efforts, longing for CEOs with cybersecurity knowledge who were truly invested in strong cybersecurity controls and oversight. Note to cybersecurity pros: be careful what you wish for. The ESG data indicates that corporate executives and boards are much more involved and demanding these days. This is forcing CISOs and infosec teams to collect and analyze more cyber risk data and present it to the mucky-mucks in business-friendly terms. The data indicates that this is already driving a new, more comprehensive model for cyber risk management.
- Cybersecurity spending continues to increase, but there are growing limitations. Cybersecurity budgets have been growing on an annual basis for as long as I can remember, and there's no end in sight. Yup, executives are willing to increase spending as a means of protecting their organizations, but they also want to better appreciate what they are getting for their money. For example, CFOs want to understand what additional protection they get if they increase spending to the $1.2 million the CISO is asking for next year instead of the $1 million they had planned on. Business executives, GRC managers, and cybersecurity professionals are trying to figure out how to measure ROI on cybersecurity spending by analyzing incomplete data with vague metrics. There is a pressing need for improvement here.
- All cyber risk management inputs are growing rapidly. A basic cyber risk management formula looks like this:
Cyber risk = Vulnerabilities x Threats x Consequences
Okay, so here's the problem – everything is rapidly increasing, and because the terms multiply, growth in any one of them scales the total. The overall attack surface (i.e., devices, data, cloud-based workloads, applications, etc.) is growing, leading to more vulnerabilities from the get-go. For example, one of the big takeaways from the ESG research was the growing need for third-party risk management across organizations' business partners to guard against indirect attacks à la OPM and Target. At the same time, threats are more targeted and sophisticated than in the past. As far as consequences go, organizations are dealing with multiple angles here, including financial risk, operational risk, and reputational risk. Add all these changes together and cyber risk management workloads are growing and becoming more specialized, while the ramifications of poor cyber risk management practices carry a high cost.
- There is no such thing as a cyber risk management baseline. Risk management tasks like vulnerability scanning, third-party risk audits, and penetration testing have always been conducted on a periodic and independent basis – once a month, once a quarter, multiple times per year, etc. Often, these activities were guided by auditors, regulations, or even business partners rather than by any cohesive and holistic risk management strategy. Here's the problem with this methodology – everything is changing constantly, and every aspect of cyber risk management is interrelated. So, when one thing changes, it impacts everything else; a quarterly scan and an annual penetration test each describe a moment that has already passed by the time the report is read. How can you possibly benchmark cyber risk management at any point in time? You can't. We must accept this and strive for continuous risk measurement instead.
The research paints a clear picture: Cyber risk management is becoming more important for executives and more difficult for CISOs and cybersecurity teams.
Clearly, the current cyber risk management model is broken, and something must change. More on this soon.