There have been numerous much-needed discussions in the last few years about taking a risk-based approach to cybersecurity instead of focusing solely on a maturity-based approach.
Even more encouraging is the progress that has been made on aligning expected maturity with risk priority.
The financial industry, in general, is always at the forefront of these conversations and has led the way in most cases. Despite all the shortcomings and agony that the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (FFIEC CAT) created, the tool did attempt to map inherent risk to maturity expectations.
Though the FFIEC CAT and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) reignited a lot of conversations around the risk-based approach, they were neither the only ones nor the first to do so. ISO standards such as ISO 27001/2 and ISO 27005 had been encouraging a risk-based approach to cybersecurity for a while. Gartner analysts have been writing about and encouraging this topic for at least a decade.
However, there is still a lot that needs to be done. Most of us are still employing simple maturity-based cybersecurity, which tends to be costly and often becomes just a checklist exercise. Is it because of a lack of will, a lack of ability, or something else?
Listed below are some of my thoughts on this issue and how to address it, based on my own experience as well as conversations with various practitioners over the years.
1. Tell me “How”: There are a lot of publications and guidelines on “Why” a risk-based approach to cybersecurity is required; that has been going on for more than a decade now. Lately, there have been more publications and guidelines on “What” could be done and what that looks like. However, there is not a whole lot of guidance on “How” it could be achieved.
I am not suggesting that a regulator come up with a prescriptive methodology that everyone should adopt; I am merely suggesting that, as practitioners, we should make this “How” part a little easier to follow.
2. Develop Cross-Disciplinary Skill-Sets: Most cybersecurity practitioners come from a technical background. They do not usually think in terms of risk; they think in terms of threats. When we ask these technical professionals to learn risk management, articulate it in terms that businesses and/or executives understand, and then drive the change, are we not asking too much of them? Would it be better to hire someone from a finance/economics discipline and train them on the basics of cybersecurity?
Educators/consultants such as Douglas Hubbard and Jack Jones have done a great job of educating practitioners on the quantification of cyberrisk. However, the challenge lies in the understanding of risk itself among cybersecurity practitioners.
Also, there has been a lot of focused education on cybersecurity; I am suggesting that we should put considerable effort into education on cyberrisk as well, which could be achieved through collaboration across different colleges within or outside the same university, and with industry.
3. Executive Education & Awareness: There has been a lot of discussion on educating the board and/or executive management about cyberrisk. There are even training programs and certifications provided by the National Association of Corporate Directors (NACD) in conjunction with Carnegie Mellon University (CMU) targeted at these corporate decision makers, which is great. But, in general, do we even have members with a minimal education in cybersecurity and cyberrisk on these decision-making bodies? We know cyber practitioners have been expected to learn the language of business. Is it fair to expect corporate decision makers to learn at least a few words and terms of technology, while almost everything in business is going digital? It is totally understandable when a corporate decision maker does not understand how a firewall works (he/she is not expected to), but when the term firewall itself is too technical for him/her, it is very hard to even initiate a conversation.
With all the progress we have made in cybersecurity and cyberrisk in the last few years, these are considerably easier problems to solve. But they do not solve themselves; they require attention and some effort.