PART II

Communication and Education

CHAPTER 6

Cybersecurity: A Concern of the Business, Not Just IT

Knowledge will forever govern ignorance; and a people who mean to be their own governors must arm themselves with the power which knowledge gives.

– James Madison

Opportunity

In Part I, we gave you tools to bolster your foundational knowledge of how businesses operate and make decisions. We wrapped up Part I by providing you with different business case methods and templates you can use to put your foundational knowledge together and formulate business cases to secure funding for components of your cybersecurity program. In Part II, we will build upon Part I and introduce additional tools that transform common topics regarding cyber risk into enterprise risk dialogue.

Let's just come out and say it (and you already know it): organizations must treat cybersecurity as an enterprise risk rather than relegating it to simply an IT issue that “those tech guys” will handle. Due to high-profile cybersecurity incidents such as those affecting Home Depot, Target, and Equifax, the Securities and Exchange Commission (SEC) established a cyber unit in its Enforcement Division. In the last few years, the SEC has also published numerous documents offering guidance to board directors. The new guidance covers disclosure obligations relating to cybersecurity risks and cyber incidents, as well as the Cybersecurity and Resiliency Observations offered by the Office of Compliance Inspections and Examinations (OCIE).

More recently, domestic and global privacy regulations have come into law, including the General Data Protection Regulation and the California Consumer Privacy Act. These new laws have active enforcement bodies that will not hesitate to issue material penalties for failure to comply. The presidential executive order on improving cybersecurity within the United States (EO 14028) is a direct response to more recent incidents such as the ones that impacted SolarWinds, Colonial Pipeline, and, later, Kaseya.

Now more than ever before, companies of all sizes have come to recognize cyber risk as a business issue. Research from the University of California at Berkeley concludes that boards deem cybersecurity risk an “existential threat,” yet they are not confident they can provide effective governance and oversight. Board members mostly agree they are just now wrapping their arms around cybersecurity and believe the cyber risk environment will not stabilize predictably over the next few years. At the same time, boards are struggling with difficult questions, including whether to address cyber-risk as a central part of overall business strategy discussions and whether it should be prominently featured in board-level investment or merger-and-acquisition decisions.1

The National Association of Corporate Directors (NACD) is attempting to educate board directors, yet acknowledges that “many directors don't feel comfortable talking about emerging technologies, cybersecurity, and other complex topics.” The NACD continues to recognize that only a small percentage of directors believe their board has a “high” level of comprehension of cyber risks or that information security reporting meets their expectations. Fewer than half of organizations believe their board and executive management have a sufficient understanding of cybersecurity to properly evaluate security controls. When NACD asked public company directors to rank the quality of the information provided by senior management, cybersecurity information quality was rated the lowest. Nearly a quarter of public-company directors reported that they were dissatisfied with the quality of cybersecurity information provided by management. Only 15% said that they were very satisfied with the quality of the information they received.2 Meanwhile, over 65% of CISOs now report to their boards at least two to four times each year, and their audience is increasingly the full board rather than a separate subcommittee.3

Principle

The internet has allowed organizations to integrate business with technology. Technology has been the driver for exponential economic growth since the 1950s. As technology has evolved and as organizations have become more agile in adopting technology, mainly through the use of cloud-based applications, the attack surface has increased. Just pull up your favorite media website, or log into Twitter on any given day, and you will see a new cybersecurity incident in the headlines. Protecting all data all the time is impractical, especially considering the constantly evolving threat landscape and dynamic nature of organizational strategy. The odds of success are exceedingly low, and the cost is infeasibly high. The odds of winning the grand prize jackpot in the multistate Powerball lottery are 1 in 292,201,338.4 The cost of a single Powerball ticket is $2. For that price, you may say, “Sure, I'll take a chance at it,” but what if the cost per ticket were $200, $2,000, or $20,000? This is the complex decision facing executive leadership teams and boards of directors every day. How do you balance investment in risk mitigation with the business opportunity? When does the cost to mitigate risk become wasteful?

There is a better way forward. Cybersecurity risk should be integrated into the overall enterprise risk management (ERM) program to address the challenge of security and privacy in the face of data sprawl. ERM is the process of evaluating risks to identify both threats to an organization's financial well-being and opportunities in the market. The goal of ERM is to understand an organization's tolerance for risk and then identify, articulate, and manage risk according to that tolerance. Without an ERM program, organizations struggle to understand the impact of cyber risk on the business. Many organizations do not have a formal ERM program, but someone is undoubtedly responsible for enterprise risk. This may be the general counsel or the chief financial officer (CFO). Make them your friend. They have likely wanted to form a formal ERM program. Volunteering to help them do so is a golden opportunity to ensure that cybersecurity risk is integrated into overall enterprise risk. For the purposes of this book, we are going to refer to this function as the “ERM program” or the “ERM group.” Although there may not be a formal group at your organization, the principles discussed in this chapter and throughout the book still apply.

The value and benefits of integrating cybersecurity risk into an overall ERM program are multifold. So, where do you start? Boards of directors love “best practices” over “making it up as you go,” even though what you come up with may be “better.” Corporate directors want to know that you aligned the security program to established best practices. A defined framework also provides a level of “top cover” for the organization in case it ever has to defend its stance on cybersecurity. Make sure to take due care in understanding the size, complexity, and industry of your organization. Benchmark the cybersecurity program's maturity against the organization's peers using the framework you selected. The board will want to know how you stack up against your peers in the industry, and it will use this benchmark to inform the organization's risk appetite. Corporate directors tend to avoid “invent and choose your own adventure” for a reason, and that reason is not that they dislike risk or are afraid to experiment or innovate. It is that tried-and-true best practices are defensible in the worst-case scenario that a cyber incident suffered by your organization leads to litigation in the courts.

Throughout my career, I have found that COSO is an excellent place to start. In 2017, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released an update to its ERM framework. Many of the revisions are designed to absorb cyber risk as yet another business risk, but a deeper discussion surrounding precisely how to do so is warranted, and this is exactly what we will do in the next two chapters. Some benefits of using COSO to integrate cybersecurity risk into the ERM program include:5

· Securing the involvement of senior leadership and the board in cybersecurity initiatives

· Better alignment of cybersecurity with strategic business objectives

· Raising cybersecurity's profile within the organization ensures that enterprise risk is more accurate

· A tailored risk profile that reflects specific threats to the organization and the industry as a whole

· Increased visibility and transparency that drives better identification and treatment of risk

· More cost-efficient risk treatment

The COSO ERM framework asserts guiding principles that are grouped into five components of risk management:

1. Governance and culture

2. Strategy and objective-setting

3. Performance

4. Review and revision

5. Information, communication, and reporting

In this chapter, we will focus on the first two management components, governance and culture and strategy and objective-setting, as these establish the foundation of an ERM program and, by extension, a cyber risk management program. We will cover performance, review and revision, and information, communication, and reporting in Chapter 7 – Translating Cyber Risk into Business Risk as they focus on the actual execution of an ERM program and, again by extension, a cyber risk management program.

Governance and Culture

What the data shows is clear. Now more than ever, boards need quality information that helps them govern. While they continue to grapple with the learning curve required, and the composition of boards continues to evolve, cybersecurity leaders must also rise to the occasion. We must find ways to bridge the knowledge and communication gap. To do so will require a solid understanding of the activities that comprise governance. Further, it will require an empathetic view of the audiences we serve. Closing these gaps is a large reason why we wrote this book. There's not a minute to waste, so let's get started.

Governance and culture are foundational to an ERM program as they establish oversight and the cybersecurity risk tolerance for the organization. The treatment of risk starts here, and only after establishing ERM can you begin to treat cybersecurity risk strategically vs. tactically (a.k.a. – fighting fires). The five COSO principles for building Governance and Culture are:

1. Exercise board risk oversight

2. Establish operating structures

3. Define desired culture

4. Demonstrate commitment to core values

5. Attract, develop, and retain capable individuals

Exercise Board Risk Oversight

Board-level governance over cybersecurity risk entails keeping tabs on the organization's cybersecurity program, strategy, and performance. As you are aware, this is nontrivial. Corporate boards worry about adequately disclosing cyber risk. They are even more concerned with cyber incidents that may have a material impact on the value a company provides to its shareholders. Further, it has become clear that each director carries a fiduciary duty and a personal liability associated with how they govern cyber risk within the companies they serve. In recent years, directors have started asking more informed questions like “Are we secure enough?” However, such a seemingly simple question is surprisingly difficult to answer. What's worse, a thorough answer may require a nuanced technical discussion that is difficult for many boards to fully comprehend. Nevertheless, boards are eager to adequately oversee their organization's cybersecurity initiatives.

Corporate boards have long been composed of “old white guys”; however, there are signs that some diversity has begun to enrich dialogue in the boardroom. On the flip side, the boardroom isn't getting any younger, as the average age of a corporate director continues to increase.6 At the time of this writing, we, the authors, are in our forties. We specialize in cybersecurity, and we grew up during the rise of the internet. Yet, it's fair to suggest that we are challenged to continuously educate ourselves on the latest technology innovation and keep pace with the changing threat landscape. In response to this, many corporate boards have chosen to engage external advisers to help “bridge the gap”; however, there is no reason why you cannot bridge that gap by applying some of these key activities to your organization. In fact, common frameworks and regulations, such as SOC2, ISO27001, and NYDFS, require board involvement and oversight, so you can leverage those requirements in the framework or regulation applicable to your organization to engage your board.

Establish Operating Structures

For cybersecurity risk to be treated as an enterprise risk rather than an IT risk, cybersecurity teams cannot operate in a vacuum. Establishing a cybersecurity steering committee is nonnegotiable. In fact, do whatever you can to fight for it. We will talk later about a use case where I did not fight for establishing one and the cascading effect that it had.

The cybersecurity steering committee should consist of a representative from each department. This includes, but is not limited to, executive leadership, IT, finance, legal, HR, accounting, sales, marketing, operations, and so on. The committee should be chaired by the CISO (or equivalent) to provide a forum for two-way communication between the various business units and cybersecurity. The cybersecurity team can gain an understanding of the critical data or processes that must be protected for each business unit, solicit input from the business when proposing new security controls, and review new and existing risks and their treatments.

Establishing a working draft of your risk appetite is a great project to tackle with this team if you don't have that already documented. You should also plan to update the committee on the evolving threat landscape and work to translate what that means to the organization. Implementing and enforcing security controls is much more effective when cybersecurity is done with the business and not to the business. Consider sharing the business model canvas, value chain mappings, and risk-adjusted value metrics that you produced using Chapter 2 – Business Strategy Tools. Better yet, involve the committee in reviewing and updating these working documents.

A vital benefit of the cybersecurity steering committee is bringing diversity of thought into various security issues. Via the steering committee, the cybersecurity team can be a business enabler instead of posing as a roadblock. For example, the sales team may bring up the fact that they cannot easily access customer records in the customer relationship management (CRM) system while traveling. IT may then propose moving to a SaaS solution or enabling a mobile solution via mobile application management (MAM). The cybersecurity team can discuss what investments will be required to secure the proposed solutions consistent with the corporate risk appetite, and executive leadership can approve the investment required to implement a complete solution.

Define Desired Culture and Demonstrate Commitment to Core Values

These two COSO guiding principles go hand in hand. Do a quick Google search on recent cybersecurity incidents, and you will see that the root cause of just about all of them involved the weakest link in a cybersecurity program – people. Another excellent resource for curated cybersecurity news is www.TruKno.com (no, I am not a paid spokesman). We often talk of people, process, and technology. Notice how people comes first. Let's face it: as cybersecurity professionals, we generally shy away from squishy topics like people and culture. There is a misconception that we are a bunch of black-hoodie-wearing introverts who cannot or choose not to engage in even basic conversation. However, soft skills and personal interaction are required for a thriving security culture. Security culture requires intentional effort. “Culture eats strategy for breakfast” is a famous quote from legendary management consultant and writer Peter Drucker. However, like a child, culture requires constant nurture and nourishment.

Your organization's core values should consist of a strong cybersecurity culture, and your cybersecurity culture should align with your organization's core values. Your organization's core values are defined by the board of directors and the executive leadership team. When the top of the organization drives a strong cybersecurity culture, and when your cybersecurity policies, awareness training, employee accountability, etc., emphasize your organization's core values, it is relatively easy to inspire employee commitment to cyber hygiene.

There is no singular definition of a strong cybersecurity culture. Nor is there universal agreement upon what elements must be present. Nevertheless, my experience is that strong security cultures exhibit these essential elements:

· Security culture is not a thing you do as an organization. Security culture is a thing you are as an organization. Ben Horowitz, a co-founder of Andreessen Horowitz, states, “Your culture is how your company makes decisions when you're not there. It's the set of assumptions your employees use to resolve the problems they face every day. It's how they behave when no one is looking. If you don't methodically set your culture, then two-thirds of it will end up being accidental, and the rest will be a mistake.”7 This core concept is set by the board of directors and the executive leadership team. Security culture is emphasized and embedded into every technology and process decision.

· Trust. There is a high level of trust between employees from the executive level to the individual contributor. This trust is typically built upon transparency, honesty, and follow-through on commitments. Stephen Covey defines the “4 Cores of Credibility” as: (1) Integrity, (2) Intent, (3) Capabilities, and (4) Results.8 Strive to establish and maintain trust within your immediate team in addition to promoting the importance of trust between your team and the rest of the organization. Remember the adage, “Trust takes years to build, seconds to break, and forever to repair.”

· Awareness, awareness, and more awareness. How can people be held accountable for their actions if they are not aware of what is required of them? Security newsletters and annual training videos are not enough. Successful security cultures elevate security training to the levels of the organization's safety and ethics training. Consider bringing in people with backgrounds in marketing and education to develop and manage your cybersecurity awareness and training programs to deliver engaging content that employees will be less likely to ignore. Of course, use simplicity as a guiding principle.

· Cybersecurity champions. Who are the security champions across your organization? Can you name some? If not, then encourage the development of a cybersecurity champions program. Much like the cybersecurity steering committee, a good champions program develops key individuals organization-wide to evangelize the importance of your organization's cybersecurity strategy, goals, and challenges. It also allows you to gain valuable feedback from “the front lines” about the performance and obstacles that policy and controls are having on how people are executing their job responsibilities. Gain executive support for the cybersecurity champions program by building a business case around how the program will contribute to your organization's business goals. A good cybersecurity champions program will have a substantial force-multiplier effect for your undoubtedly constrained cybersecurity team.

· Make it fun and rewarding. Taking a novel approach may invalidate or disrupt long-held beliefs about security. Stimulating and delightful new experiences in this context can invigorate curiosity and passion. Surprises can inspire a “sticky” security culture. I am not a psychologist, but I don't need a PhD to know that engaging content is more memorable. Positive reinforcement is likely to go much further than punishment, shame, or guilt. A monthly prize for the “champion of the month” or for the person who reported the “coolest” phishing email is a cost-effective means to make security fun.

Attract, Develop, and Retain Capable Individuals

The notion that there is a colossal cybersecurity talent gap has been beaten into us through various studies and publications. One example comes from (ISC)², the world's largest nonprofit membership association of certified cybersecurity professionals. You may recognize them from the popular CISSP certification. In that study, (ISC)² estimated that the cybersecurity workforce at the time consisted of 2.8 million professionals but that an additional 4.07 million professionals were needed to close the skills gap.9 Another study that was released around the same time by Cybersecurity Ventures estimates that there will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014.10 The numbers between the two studies differ a bit, but suffice it to say that there is a huge talent shortage facing our industry.

The cyber threat landscape evolves daily and even hourly in some cases. Attackers seem to get smarter and more efficient through increasingly simple yet sophisticated attacks. How do we keep up? The reality is that your organization is unlikely to have the budget and resources to keep up with it all. Therefore, you should consider a mix of both in-house and outsourced talent. For example, you may decide to keep your governance, risk, and compliance (GRC) functions in-house but outsource security operations and incident response to a managed security services provider.

Above all, invest in your people. This seems obvious, but a report conducted by the Enterprise Strategy Group and the Information Security Systems Association (ISSA) called The Life and Times of Cybersecurity Professionals 2020 found that there is a continuous lack of training, career development, and long-term planning for cybersecurity talent within organizations. The findings noted that “cybersecurity professionals often muddle through their careers with little direction, jumping from job to job and enhancing their skill sets on the fly rather than in any systematic way. This, combined with the continued cybersecurity skills shortage, has stalled cybersecurity progress.”11 Help correct this disturbing trend by creating a plan to encourage continuous learning. That can be part of formal training, like a SANS Institute course (although we're increasingly discouraged by the exorbitant pricing models they exhibit) or a certification bootcamp. It can also involve a paid subscription to an online platform like Cybint, Pluralsight, or Cybrary. Additionally, it can leverage education reimbursement to a college or university. Some of the accountability for continuous learning lands on the employee, and the rest resides with the employer. Do not disincentivize an employee from investing in themselves by not providing them with a path to do so. Daniel Pink outlines a framework to do so through autonomy, mastery, and purpose.12 Hint: intrinsic motivation tends to have a greater effect than extrinsic motivation. In other words, learning, growth, and job satisfaction outweigh pay in motivating employees of the 21st century.

Don't be afraid to get creative and stretch your team's skills. Python for Managers, Crucial Conversations, communication training, and project management skills are every bit as relevant and perhaps more valuable than simply producing another Offensive Security Certified Professional. Whatever mix of in-house vs. outsourced talent you choose, it is vital to have a strategy to attract, develop, and retain the talent that is right for your organization. Doing so will require an investment in time and money, so it is crucial to create a business case around how your strategy around cybersecurity talent supports your organization's goals. Chapter 5 – Articulating the Business Case gives you tools to help you create a successful business case.

Strategy and Objective-Setting

Strategy and objective-setting work together to complement a risk management program. Organizational risk tolerance is defined and aligned to strategy. Business objectives reflect risk tolerance and strategy, laying the foundation for identifying, assessing, and treating risk. Aligning your cybersecurity risk management program in the same manner helps you align cyber risk tolerance to organizational risk tolerance. It also allows your ERM group to more easily evaluate cyber risk within the context of the overall risks that the organization faces. The case study in the Application section of Chapter 4 – Value Creation walks you through how to identify cyber risks and to use those risks to align security strategy and objectives for a fictional beverage manufacturer with competing priorities. The four COSO principles for strategy and objective-setting are:

1. Analyzes business context

2. Defines risk appetite

3. Evaluates alternative strategies

4. Formulates business objectives

Analyzes Business Context

Things change. Constantly. As we've discussed in previous chapters, market dynamics can change the way you approach developing a business case, and market dynamics can certainly change business valuation. Since its publication in 1979, Porter's Five Forces model has become one of the world's most highly regarded and widely utilized business strategy tools, and we are going to use the model to dive into industry dynamics below. The model was created to analyze the likelihood of profit when entering an industry. Over many years, it has been adapted to analyze how an organization is positioned in the current market and how an organization can adjust its strategy to adapt. The five forces are listed below, and each sub-item lists a cybersecurity analogy that you can employ to strengthen your organization's position in the model:13

1. The industry (competitive rivalry – Trend Micro vs. McAfee)

   a. Standardization can lead to agility. Do certifications, such as ISO 27001, SOC2, or FedRAMP, differentiate your organization in the market?

   b. If not careful, standardization can also lead to bureaucracy and a lack of agility. How do McAfee and Symantec differentiate themselves from each other? That's right, they don't.

2. Threat of new entrants (SentinelOne and CrowdStrike)

   a. New entrants such as SentinelOne and CrowdStrike have leveraged dissatisfaction with “traditional antivirus” to create new solutions with better automation and enter the anti-malware market. In fact, they have created a new endpoint detection and response market that has surpassed the capabilities of the de facto stalwarts in the industry.

   b. Can you use cybersecurity to become a new entrant in a market that is adjacent to your organization's current market? Can you use your organization's current investment in cybersecurity to drive down costs and increase speed to market?

3. Bargaining power of customers

   a. Demand from customers may require your organization to focus more on the cybersecurity program. Again, do any frameworks or certifications allow you to provide a solid attestation of your security program to customers?

   b. As customers, can we raise the cybersecurity bar by refusing to purchase insecure commercial-off-the-shelf software, or by rejecting proposals to leverage insecure third parties and subcontractors?

4. Bargaining power of suppliers

   a. Same as 3a, but from a supplier/partner perspective. Take, for example, Amazon Web Services. They are large enough that they dictate business associate agreement terms, and they refuse to participate in third-party diligence questionnaires. They are careful to even avoid disclosure of the locations of their data centers.

5. Threat of substitutes

   a. Can an increased focus on the cybersecurity program incentivize customers to stay with your organization's product or service? Can the standardization of security policies and procedures allow your organization to bring a new product or service to market quickly in order to better compete with the substitute?

   b. As customers, you may evaluate Orca SideScanning as an alternative to traditional vulnerability scanners, or you may consider developing your own SOAR solution using AWS Lambda functions vs. purchasing a traditional SOAR solution.

Each of the examples above highlights the impact of industry dynamics on our evolving role as stewards of value. In short, strategy changes. ERM, and by extension cyber risk management, needs to keep up. As strategies and business objectives change, they should also take into consideration the IT applications, networks, systems, data, and so on that are required to accomplish current and future objectives. Is your organization in crunch mode, where its primary goal is to survive a downturn in the market, or is your organization in a high-growth phase during a booming economy? The business objectives to deliver on these strategies may require different technologies and information to be successful. As such, different technologies and information will likely introduce other vulnerabilities. That, in conjunction with the changing cyber threat landscape, means that new and changing cyber risks are introduced to your organization.

Staying ahead of, or at least alongside, the changing industry dynamics and business objectives listed above is much easier said than done. We probably would not be writing this book if it were easy. As companies become increasingly reliant upon software, there is an “emerging” concept termed Security by Design (SbD). In truth, SbD is not emerging at all. We have been screaming it since at least 2006, as evidenced by various OWASP projects, the Building Security In Maturity Model (www.BSIMM.com), and the like. Nonetheless, SbD features more prominently as organizational practices become more agile. At its core, SbD is applied from the heights of strategic planning down to the implementation of tactical security controls. The value and the benefits are apparent and mirror the lessons we learned about the costs associated with fixing defects in software. SbD allows you to find ways to use cybersecurity as a market differentiator for your organization.

Since SbD sounds like such a no-brainer (oh, but it's not), let's examine five key activities you can undertake to start implementing the concept at your organization.

· Project managers should engage a cybersecurity representative at the beginning of every project. A cybersecurity champions program allows you to scale to meet this demand. Early engagement provides defined security requirements and controls at the beginning of development to most effectively reduce risk. Include cybersecurity validation during designated phases of development. Validation could come in various forms, such as manual architecture reviews or automated lightweight pre-commit code scans that are performed before code is ever checked into the code repository.

· Awareness (there is that word, again). Create an awareness campaign, or even specialized training, for developers around the types of threats and common vulnerabilities for software they develop. The Open Web Application Security Project (OWASP.org) is a great place to start and has a ton of free resources available. One example may be creating a series of lunch-and-learns around the OWASP Top 10 (https://owasp.org/www-project-top-ten/) and the OWASP Mobile Top 10 (https://owasp.org/www-project-mobile-top-10/).

· Automation. The more you can automate code checks, the better. Provide instant feedback to the developer, and do not allow the code to be committed until it passes the required security checks. These scans can use static application security testing (SAST), dynamic application security testing (DAST), or a hybrid of both using interactive application security testing (IAST), depending on your needs and circumstances. It is important to note that manual checks are still necessary because humans are better at detecting flaws in the application logic that can be exploited.

· SbD also enables “Privacy by Design.” Privacy concerns have become increasingly front of mind over the past several years, with lawmakers passing regulations such as the General Data Protection Regulation (European Union) and the California Consumer Privacy Act. Consider adding Privacy by Design to your overall program, depending on the type of data the system will be handling.

· Continuous improvement. Take an inventory of the applications your organization has developed and prioritize them from a risk perspective. If you have not already implemented SbD in those applications, go back and evaluate them for vulnerabilities. If you have already implemented SbD, fantastic; however, keep in mind that the security posture is only good until the next code release. Make sure to consistently execute on your Security by Design practices and continuously strive to improve them and make them more efficient.

Defines Risk Appetite

COSO defines risk appetite as “The types and amount of risk, on a board level, an organization is willing to accept in pursuit of value.”14 Sounds simple enough, but I cannot begin to tell you how many times I have been asked about how an organization goes about defining their risk appetite and, more importantly, their cyber risk appetite. It seems to be an elusive magical purple unicorn because most organizations do not actually codify their risk appetite. Defining a risk appetite is fundamental to risk management and how organizations communicate and react to risk. Managing risk within the boundaries of risk appetite should be consistently shared and addressed throughout the organization as it provides the guardrails against which to manage risk.

We often interchange the terms risk appetite and risk tolerance, but they are distinctly different. Risk appetite is only part of the overall approach to managing risk. Risk appetite needs to cascade throughout the business as risk decisions must be made at different levels or business units. Each individual level or unit may have different risk tolerances around the risk appetite. While risk appetite refers to how much risk an organization is willing to accept, risk tolerance refers to the boundaries of acceptable variation in performance relative to the business objective. Risk tolerance is a performance metric. Figure 6.1 outlines some of the differences.

You may think of indicators and triggers in this context as the individual risks themselves, and the metrics used to measure them (e.g., key risk indicators). A key risk indicator (KRI) is a measurement of how risky an activity is. It differs from a key performance indicator (KPI) because a KPI is a leading metric while a KRI is a lagging metric. For instance, a KPI may be expressed as “We have patch coverage of 86%,” while a KRI may be expressed as “When patch coverage falls below 80%, confirmed incidents rise by 60% month-over-month.”
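The tolerance band, limit, and trigger concepts from Figure 6.1 can be made concrete for the patch coverage KPI and KRI just described. The following is an added example, not the book's own material: the 80% coverage floor and the 60% month-over-month incident rise come from the chapter, while the target, tolerance floor, and monthly observations are constructed for illustration.

```python
"""Added example (not from the book): a cyber risk tolerance band and a KRI
trigger evaluated over monthly data. The 80% coverage floor and 60% incident
rise come from the chapter; the other figures and the data are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class MonthlyObservation:
    month: str                # "YYYY-MM"
    hosts_in_scope: int       # hosts that should be at the current patch level
    hosts_patched: int        # hosts that actually are
    confirmed_incidents: int  # incidents the SOC confirmed that month


@dataclass(frozen=True)
class ToleranceBand:
    target: float           # where management wants the KPI to sit
    tolerance_floor: float  # lowest value still within acceptable variation
    limit: float            # hard floor; below it the KRI trigger can fire


def patch_coverage(obs: MonthlyObservation) -> float:
    """KPI: fraction of in-scope hosts at the required patch level."""
    if obs.hosts_in_scope <= 0:
        raise ValueError("hosts_in_scope must be positive")
    return obs.hosts_patched / obs.hosts_in_scope


def month_over_month_change(previous: int, current: int) -> Optional[float]:
    """Relative change in incidents; None when there is no valid baseline."""
    if previous == 0:
        return None  # a rise from zero is undefined, not infinite
    return (current - previous) / previous


def classify(coverage: float, band: ToleranceBand) -> str:
    """Place a KPI reading relative to the tolerance band and the limit."""
    if coverage < band.limit:
        return "limit breached"
    if coverage < band.tolerance_floor:
        return "outside tolerance"
    return "within tolerance"


def evaluate(observations, band: ToleranceBand,
             incident_rise_trigger: float = 0.60) -> List[dict]:
    """Report each month's KPI status and whether the KRI trigger fired: the
    trigger fires only when coverage is below the limit AND confirmed incidents
    rose by at least incident_rise_trigger versus the prior month, which is
    the relationship the chapter's KRI example describes."""
    results, previous = [], None
    for obs in observations:
        coverage = patch_coverage(obs)
        change = None
        if previous is not None:
            change = month_over_month_change(previous.confirmed_incidents,
                                             obs.confirmed_incidents)
        triggered = (coverage < band.limit and change is not None
                     and change >= incident_rise_trigger)
        results.append({"month": obs.month, "coverage": coverage,
                        "status": classify(coverage, band),
                        "incident_change": change, "kri_triggered": triggered})
        previous = obs
    return results


# Constructed sample: four months of a steadily slipping patch programme.
BAND = ToleranceBand(target=0.90, tolerance_floor=0.85, limit=0.80)
SAMPLE = [MonthlyObservation("2023-01", 1000, 900, 5),
          MonthlyObservation("2023-02", 1000, 860, 5),
          MonthlyObservation("2023-03", 1000, 830, 6),
          MonthlyObservation("2023-04", 1000, 780, 10)]
```

Running `evaluate(SAMPLE, BAND)` reports the first two months within tolerance, the third outside tolerance, and the fourth as a limit breach with the KRI trigger fired, which is the point at which the statement should escalate beyond the operational audience.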


FIGURE 6.1 Risk Appetite, Risk Tolerance, Limits, and Triggers

Source: COSO (2017). Enterprise Risk Management – Integrating with Strategy and Performance. Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved.

An organization may express its risk appetite as:

Brand is critical for our organization. As such, we have a low risk appetite for negatively impacting our brand and brand loyalty. We will not make decisions that factor cost above our core beliefs, quality, or component choice. We value sustainability above revenue and growth. We will innovate within these parameters to develop products that meet market demands and have a moderate risk appetite to attain this goal.

The same organization may express one risk tolerance metric as:

We will not procure more than 10% of the critical components required for manufacturing widget “X” from outside of the United States.

So, what does this mean from a cybersecurity risk standpoint? It means do not get lost in the weeds. Providing metrics without the appropriate context is meaningless and will further distance you from being viewed as a strategic partner. You can help set that context by defining a cyber risk tolerance. Defining a cyber risk appetite is not just technical; it requires discussions across the organization. The CEO, CFO, and the cybersecurity steering committee should all be involved so that cyber risk is tied into enterprise risk and reflects your organization's mission and values. These discussions need to consider how the organizational risk appetite is defined and the types of controls included to prioritize cyber risk management. Taking the example organizational risk appetite above into account, the cyber risk appetite statement may look like the following:

It is essential that the cybersecurity risk management program is aligned with the enterprise risk management program and allows the organization to achieve its business goals in a manner that complies with applicable laws and regulations. Our organization has defined that it has a low risk appetite relating to impacts to brand and brand loyalty and a moderate risk appetite for sustainably achieving business objectives.

In support of the above, the organization has a low risk appetite for the loss or breach of its intellectual property and consumer data. Information assets will be classified and protected with the commensurate security controls outlined in the Data Classification and Protection Policy (e.g., restricted, confidential, internal, or public). The organization has a low risk appetite for a failure of access controls. All access to systems storing or processing data classified as “internal” or above will be controlled via multifactor authentication as outlined in the organization's Access Control policy.

While risk appetite is strategic and broad, risk tolerance is tactical and focused; however, they are closely linked. Per COSO, risk tolerance is the acceptable variation in performance.15 It describes the range of acceptable risk outcomes related to achieving a specific business objective to ensure the organization continues to operate within its defined risk appetite (depicted by the dotted lines in Figure 6.2). In other words, it helps management determine if a risk is acceptable or unacceptable. A specific risk target does not typically exceed where risk profile intersects risk appetite (“A” in Figure 6.2).

Risk tolerance does not focus on specific risks. Instead, risk tolerance focuses on business objectives and performance. As such, risk tolerance should be aligned, measured, and communicated in terms of business objectives. For example, risk tolerance may be lower for business objectives that are critical to achieving the organization's strategy and higher for less critical business objectives. The organization's existing risk profile is the current level and distribution of risks across the organization.

Risk capacity is the total amount of risk that the organization can absorb in pursuit of its objectives. Risk profile, risk capacity, and risk tolerance all inform an organization's risk appetite determination.


FIGURE 6.2 Risk Profile Showing Tolerance

Source: COSO (2017). Enterprise Risk Management – Integrating with Strategy and Performance. Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved.

Evaluates Alternative Strategies

In COSO, an organization must evaluate alternative strategies as part of defining strategy and assess each option's risks and opportunities in conjunction with the organization's resources and ability to create, preserve, and realize value. ERM involves evaluating strategy from two perspectives:16

1. The possibility that the strategy does not align with the mission, vision, and core values of the organization

2. The implications of the chosen strategy

In cybersecurity, this translates to defining a set of frameworks to oversee the cybersecurity risk management program. Several cybersecurity frameworks, such as the NIST Cybersecurity Framework, the International Organization for Standardization (ISO) 27001, and the Payment Card Industry Data Security Standard (PCI DSS), have been developed to help organizations establish and report on the effectiveness of their cybersecurity program. The selection and mapping of these frameworks to technical security controls and risk management processes is often also referred to as the organization's information security management system (ISMS). Organizations must determine which cybersecurity framework to build their ISMS on by considering which is the best fit based on their business operations, current control structure, and various factors, such as capital, technologies, and resources.

Formulates Business Objectives

Just as an organization must develop business objectives that are specific, measurable, attainable, relevant, and timely (SMART), so must a cybersecurity risk management program. Defining business objectives makes business strategy actionable. Determining risk tolerance makes risk appetite actionable. You must define metrics against which to measure your cybersecurity program to ensure the organization is working within its specified risk tolerances. Techniques such as The Open Group's FAIR (Factor Analysis of Information Risk) can help quantify risk and derive values for risk tolerance; however, cybersecurity is not an exact science. You will most likely use a combination of quantitative and qualitative metrics. Metrics provide three primary benefits:17

1. Measurement provides visibility.

2. Measurement educates and provides a common language for understanding the cybersecurity program.

3. Measurement allows for improvement by enabling efficient management, investment planning, and decision-making and by driving necessary change throughout the organization.

Your organization will likely have a different risk appetite for various business units or systems (e.g., mission-critical vs. non-mission-critical or storing sensitive information vs. publicly accessible information). This means that risk tolerances may differ for different systems or assets; therefore, metrics may change or have different meanings depending on the context.

Application

I believe that failure is the greatest teacher. So, I am going to discuss a time where I failed to apply the principles outlined in this chapter. Don't worry; I will indulge in the successful application of the principles in the following chapter.

Case Study – A Failure to Govern

For this case study, let me set the stage. I had recently started a new role at a publicly traded company, and I was responsible for building a cybersecurity program. At the time, it was all the rage for public companies to initiate formalized investments in cybersecurity. As some readers may be experiencing today, my organization did not have a formal security function before my arrival. There was no decomposition of IT Risk. Instead, cybersecurity risk was buried deep in the annals of IT Risk. So, there it stood, a solitary item on the company's enterprise risk register.

It was my job to establish the program's framework. I was entrusted to determine how to best measure and prioritize risk, and how to work with the other business units to drive change. The good news was that the board sponsored my role, so inherently some board risk oversight was established. Check. Naturally, I sought to establish an Information Security Steering Committee, but to my surprise I was strongly discouraged from doing so. The rationale was that the organization was so agile and dynamic, it allegedly did not support committees (although I later learned that project steering committees were commonplace). In either case, I had failed to secure the support of my leadership structure. I decided that without the executive support required, the committee would be an exercise in futility.

In hindsight, I should have pushed hard. I want to advocate that this is so important that, if faced with the same decision again, I would advise myself to hold firm on establishing the committee, even if it meant getting fired for insubordination. Regrettably, in my first few days on the job, hoping to build relationships and assimilate into the company culture, I did not recognize the strategic importance of the committee. I did not hold the crucial conversation that was required. I underestimated the importance of this governance lynchpin. This is where I fundamentally failed. I accepted a position that limited my ability to engage the business. At that time, I felt it was possible to change the organizational security culture from the ground up. I was wrong. As a result, I failed to Establish the Operating Structure, I contradicted COSO, and I began a painful lesson. I hope you will learn from my mistake.

Before my arrival, a big, expensive consulting firm conducted a cyber risk assessment and delivered a report. More than half of the report dealt with physical security. While it's true that physical security is a critical aspect of an overall cybersecurity program, there are plenty of other things to consider in concert. Disappointingly, many recommendations were disconnected from the reality of our business. In the end, the report mainly sat on a shelf collecting dust.

Fortunately, one of the suggestions was to hire someone to lead the cybersecurity function. That recommendation was accompanied by guidance to staff an entire team. I eventually learned that our business didn't have an appetite to carry that full cost burden. Hoping to serve as an agent of change, I swiftly encountered the cultural norm “if it isn't broke, don't fix it.” With no major incidents at the organization and, at that time, no major incidents across the industry, I quickly fell into a compliance-driven checker of boxes.

Without the support of a steering committee, we were relegated to “fire stompers.” We subsumed ourselves with issues-of-the-day rather than strategically assessing and treating risk. Frequently, my team was summoned to advise a broader project team “how to secure ‘it'” days before the project go-live.

Although we adopted the NIST Cybersecurity Framework as a guiding document, we simply lacked business context. Without the context, we struggled to develop security champions. You can imagine, constrained by resources and devoid of the champions I needed, cybersecurity was not optimized throughout the organization. We lacked the executive sponsorship needed to lend credibility to our security culture efforts. In a self-perpetuating death spiral, the lack of interaction with the business meant we lacked business context, which then limited the relevance of our cyber risk analysis. Unsurprisingly, these factors led to a misalignment with the organization's ERM program.

Take it from me, and save yourself the trouble by learning these few lessons:

1. Recognize the lack of an information security steering committee as a canary in the coal mine. If you face this prickly challenge, persist with your desire to establish a committee. Don't fall for the fool's choice; instead proceed tactfully using the tools we've covered in other parts of this book. I could have researched case studies of information security program failures, or I could have engaged an external partner (in this case, Gartner) to further push for my cause. Ultimately, I did form a “circle of trust” that I informally used as my security champions, but because it was an informal network, many efforts failed to garner the priority they likely deserved.

2. Perform sufficient due diligence during the interview process. I recommend drafting specific questions to reveal the true state of security culture. Take the time to ensure you understand what the expected investment in your program will look like. Prepare to navigate around the standard “We don't know yet, that's why we're hiring you” reply. Get clear about who controls your budget dollars, and be certain that you understand if your funding is independent or beholden to IT's budget. All this information can be used to ensure aligned expectations, and may also influence other things like how you negotiate your compensation, and what strategy you take in your new role.

Key Insights

· Work with your organization to implement the COSO principle of Establish Board Risk Oversight by first picking a framework. It can be any framework that aligns with your organizational requirements and risk appetite. It will serve as the baseline that you use to evaluate program maturity. Corporate directors want to know that you aligned the security program to established best practices.

· Don't be “Chicken Little.” Fear, uncertainty, and doubt (FUD) will get you nowhere. Security operations metrics like “our firewall blocked 1,596,742 attacks last month” or “we have 100,854 critical vulnerabilities on the network” will put the board to sleep in less time than it took to type this sentence. It will also damage your credibility and call into question the need to have you in the room. Don't pigeonhole yourself as the stereotype against which we struggle: that paranoid, antisocial being that still lives in their parents' dark, cold basement hopped up on Mountain Dew and Red Bull (no offense if you do still live in your parents' basement). Use “above the line” metrics (metrics that drive gross profit) or other metrics that matter to your organization.

· Strong security cultures exist when there is strong trust across the organization. Remember that security can be fun, rewarding, and distributed across the organization via an innovative security champions program.

· Attract and retain capable individuals by thinking outside the box and by investing in your people.

· The only constant is change. Internal and external factors are constantly changing. You cannot ensure your cybersecurity strategy aligns with your organization's strategy if you do not ensure you are in sync with the current context of your organization.

· Draw a line in the sand: establish a cybersecurity steering committee. The cybersecurity steering committee is an excellent place to facilitate collaboration across organizational stakeholders.

· Consider how your cyber risk appetite statement cascades throughout the organization. Do you have to create multiple risk statements for various levels within the organization? Will your cyber risk appetite statement require fundamental changes, such as implementing a new multifactor authentication requirement?

· Understand the environment and industry dynamics your organization operates in by referencing Porter's Five Forces model. For instance, ISO 27001 is costly and resource-intensive to implement, but it is optional for most organizations. PCI DSS may be expensive and resource-intensive to implement but is required for organizations that store, transmit, or process credit card information. Rationalizing your compliance frameworks is a must. The last thing you want to do is measure your program effectiveness differently based on the framework. That is called “compliance-based security,” which quickly turns into “checkbox security,” which turns into a data breach. Target had just passed a PCI audit when it had its significant breach back in December 2013. Let the security program produce artifacts that demonstrate compliance to a framework, not the other way around.

· Formulate your cybersecurity business objectives by understanding measurement and reporting resources that are available to allow you to define and gather metrics. This enables you to define metrics that integrate your cyber risk appetite and risk tolerance (derived from your organization's risk appetite and risk tolerance). These should come in the form of lagging indicators (key performance indicators) or leading indicators (key risk indicators). Remember your audience. Different metrics are intended for varying levels of the organization. Operational metrics focus more on data that allows you to manage day-to-day operations and are intended for individual contributors and front-line managers. Executive and board-level metrics concentrate more on information and provide leadership with insight into how the cybersecurity program is performing to allow them to make informed business decisions over time.

Notes

1. Resilient Governance for Boards of Directors, 2019. https://cltc.berkeley.edu/resilient-governance/.

2. Clinton, L., Cyber-Risk: Director's Handbook Series, National Association of Corporate Directors, 2020.

3. Gartner, “What Your Board Wants to Know in 2020” (Issue G00716265), 2019.

4. “Powerball,” Multi-State Lottery Association. https://www.powerball.com/games/home.

5. COSO, Enterprise Risk Management – Integrating with Strategy and Performance, Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2017. All rights reserved. Used with permission.

6. Harvard Law School Forum on Corporate Governance, “U.S. Board Diversity Trends in 2019,” 2019. https://corpgov.law.harvard.edu/2019/06/18/u-s-board-diversity-trends-in-2019/.

7. Horowitz, B., What You Do Is Who You Are: How to Create Your Business Culture, HarperCollins Publishers, 2019.

8. Covey, S.M.R., The SPEED of Trust: The One Thing That Changes Everything, Free Press, 2018.

9. (ISC)2, Strategies for Building and Growing Strong Cybersecurity Teams: (ISC)2 Cybersecurity Workforce Study, 2019, 1–37.

10. “Cybersecurity Talent Crunch to Create 3.5 Million Unfilled Jobs Globally by 2021,” Cybercrime Magazine, n.d. Accessed August 31, 2020. https://cybersecurityventures.com/jobs/.

11. Oltsik, J., “The Life and Times of Cybersecurity Professionals,” 2019. https://www.esg-global.com/research/esg-research-report-the-life-and-times-of-cybersecurity-professionals-2020.

12. Pink, D.H., Drive: The Surprising Truth About What Motivates Us, Penguin Group, 2011.

13. Porter, M.E., “How Competitive Forces Shape Strategy,” Readings in Strategic Management, March 1979. https://doi.org/10.1007/978-1-349-20317-8_10.

14. COSO, Enterprise Risk Management – Integrating with Strategy and Performance.

15. COSO, Enterprise Risk Management – Integrating with Strategy and Performance.

16. COSO, Enterprise Risk Management – Integrating with Strategy and Performance.

17. Wong, C., Security Metrics: A Beginner's Guide, The McGraw-Hill Companies, 2012.
