An Austrian trainer offered me great advice a while back. A client he was training complained about not being “good” at pull-ups. In his thick Austrian accent (think Arnold Schwarzenegger), his guidance was “get lighter, get stronger.” Makes sense. Later, I heard the same trainer, with the same economy of words, describe why so many people hold a gym membership and never use it. “People wait to get fit before they work out. Fit never happens, they never work out.”
This same phenomenon may be at work in cyber, too. While cyber risk quantification is topping the New Year’s resolution list for enterprises around the globe, our recent survey of nearly 200 cyber leaders revealed that only 33% are measuring their cyber risk in financial terms. Dozens of conversations with security leaders provide further explanation for the gap between resolution and execution:
1. We don’t have the resources to get started
2. If we implement a risk quantification program, we would not be prepared to use it
3. The last thing we need is an exclamation point on how big our cyber risk is
For the companies with their heads stuck in the sand on #3, all I can say is: spoiler alert, the problem is not going away. Fortunately, these companies are few and getting fewer. For companies in the remaining buckets, allow me to provide an antidote to #1 and #2 using an ancient Chinese proverb, “If you want big arms, the best time to start hoisting dumbbells was 5 years ago. The second best time is today.” (OK, yes, that proverb was modified from its original subject of planting a tree.)
There are simple starting points for cyber risk quantification. It requires good data, mathematical models riddled with Greek letters, and collaboration across the enterprise. For those now embarking on the risk journey, do not underestimate the significance or the difficulty of gathering any of these. But also, don’t be so intimidated that you get paralyzed. I have observed numerous companies start this process and gain traction in just a few quarters by nailing these basics:
- Good data: You need it, and you have it. The key is to keep it fresh and relevant. For relevance, consider the three determinants of cyber risk: 1) the Business, 2) the IT environment and 3) the Attacker. There’s plenty of information on your business. Identify one or two key business processes along with their assets (revenue numbers and data records are an easy place to start). For the IT environment, leverage your SIEM, vulnerability scans, CMDB, or an SNMP scan. These data sources can reveal a lot about your environment. Finally, recognize that the attacker is constantly advancing and there will always be unknowns. The key here is to filter through the morass of attack intel and pinpoint the relevant information. Analyze attacks against your own environment and verify the susceptibility of your environment. Then, step back, use your expertise, and ask yourself, “Are these results reasonable, and can I explain them?” If not, you may need to continue to refine your approach to the data you are using.
- Greek-letter mathematics and models: Most companies don’t have teams of data scientists dedicated to perfecting their risk models. The good news is that this is not required for success, or at least, you don’t have to do it yourself. I encourage companies to lean on the vendor community to help build these models into their program. See this Cyber Risk Analytics Buyer’s Guide to learn more about what to look for when investing in a risk analytics platform.
- Collaboration across the enterprise: We have heard a lot recently about establishing a risk-aware culture. Usually, this is in the context of phishing attacks and insider threats. When cranking up a cyber risk management program, demands for collaboration are taken to the next level. Collaboration is required in two areas: 1) when deciding which areas of the organization to assess for risk first, since not all business processes are equally important to the company’s operations; 2) when deciding HOW to address risks that are revealed, since there are often multiple reasonable approaches. This point could be an entire blog of its own, and deserves an extended discussion. In a nutshell, one option when risk is revealed is to ‘do nothing.’ In fact, that is precisely what many companies have been doing for some time. However, doing nothing ignites a new level of scrutiny when the cyber risk is known and financially quantified.
As an industry, we are all beginning this workout, so it will benefit us to share notes. I can assure you that this workout will NOT go the way of the ThighMaster or the NordicTrack. We will be talking about cyber risk for generations to come. This overview provides a simple starting point for your cyber risk regimen. Yes, you will feel awkward and weak in the beginning. Yes, you will get sore. But think of this as a journey, and don’t wait to get fit before starting.