The DCRO (Directors and Chief Risk Officers group) recently published their Guiding Principles for Cyber Risk Governance. Their goal is to help assess the practices boards and C-level leaders use to manage cybersecurity. The article in PRWeb represents a valiant and important start to advance the commentary about this critical topic, one that is near and dear to our hearts. We found plenty of great things in the DCRO’s guidance—as well as a few things that are likely to be amended over time.
3 Things the DCRO Got Right
- Identification of key assets (defense in depth is dead). DCRO shines a bright light on a key part of managing cyber risk—understanding how well the crown jewels are protected. This identification of key assets is a business-driven exercise, not a technical one. The implications of this approach require a shift in how security practitioners think and operate. Old school security practitioners cling to a “defense in depth” model. This layered approach (think of a castle with a moat, large walls, and inner courtyards for defense) doesn’t work anymore. The threat landscape has expanded due to a number of factors (mobile, IoT, and others), and security can’t build enough walls fast enough to protect the realm. The DCRO calls for a shift to an inside-out focus, where security begins with understanding the key business assets and creates protections around those assets first.
- Cyber is a strategic business issue, not just a technical one. The only companies that exist to make money on security are security companies. For all others, security is a cost that companies pay to ensure they can execute the business functions they were formed to execute. Cybersecurity, like any cost center, is best optimized in the context of the business. DCRO compels companies to treat cyber as a strategic business issue. When this happens, companies will start to better understand why they spend money on security, how it empowers the business, and in some cases, how they can ensure spend is right-sized and prioritized correctly.
- Culture is king. DCRO tags cyber as a Board-level issue, and that makes me happy. What also makes me happy is that the DCRO also calls for a culture change with respect to managing cyber risk. Too often security is viewed as a “blocking” group in a company. By driving a cyber-aware culture from the top down, the DCRO’s guidance helps organizations to see that what security professionals are doing is valuable and necessary for the business.
2 Things Likely To Change Over Time
- Intelligence Driven Approach. The assumption that you have already been compromised is a good one to make. Thinking “it won’t happen to me” is an easy way to end up out of a job. Yet while the author’s proposal of an adaptive security architecture is a good one, it falls short of where companies need to be. Cyber risks change and evolve continuously. Organizations need to shift to a “continuously predictive model” for cyber defense that quantifies (in financial terms) risk against the key business assets and the technical components that attackers exploit. Attackers adapt continuously and in an asymmetric manner (i.e., non-linear). Companies can’t measure cyber risk annually, quarterly, or even monthly – cyber risk needs to be measured continuously so that the business can adapt when the cyber risk it’s facing changes. Adopting a “continuously predictive model” will help companies view cyber security risk as they view other risks – changing markets, changing competitor tactics, or other key business risks.
- Three separate lines of defense. The three-lines-of-defense model is a standard and solid setup for managing cybersecurity risks. But with the speed of change in cyber – on both the technology and attacker fronts – this model needs to be updated. These three lines should be integrated into a risk function that incorporates managing day-to-day risks in the context of the strategic business needs and goals. Separation of these lines of defense creates communication chasms which, given the speed at which attacks propagate today, can mean the difference between a risk managed and a risk realized.