Cyber security governance and risk management are top of mind for many organisations in 2023. Until now, the cyber insurance sector has largely driven this thinking as, faced with growing loss ratios, insurers have sought to improve the quality of cyber security risk information and better manage their risk. Their requirements for more rigorous underwriting methodologies and security controls have yielded greater accuracy in risk understanding and pricing, and regulators and the courts are now catching up.
This in turn has made risk management and oversight a key concern for senior executives and directors – whose responsibilities are significantly more onerous than any insurance underwriter. Yet these executives need guidance: in its absence, nightmarish stories of cyber attacks, hefty fines, and hectoring articles that rehash directors’ responsibilities will only drive cyber anxiety and worsen decision making.
Executives must not fear. Instead, they need an approach to cyber security that lets them take control of a vital strategic asset and focus on their other responsibilities. After all, the spice must flow.
The intelligence lesson from insurance
A significant issue preventing effective management and decision making has been the lack of adequate data-driven information. Subjective questionnaires and efforts that amount to “marking your own homework” can’t replace data-driven metrics for informing a formal process or framework. It might not be apparent to some relying on it, but a considerable amount of operational risk assessment information isn’t evidence based. This lack of evidence can prejudice security decisions, while much of this arbitrary and unverifiable information won’t meet senior executives’ and directors’ regulatory and governance oversight obligations.
Little wonder executives and directors feel under pressure; many quietly acknowledge they don’t even know what they don’t know.
The cyber insurance industry has already overcome a similar problem. Solving it involved more rigorous risk assessment and verification of controls, and insurance contracts that allocated clear risk responsibilities between parties. Just like insurers, 2023’s senior executives and directors need a clear understanding of, and accountability for, the quality of the risk information they receive – and how much they can rely on it to inform cyber security oversight.
Ultimately, insurers understood the bottom line: quantitative measurement enables evidence-based comparative risk appraisal. Qualitative judgements are inevitably prone to human bias and will result in lower confidence decision making.
Frameworks: The atlas of risk management
At its heart, cyber security is no different to any other form of operating risk, such as credit or FX. The risks may be more complex and the resources and risk management models still evolving, but the broad principles remain the same. Businesses that rely on systematic frameworks alongside risk management instruments and quantitative processes will find it much easier to understand and effectively manage risk. Selecting the right cyber security risk framework will be a good starting point.
When choosing an appropriate framework – such as the ACSC Essential Eight, NCSC Cyber Essentials or NIST Cybersecurity Framework – organisations should look for relevance. As well as meeting industry and jurisdictional needs, the framework should support an easy to use, systematic and incremental risk assessment capability. For instance, providing an “industrialised” means to automatically measure core risk mitigation controls’ presence, effectiveness, and maturity. A quantitative control measurement and reporting capability to support risk prevention, containment and recovery efforts is foundational for cyber security risk management and governance.
Organisations can build on this basis to increase the reach of their risk management, but the core framework aim for simplicity – focusing on security controls that will have the greatest effect and make it easy to establish a baseline of security resilience. Used correctly, the right framework will give users an actively maintained, easy to use, systematic cyber security risk framework and maturity model that’s ideally suited to empirical measurement of control effectiveness, evidence-based risk management and quality improvement; and – like a diagnostic imaging tool – provides a clear, accurate and reliable depiction of cyber resilience.
Betting the house on cyber security resilience
Qualitative, anecdotal risk information is not enough – and never was. Cyber security resilience and oversight is no longer a bonus – it’s an essential function, and even a competitive advantage.
The cyber security risk environment is highly dynamic, demanding never-ending mitigation of vulnerability gaps. In this domain, detail matters. Risk measurement has to be accurate, objective, and assist prioritisation of risks and proposed mitigation strategies. Quantitative “risk accounting” and auditable assessment processes that measure against appropriate security risk frameworks are critical to effective cyber security risk management and oversight
Over time, new risk management processes and technologies will evolve to support a broader cyber security governance framework and near real-time empirical risk measurement system. Right now, however, choosing the right framework will remove a huge burden from security teams and executives.
Peter Woollacott is CEO of Huntsman Security, an Australia-based SIEM and cyber analytics platform specialist.