We need a new approach to cyber risk assessment

September 21, 2018

“Garbage in, garbage out.” For years, cyber risk assessments have often revolved around checklists of standards and practices that IT professionals can use to check off what they’ve done, but that model is insufficient, producing results that are hindering cybersecurity.

ISA President Larry Clinton, at the Command and Control conference on Friday, September 21, called for a new model for cybersecurity risk assessments – one that is more effective at addressing the growing and ever-changing cyber threat, and one that requires engagement of corporate and government leadership.

“If your risk assessment method is overly simplistic or inadequate, it may generate the wrong conclusions,” Clinton said in his speech. “As a result, you may develop a false sense of confidence in your security methods, which might not only waste scarce cybersecurity resources, but could be counter-productive to your security efforts. A sloppy cyber risk assessment method can actually make you less secure.”

The more effective model, Clinton said, is one similar to how organizations assess financial risk – one that is truly empirical, prioritized, and cost-based.

“Cyber risk management needs to evolve to a more systematic process that weaves in more than just technical compliance but includes critical thinking, understanding of probability theory, training in calibrated estimation, familiarity with decision models, and knowledge of the business contexts of security decisions,” Clinton said.

Moreover, they need to be cost-justified based on unique business and culture parameters.

To begin shifting to this model, engagement with leadership at the corporate and government levels is needed, Clinton said.

“We need to have our corporate boards of directors and our most senior government officials evolve a true understanding of cybersecurity and how to manage it,” Clinton said. “We are not going to prevent cyber-attacks any more than we can stop tornadoes or hurricanes – but we can learn to manage the cyber risk more effectively.”

The ISA has worked with industry and government partners to develop cyber-risk oversight handbooks for corporate boards. Initially developed for the United States in partnership with the National Association of Corporate Directors – and endorsed by the Department of Homeland Security – the handbooks have since been expanded to the United Kingdom and German markets. In the coming months, ISA will produce additional handbooks on cyber risk management for corporate boards for the Latin America market.

The German handbook was developed in partnership with the German government’s Federal Office of Information Security – known as BSI – and has been promoted through outreach events such as the Command and Control conference and engagement with the British Embassy and the U.S. Department of State, among others.

“We need to secure the cyber systems for industry and government,” Clinton said. “But we need to provide cybersecurity while also continuing to support our economy, facilitate innovation, provide job growth, and protect our citizens. In short, we need to evolve a cyber system that is not just secure but is also economically and practically functional in the 21st Century.”

To build this more secure model, cybersecurity needs to be pursued through partnerships between government and industry to better educate public and private sector leadership and incentivize better cybersecurity.

“In the cybersecurity world, we are all on the same team,” Clinton said. “We would suggest the need to evolve a model that looks more like a successful marriage – where government and industry are co-equal partners in securing the common networks we share.”

And thankfully, those partnerships have already started to produce results – through the release of cyber-risk handbooks that have been independently assessed by PricewaterhouseCoopers as producing positive cybersecurity outcomes among corporate boards.

The handbooks are available to download, free of charge, here:

U.S.:  https://isalliance.org/isa-publications/cyber-risk-oversight-handbook/

UK and Germany: https://isalliance.org/isa-publications/international-cyber-risk-management-handbooks/