Everyone agrees that risk is essential. They just have different versions of what risk is, Evan Schuman reports.
It’s time to rethink risk – both how to operationalize it and how to define it. With so many incompatible views of risk held by different stakeholders throughout an enterprise, it’s hardly surprising that so many organizations struggle to get beyond a checklist security mentality.
At the large enterprise level, the definition of risk varies based on who is answering the question. CISOs and CSOs approach it from a strictly security perspective; CIOs come close to that view but are more focused on internal audiences; compliance executives take a purely regulatory view; other line of business (LOB) execs take it all very personally (“How will complying with this request help me with my budget goals? Will it improve my division’s time to market, efficiency, perhaps brand loyalty? What’s in it for me?”); and senior C-level executives (CFO, COO, CEO, etc.) and board members view it tactically and fund it as little as is – in their view – absolutely necessary. Chief risk officers – assuming the enterprise has one – take the broadest view of risk, but their influence on other parts of the enterprise can be highly limited.
Rethinking risk means incorporating all those perspectives together in a comprehensive strategy.
Let’s start at the top, with CEOs and their boards. Those groups control – usually with considerable influence from the CFO – the money, and money is ultimately what CISOs need to deploy much broader and more extensive risk programs. Doug Barbin, the cybersecurity leader at the Schellman & Co. consulting firm, sees far too many CEOs looking at security tactically (seal the hole, slightly improve authentication, reduce the number of breaches) and ignoring the root causes of those security threats. Until the root causes are meaningfully addressed, everything else is little more than a band-aid, and usually a temporary and ineffective band-aid at that.
The argument: CEOs and board members think of risk far too narrowly – which is why it’s not given appropriate budget and support. When there’s a breach, the CEO/board cares that there’s been a breach. When they probe for “why did it happen?” they are satisfied with answers like “a hole in Apache” or “a configuration issue with AWS.” But they don’t ask things like “How did the thieves get two years of customer data, when our data retention policy says we don’t keep anything longer than six months?”
Barbin equates it to a murder investigation about a fatal shooting. Police see the dead guy and they ask “Why is he dead?” Their answer is that he was killed with a .45 pistol. But that’s not the real answer. The answer involves a dispute between these two people. “How did the killer get the gun? Why did the killer shoot? What caused it all to happen?” That’s the same problem with CEOs. If they insist on the team figuring out the real problem behind the breach – such as a woefully outdated datamap and severe understaffing – then they may actually be addressing the risk.
Asked where he sees most enterprise CEO risk mindsets today, Barbin says: “Today I think it’s between a compliance checkbox and an ‘I’ve been notified.’ I don’t see a lot of instances where the CEO is actively involved” in those big-picture risk discussions.
Barbin also drilled down into some of the most problematic risk elements, such as shadow IT and mobile device management (MDM) – especially in this new world of mandated full telecommuting courtesy of the coronavirus pandemic. On shadow IT, Barbin argues that enterprises should provide all the tools that employees need, so that they stay within enterprise apps “so they don’t go out and use Dropbox or Google Drive. By giving them enough collaboration tools, they are not necessarily going to go out to get them.” On MDM, Barbin says “MDM has not caught up with today’s BYOD environment.”
That narrow thinking – thinking that does not sufficiently factor in the whys and potential impacts of a risk strategy – is certainly not limited to CEOs and board members. Malcolm Harkins, the chief security and trust officer at security vendor Cymatic, recalls a conversation he recently had with the CTO of a multi-billion-dollar cement company. The topic was the cement company’s recent project to create smart concrete, by installing sensors in the wet concrete and then monitoring it afterwards.
“The sensors would help them determine road deterioration and they could later sell that information as big data for analytics on open road use,” potentially offering the data to traffic tracking firms that own applications such as Google’s Waze or Apple Maps, Harkins says. Autonomous vehicles – which could access the data about road conditions directly to theoretically navigate around potholes and other road problems – are another area being considered by the cement maker.
The problem was that the company put almost no sensor security in place, which could create a massive risk problem later, Harkins says he argued to the CTO. “What security implications? We’re just putting sensors in cement,” the CTO said, according to Harkins.
Harkins says that he pointed to terrorist attacks such as the bombings at the Boston Marathon in 2013. What if terrorists wanted to reroute cars toward explosives? With no security, they could theoretically convince sensors that perfectly fine roads were having problems, to reroute traffic into danger. (Note: Tricking mobile traffic apps is not especially difficult, as established this year when a person rerouted traffic by slowly walking a wagon full of phones down an empty street.)
“If I can play with the integrity of your data flow and the mapping software, I can create (the illusion) of a traffic jam and reroute traffic where I want it to go,” Harkins says. A far less vicious implementation could simply be a merchant who relies on street traffic seeing her signage and wants to lure as many cars as possible to drive in front of her storefront.
Harkins says the CTO was surprised and had not considered any such ominous possibilities and hadn’t seen a need to budget for security or to bring security staffers into the planning meetings.
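The integrity control the cement maker skipped is not exotic. The following is an added example, not code from the article or from any company mentioned in it, showing the defensive side of what Harkins describes: each sensor authenticates its readings with an HMAC, and the collector rejects readings whose values have been altered in transit, replayed from an earlier capture, or sent from a sensor it has no key for. The sensor IDs, shared keys and strain values are constructed for the demonstration; the per-sensor key provisioning and the sequence-counter replay check are assumptions about how such a deployment would be built.

```python
import hmac
import hashlib
import json

# Hypothetical per-sensor shared keys (constructed for this example). A real
# deployment would provision a unique key per sensor at manufacture time.
SENSOR_KEYS = {
    "sensor-0042": b"constructed-demo-key-0042",
}


def _canonical(body: dict) -> bytes:
    """Encode a reading deterministically so sensor and collector sign the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(sensor_id: str, key: bytes, seq: int, strain: float) -> dict:
    """Sensor side: build a reading and attach an HMAC-SHA256 tag over it."""
    body = {"sensor_id": sensor_id, "seq": seq, "strain": strain}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


class ReadingVerifier:
    """Collector side: accept only authentic, fresh readings from known sensors."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_seq = {}  # sensor_id -> highest sequence number accepted so far

    def accept(self, reading: dict) -> bool:
        key = self.keys.get(reading.get("sensor_id"))
        if key is None:
            return False  # unknown or rogue sensor
        try:
            body = {k: reading[k] for k in ("sensor_id", "seq", "strain")}
        except KeyError:
            return False  # malformed reading
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison; a mismatch means the value or tag was altered.
        if not hmac.compare_digest(expected, str(reading.get("mac", ""))):
            return False
        # A sequence number at or below the last accepted one is a replay.
        if body["seq"] <= self.last_seq.get(body["sensor_id"], -1):
            return False
        self.last_seq[body["sensor_id"]] = body["seq"]
        return True


def demo() -> dict:
    """Run the four cases a collector must distinguish and return the verdicts."""
    key = SENSOR_KEYS["sensor-0042"]
    verifier = ReadingVerifier(SENSOR_KEYS)
    genuine = sign_reading("sensor-0042", key, seq=1, strain=0.12)
    # An attacker who intercepts the reading can rewrite the value but cannot re-sign it.
    tampered = dict(genuine, strain=9.5)
    rogue = sign_reading("rogue-1", b"attacker-chosen-key", seq=1, strain=9.5)
    return {
        "genuine": verifier.accept(genuine),    # True: authentic and fresh
        "tampered": verifier.accept(tampered),  # False: MAC no longer matches
        "replay": verifier.accept(genuine),     # False: seq 1 already accepted
        "unknown": verifier.accept(rogue),      # False: no key for this sensor
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:8s} -> {'accepted' if verdict else 'rejected'}")
```

The point for the boardroom is that the cost of this control is a key per sensor and a few lines in the collector, while the cost of omitting it is that anyone on the path can report a failing road that is perfectly fine.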
Label this the insufficient creativity problem for risk strategies. This is where senior executives – ideally ones other than the CISO, CRO or CIO – don’t get sufficiently creative in anticipating likely security and risk problems while getting quite creative about new product/service functionality. It can be argued whether those executives are expected, or even obligated, to think that way. What cannot be argued is the need to bring security and other risk executives into those early meetings, as those people are trained and paid to think that way.
One of the other problems with risk strategies is that almost all of the risk players – CISOs and CROs included – tend to be minimalists. These overworked and understaffed executives tend to deal with almost every risk problem in the smallest way possible, as long as it fixes the immediate issue. If a new privacy or security compliance rule changes the requirements for residents of, for example, Kansas, a popular response is to search for IP addresses coming from Kansas and make the changes solely for those customers – as opposed to making the privacy changes universally, to get ahead of the next compliance privacy rule. Or, if an IoT device is problematic, the response is to remove the device, rather than to use a form of continuous authentication to see whether IoT devices globally are exhibiting similar behavior.
“Everything is around incrementalism,” Harkins says, adding that enterprise risk is, to borrow a cliché, in the eye of the beholder. “Risk is simply the potential for harm. But who gets harmed? Shareholders? Customers? Employees? Society? The issue is how is risk framed.”
A point that Harkins and other security experts stressed is that the risk case must first be made to every enterprise LOB unit or, at the very least, the most significant ones. The case, often made by the CISO to the heads of those LOBs, needs to be in terms that are most persuasive to those non-security executives. Does the security change fix a manufacturing control that otherwise is highly inefficient? Does it improve operations to the extent that it could improve time-to-market? Does it allow LOB employees to do their jobs much faster – perhaps through behavioral analytics, seamlessly authenticating users and relieving them from repeatedly logging in – and potentially save money?
This requires speaking the language of many different LOBs, and that requires first learning that language. Most CISOs work hard and do quite well at learning their boss’s language, often the CFO’s. But it’s a very different story when talking with the head of manufacturing, marketing, supply chain, operations, the president of the company for a different country, telecom and the like. The CISO must become conversant in the goals, needs, fears and department-centric terminology of as many of them as possible, which is often where embedding a security staffer in key departments becomes important. This is similar to the premise of DevSecOps, but expanded from coding/programming groups to everybody else. It also requires two-way communication. Those embedded security people must do as well at teaching that group about security issues as they do at learning everything they can about that LOB and reporting back to the CISO. They must simultaneously be both the teacher and the student.
“Start with a listening tour: What (those other LOB executives) care about, what their business objectives are,” says J. Wolfgang Goerlich, advisory CISO of Duo Security. “You must interpret and explain security needs as business outcomes. Security can no longer be about avoiding the bad things. It must align to the business direction.”
Tucker Bailey, a partner at consulting firm McKinsey & Company, agrees with the idea of embedding security talent in various business units, but maintains that it is harder to implement because of a shortage of the appropriate security people. He’s not referencing the overall security shortage per se. Bailey says these kinds of embedding efforts require security people who are willing to dig deep into and learn another part of the business. People who are willing to learn as well as being security experts “tend to be a little bit of a unicorn. There is a subset who have no interest in understanding the business.”
Joe Nocera leads the cybersecurity and privacy practice for financial services at accounting consulting firm PwC (formerly known as PricewaterhouseCoopers). Nocera argues that a key part of security has to be guarding not merely against the big flashy attacks that are covered by the media, but against the most probable attack.
Part of risk is “understanding which vulnerability is most likely to be exploited. The bad guys use the path of least resistance,” Nocera says. “If they can get in using a more common attack, they will. They don’t want to burn a zero-day if they don’t have to.”
But when communicating with other business unit executives, Nocera agrees with Harkins: CISOs must learn to speak the language of their LOB counterparts. Security must stop being seen as the department in charge of saying “no.”
The answer to other business units “has to be ‘yes’ and here’s how we are going to enable it, rather than ‘no, but…’,” Nocera says.
The biggest risk concern that Nocera discussed, though, was “accepted risks.” Those are the risks that the enterprise has likely endured for a very long time and that are too difficult, costly or time-consuming to fix. “In almost every case, it was a risk inherently accepted, often because it wasn’t being funded or prioritized,” he says, stressing that it’s a massive issue for boards today. Board members need to discuss “these are the four or five big risks that we are living with today. That’s a very important discussion in the boardroom and that doesn’t happen enough,” Nocera says.
Fred Kneip, CEO of CyberGRX, says one of the biggest accepted risks he sees large enterprises ignoring is third-party partner issues. “Things that aren’t easily understood are delayed. Comprehensive risk is one,” he says, before citing two Fortune 10 client examples. The smallest of the Fortune 10 companies today reported $168 billion in annual revenue.
One of the enterprises referenced had about 30,000 global partner companies, whereas the second had about 20,000 global partner companies, Kneip says. Both enterprises opted to do extensive risk reviews on all new partners but, in effect, to grandfather in the existing partners, meaning that those wouldn’t be subject to a risk review.
“You look at that whole backlog, companies where they have never done a risk assessment. (These Fortune 10 companies) are begrudgingly accepting that risk and choosing to move onto the next thing,” Kneip says.
Kneip argues that CISOs focus too much on narrow security products and not enough on the overall security posture.
“The majority of what is available to CISOs are point offerings: A SIEM tool, a new firewall, new endpoint protection, etc. They can all be configured to work together, but not really. The current flow of new events, fire drills, etc. is relentless and CISOs rarely have the capacity and time to pull up and build a concerted plan before the next urgent situation takes over. Context switching alone takes up more than 50 percent of team capacity. It is stunning how many times I have had a CISO step out of a meeting to deal with an incident,” Kneip says. “Third party cyber risk is a great example of this. It is one step removed and thus typically not top of mind, until you have a breach at one of your third parties and you don’t even know what kind of data they have. It then becomes a fire drill to lock it down and determine your exposure. Initiating a program at that time is too late. If CISOs continue on the patchwork program, it is like building a boat one panel at a time, in that it will never keep water out. You need to build the shell to start and then bolster and augment it along the way. There may still be some leaks, but the frame will hold and you can patch them appropriately.”
McKinsey’s Bailey also points out another roadblock hindering enterprise risk efforts: the pull of industry security norms. Enterprise CISOs and CFOs “will invest to meet the regulatory” rules, but beyond that, “the CEOs will call all of their peers in that industry and ask what they are doing” about security and risk protections, and will try to meet but hardly ever exceed that level. “Counsel says the appropriate level of due care is what the mass of their industry is now doing. They’re going to meet the letter of that requirement.”