No more Department of No

As organisations come to terms with the impact of digital transformation, there have been louder calls for security teams to stop being the Department of No. In general terms this is a positive trend, but there is a danger for security teams: the ‘shift left’ of digital transformation increasingly exposes that security teams have not been living up to the business enablement or business partnership calls we have heard so often in the past.

Security teams need to take this as a wake-up call to rethink what value they actually deliver, and how a change in their approach could increase the value they provide.


Long tails and poverty lines; cyber risk in the supply chain

This week I’ve been attending the third cybersecurity roundtable hosted by the Institute of International Finance (IIF) at their 2018 IIF G20 Conference. The roundtable itself included a good discussion with regulators and firms as well as a summary of the IIF paper on cyber regulatory fragmentation. This paper is not yet published but will be available here.

Some of the side meetings I have had with regulators and other firms have highlighted some interesting issues; the Deutsche Bundesbank described some work they had undertaken from a macro-financial stability perspective on modelling cyber risk across the German financial services sector. What was interesting was that they had started to extend their view beyond the financial services firms to include the ‘cyber network’ of suppliers and outsourcers that underpin the sector.

The value of supply chains in cybersecurity risk management is something I have written about before. In my opinion, the third-party assurance ‘industry’ that we have all created doesn’t wash its face in terms of risk management outcomes versus the cost and effort required to send and complete all these interminable questionnaires. One of my concerns was that we are hugely exposed to the aggregation of cyber risk in the supply chain, and this crystallised when the APT 10 / Cloud Hopper campaign was identified in 2017.

Writing a good risk statement

I often review documents describing risks that fail either to make an impression as to the seriousness of the risks or to explain the cause and impact of those risks; either outcome leads to a less well-informed risk decision by a non-specialist executive.

It is vital when stating a risk to be clear in communicating the various characteristics and components of the risk without assuming previous knowledge on the part of the reader. Here is the guidance that I often offer as part of my feedback.


Don’t over think cyber risk

I have been overthinking cyber risk. I’ve been trying to build a reliable model that I could rely on to mechanise my risk assessments. I’ll continue to refine my ideas because I enjoy the intellectual challenge. However, I am of the opinion that until we have the cybersecurity equivalent of Fischer Black, we need to accept the inherent inaccuracy of cyber risk modelling and use it to support quick decision-making rather than build grand unifying frameworks that ultimately only serve to mislead us further. It’s vital to start scouring the vast quantities of data we create for feedback on our decisions rather than try to base them on a level of knowledge that is not achievable.

At this point in the state of the art, cybersecurity risks may be too hard to model reliably, for many reasons. That is not to say that cyber risk assessment shouldn’t happen; as Jack Jones says, “You can’t avoid measurement”. But the limitations of cyber risk management should be recognised, and any strategic response to cyber risk should account for them.

A change to the cyber risk landscape

On June 27th 2017 a cyber-attack called ‘NotPetya’ was launched against a large number of firms. The attack was notable for three reasons:

  • it used a third-party software update mechanism to spread;
  • it was a geopolitically motivated destructive attack that caused extensive damage to uninvolved bystanders;
  • it used automated techniques previously associated only with sophisticated manual attackers, reducing the time the attack took to spread across networks from days to minutes.

This has crystallised a cyber risk that had been a concern for some time: that untargeted and destructive attacks would become as sophisticated as manual attacks by highly capable threat actors.
