Don’t overthink cyber risk

I have been overthinking cyber risk. I’ve been trying to build a model that I could rely on. I’ll continue to refine my ideas because I enjoy the intellectual challenge, but I am increasingly of the opinion that, until we have the cyber security equivalent of Fischer Black, we need to accept the inherent inaccuracy of cyber risk modelling and use it to support quick decision-making rather than build grand unifying frameworks that ultimately only serve to mislead us further. It’s important to start scouring the vast quantities of data we create for feedback on our decisions rather than try to base them on a level of knowledge that is not achievable.

At the current state of the art, cyber security risks may be too hard to model reliably due to a number of factors. That is not to say that cyber risk assessment shouldn’t be performed; as Jack Jones says, “You can’t avoid measurement”. But the limitations of cyber risk management should be recognised, and any strategic response to cyber risk should account for that.

A change to the cyber risk landscape

On June 27th 2017 a cyber-attack called ‘NotPetya’ was launched against a large number of firms. The attack was notable for three reasons:

  • it used a third-party software update mechanism to spread;
  • it was a geopolitically motivated destructive attack that caused extensive damage to uninvolved bystanders;
  • it used automated techniques, previously associated only with sophisticated manual attackers, that reduced the time the attack took to spread across networks from days to minutes.

This has crystallised a cyber risk that has been a concern for some time: that untargeted and destructive attacks would become as sophisticated as manual attacks by highly capable threat actors.

Do CISOs have a higher calling?

I believe the security profession is coming close to an inflection point. The growing dependence on technology in our increasingly digital societies, the systemic and personal harm that data breaches can cause and the real world consequences of failures in an IoT-driven physical environment mean that security failures are no longer just an interesting news item or a regulatory concern. They matter.

WannaCry and its impact on the NHS is a strong example of how lives can be harmed and disrupted as an unintended outcome of digital criminality.

Stifling, Suffocating, Security?

Security risk management requires balancing a number of stakeholders’ needs. The risk owners, ultimately the board of directors of an institution, set a risk appetite (whether implicitly or explicitly); the business managers and leaders then seek to operate within that appetite to drive growth or deliver their mission. There is commonly a tension between the hunger for growth and the desire for safety, which tends to be very easily handled at an executive level but becomes increasingly contentious the further down an organisation a disagreement occurs.

Portfolios of Risk

I’ve been thinking, and worrying, about portfolio risk and especially cross-portfolio risk in federated environments. In federated environments or extended enterprises it is not unheard of for strong programme management to have a good, clear view of the risks in their scope of activity and, in some more effective enterprises, of the dependencies that different activities within their scope have on each other. It is rare, however, to have a coherent and complete view of the external dependencies between portfolios, and as the pace and variety of change increases this could be a problem.

