Ahead of RiskMinds Insurance, we asked a number of global CROs what their major concerns are for risk management in 2018. The vast majority of risk professionals cited advances in technology, and the cyber threats that come with them, as their primary concern. Norman Marks, retired CRO and CCO and thought leader in internal audit, risk management and governance, discusses where the industry is in terms of preparing for cyber attacks, and why the concern is warranted.
What does the data say?
A number of recent publications address this topic, and all are worth reading:
- Cisco’s annual cybersecurity report
- The FAIR Institute’s risk management maturity benchmark survey
- EY’s global information security survey
- PwC’s global state of information security survey
The Cisco report reads at times more like a marketing pitch, implying that too many companies use multiple security vendors’ solutions and would do better with one (from Cisco). But they do make some interesting points:
1. The Cisco 2017 Security Capabilities Benchmark Study found that, due to various constraints, organizations can investigate only 56 percent of the security alerts they receive on a given day. Half of the investigated alerts (28 percent) are deemed legitimate; less than half (46 percent) of legitimate alerts are remediated. In addition, 44 percent of security operations managers see more than 5000 security alerts per day.
2. Twenty-seven percent of connected third-party cloud applications introduced by employees into enterprise environments in 2016 posed a high security risk. Open authentication (OAuth) connections touch the corporate infrastructure and can communicate freely with corporate cloud and software-as-a-service (SaaS) platforms after users grant access.
3. An investigation by Cisco that included 130 organizations across verticals found that 75 percent of those companies are affected by adware infections. Adversaries can potentially use these infections to facilitate other malware attacks.
4. Increasingly, the operators behind malvertising campaigns are using brokers (also referred to as “gates”). Brokers enable them to move with greater speed, maintain their operational space, and evade detection. These intermediary links allow adversaries to switch quickly from one malicious server to another without changing the initial redirection.
5. Adversaries work nonstop to evolve their threats, move with even more speed, and find ways to widen their operational space. The explosive growth in Internet traffic—driven largely by faster mobile speeds and the proliferation of online devices—works in their favor by helping to expand the attack surface. As that happens, the stakes grow higher for enterprises. The Cisco 2017 Security Capabilities Benchmark Study found that more than one-third of organizations that have been subject to an attack lost 20 percent of revenue or more. Forty-nine percent of the respondents said their business had faced public scrutiny due to a security breach.
We should all be concerned with these survey findings.
It’s not sufficient to have the best tools if you are unable to respond to alerts.
Even if you outsource (as I suggest) your security infrastructure, company personnel need to be able to react promptly. As we all know, the threats and the capabilities of our adversaries are expanding, not diminishing.
The FAIR Institute’s findings also give cause for concern. It is important to recognize that the respondents to the FAIR survey were already involved with, if not using, that organization’s cyber risk methodologies. You would expect them to be far advanced compared to the general population. FAIR uses a maturity model (see the paper) which is reasonable – except I wish it related what could go wrong in technology to business risk.
The principal finding is this:
"Only 5% of respondents rated their organizations as “Strong” across ten or more of the fourteen factors."
In addition, they said:
"On average, risk management maturity levels were low, regardless of industry or organization size. Interestingly, the four highest-scoring organizations came from different industries, which suggests that maturity isn’t the exclusive domain of any one industry."
If you don’t know what the risk is, you cannot know what to do about it.
Their conclusion is:
"… cyber and technology risk management programs may be focusing on the trappings of risk management (putting policies, processes, and technologies in place) rather than the fundamentals of well-informed decision-making and reliable execution."
EY also sounds a number of alarm bells. Their key findings include:
- 87% say they need up to 50% more cybersecurity budget. However, only 12% expect to receive an increase of over 25%
- Only 12% feel it is likely they would detect a sophisticated cyber attack!
- 89% say their cybersecurity function does not fully meet their organization’s needs
PwC talks mostly about the Internet of Things and robotics, but doesn’t, unfortunately, seem to add much to the discussion.
So what are we to do?
EY makes a fair point (no pun intended).
Cyber practitioners do not believe they are getting the budget they need to be effective.
But, why is that?
I would suggest it’s because they are unable to explain to senior management, the ones who hold the purse strings, why cyber matters to the success of the organization.
Too often, as is the case in these surveys, all the language is technical cyber language and the risks are expressed in terms of technology assets instead of in business terms.
It is essential for senior management to understand how a cyber breach could affect enterprise objectives and the delivery of value to customers and other stakeholders.
That remains my issue with the FAIR methodology.
Why can’t we take each of the enterprise objectives (such as earnings per share) and explain how it could be affected by a cyber breach?
Management needs to weigh the value of an investment in cyber against the value of an investment in a new marketing program, the acquisition of a company that will extend its product range, and so on.
- Understand how a cyber breach could affect the enterprise in business terms
- Consider how much risk we are willing to take, considering the cost (and opportunity cost) of additional investment in cyber
- Evaluate the alternatives, including outsourcing cyber
- Act but continue to monitor, learn, and adapt
This (cyber) is not a problem that is going to go away any time soon. (My hope is that AI will provide a solution in time.)
So it is essential for us to have a disciplined process for determining what to do about it.
This article was originally published on Marks's blog: Norman Marks on Governance, Risk Management and Audit
You can connect with Norman on his Twitter: @normanmarks