[BreachExchange] Avoiding The Blame Game For A Cyberattack

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 8 19:19:11 EDT 2016


http://www.darkreading.com/attacks-breaches/avoiding-the-blame-game-for-a-cyberattack-/a/d-id/1326850


CISOs crave it, senior executives need it, and boards of directors demand
it. What is it? Exculpability: being held free from blame. Why do they
need it? Because in a world where perfection is impossible to achieve,
exculpability is what will ultimately protect reputations in the wake of a
serious cyberattack.

In legal terms, cybersecurity exculpability means that management and
security operations teams within an organization took responsible actions,
even though an unfortunate event still occurred. Those responsible actions,
in turn, give security leaders assurance that their careers can survive a
breach, and they give senior executives and boards a convincing argument
that, despite the potential peril, understanding and actively managing cyber
risk is a far better course of action than pretending the risk does not
exist.

The challenge becomes defining the duty of care that will absolve security
managers and execs after a serious breach. Today, where the risk climate is
rapidly and constantly evolving, technology and traditional controls alone
will always be an imperfect defense. So how can an organization develop a
framework of acceptable care for cyber? Let’s start by looking to other
areas of society and business where duties of care are already recognized.

Everyday life: the reasonable person standard
The most logical place to start is everyday life, where the concept is
fairly straightforward: individuals acting as reasonable persons should not
be held liable for harm suffered by others. In effect, accidents can always
happen, but liability should attach only when a person violates his or her
duty to act reasonably.

Unfortunately, there will always be legal nuance to consider when defining
reasonable actions, including defining a standard of care for the
situation in question. Worse, the sad reality is that lawsuits are usually
inevitable regardless of perceived fault. Still, the concept is one of the
longest-standing responsibility barometers in society. Simply put, the
reasonable person standard gives people the ability to avoid black marks
when they did not do anything wrong.

Regulations, certifications & standards
The next place to look, and one that often serves as a default duty of
care, is the arena of regulations, certifications, and standards. To be
sure, there are already plenty that affect the cyber world, such as
PCI-DSS, ISO 27001, HIPAA, SANS 20 and many more. Some, like PCI-DSS for
credit and debit card processing entities, are mandatory, at least with
respect to avoiding fines and penalties. Others are voluntary and show that
an organization is following a known methodology to manage cyber risk.

The bad news is that relying on this approach exclusively has two
weaknesses. First, compliance often establishes only a minimum threshold,
and because the controls a standard prescribes are public, adversaries can
study them and design attacks around them. Second, and more important, most
standards and requirements are snapshots in time: an assessment shows the
state of controls on the day it was performed, not the day of the breach.
None of them can therefore be the exclusive remedy to the problem.

Financial reporting
The last area to consider is very well known to senior executives and
boards of directors of public and private companies of all industries and
sizes: financial reporting. It is the most trusted means of giving
shareholders and stakeholders a snapshot of how an organization is
performing at any point in time. Yes, it is an imperfect methodology, and
from time to time firms commit fraud in producing balance sheets, income
statements and statements of cash flows.

On the other hand, it is tough to argue against the record: modern financial
reporting has given rise to functioning markets and has allowed the system
to stand the test of time for nearly a century. Simply put, financial
reporting provides a constant barometer of responsibility and externally
verifiable insight into how an organization's leadership is continually
managing its affairs.

Defining a duty of care for cyber risk
Borrowing most heavily from the three-part schema of financial reporting,
let's propose that a cyber duty of care has been met by security and
organizational leaders who can confidently, continuously, and affirmatively
answer the three most critical cyber-risk questions:

Do we understand our cyber exposure?
Are we managing our cyber risk as effectively as possible?
Do we have the ability and financial resources to fully recover from a
cyber event?

The first question can be answered by conducting, and at least annually
refreshing, an impact or quantification analysis that covers the entire
range of first- and third-party financial and tangible exposures.

The second question can be answered by adopting, and frequently refreshing,
an appropriate cyber program maturity framework, and by ensuring that the
firm's insurance portfolio is tuned to its cyber exposure.

The answer to the third question follows from the first two: it reflects
both the maturity of the firm's incident response capabilities and the
sufficiency of financial reserves and insurance to cover the impact of an
event.

Ultimately, these are the three most critical questions that shareholders
should ask of their boards, boards of their executives, and executives of
their security leaders. In turn, all of those organizational leaders should
be ready with answers, especially in the aftermath of a cyber event, when
the proof will lie in whether security leaders took their cyber-risk
management responsibilities seriously.

If, in fact, the organization executes its recovery and has the resources
and insurance to minimize the financial impact, exculpability should
rightly follow.