[BreachExchange] Expectations for CISOs Have Changed

Destry Winant destry at riskbasedsecurity.com
Tue Sep 18 01:35:48 EDT 2018


https://www.securityweek.com/expectations-cisos-have-changed

There was a time once when CISOs could dazzle or dominate every
conversation with the board or senior management – they were the high
priests of a technology that no one outside the cubicles of the IT
group could understand. The inside joke was that all it took was FUD –
Fear, Uncertainty and Doubt – to win budget.  A heat map with some
angry red zones was a good visual aid.

Enter the Standards Compliance era – CISOs had industry-accepted, and
even government-approved standards like the National Institute of
Standards and Technology Cybersecurity Framework (NIST CSF), to
justify spend toward a goal of “maturity” -- filling out your
compliance checklist.  More recently, vendors have begun offering
CISOs security “scorecards” that count maturity ratings,
vulnerabilities, threat issues, patching history, and other indicators
to spin up a numerical security rating.

Now, we’ve entered a new era. Recently, we’ve seen malware paralyze
operations and ding profits at major global companies, and data
breaches give haircuts to stock valuations. We’ve seen government
regulators—the SEC, the New York Department of Finance, and the EU
through the General Data Protection Regulation (GDPR)—steadily
increasing supervision of cyber activities by private companies,
demanding more, and better, disclosure. We’ve seen large companies in
every industry facing digital disruption—from autonomous vehicles and
the Internet of Things to Bitcoin—and trying to weigh the risks and
rewards of adapting.

These are board room and C-suite concerns, and from their vantage
point, cyber risk has risen to the level of enterprise risk – which
they expect to be measured, managed, and reported in the terms that
the rest of the enterprise understands, namely, in financial terms to
show the likelihood and potential cost of losses. And that’s a problem
for the standard CISO communication toolkit because it doesn’t really
communicate business risk.  At best, it offers implied risk—if our
scorecard number is low we must have more risk, right? And if we spend
more on controls to make the numbers increase we must have less risk,
right?

Just don’t ask us to tell you how much more or less risk, and
certainly not in dollars. And don’t look to us to help you with the
tough questions you face, such as:

• How can I disclose to regulators if our cyber risk hits levels that
materially impact the finances of the company?

• What’s the return on investment for any major cyber project with a
security aspect, like moving operations to the cloud or consolidating
and protecting our critical intellectual property?

Hiding behind techno-babble just won’t work anymore. Expectations have
changed. Welcome, CISOs, to the era of Cyber Risk Economics.

The good news is that your profile in the organization has jumped up
several levels, which is an invitation to up your game, to think more
broadly and in business terms about cyber risk and cybersecurity.

Great, but where to start? Consider the standard Factor Analysis of
Information Risk (FAIR) Model for Quantitative Risk Analysis.

Despite the name, FAIR is more a change in how you think about risk
than another scorecard of numbers. Many infosec teams use FAIR in two
ways. First, to identify and define the organization’s true risks as
possible loss scenarios driven by cyber events. The questions that
need to be answered to describe such a loss event are: What is the
asset at risk? What is the threat that we are facing? What is the
threat effect? What are the forms of loss that we could incur?

Second, infosec teams use FAIR to measure risk as the probable
frequency and probable impact of such loss events, which allows them
to communicate risk to the other business stakeholders in a language
they understand—dollar amount.

So, a “vulnerability” is not a risk. “Ransomware” is not a risk. “The
Cloud” is not a risk. If those sound like the items listed as risks in
your risk register, you’re not alone. These are factors that
contribute to risk but are not a loss event by themselves. Many teams
start implementing FAIR by cleaning up their risk registers and
getting everyone focused on the probable events that could cause their
organization real loss. They move on to prioritizing those risks and
then, with the use of FAIR-powered software, running analyses to see
what controls are most effective in reducing risk. When the board or
senior management want to understand the implications of a new threat
or an audit finding, or the risk associated with a new initiative,
like moving a critical application to the cloud, they have the
analytical skills and the applications to quickly send back a range of
scenarios that make the risk choices clear to the decision makers.
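The two uses of FAIR described above (scoping a loss scenario with the four questions, then measuring it as probable frequency times probable magnitude in dollars, and comparing controls) can be shown in a small Monte Carlo simulation. The following is an added example written for this post, not code from the article, from SecurityWeek or from the FAIR standard itself; the scenario, the min/most-likely/max ranges, the control and its cost are all constructed for illustration, and the triangular sampling and Knuth Poisson draw are simplifications of the distributions a FAIR tool would use.

```python
# Added example (not from the article): a minimal FAIR-style Monte Carlo
# estimate of annualized loss exposure for one loss scenario, plus a
# before/after comparison of a candidate control. Every range and dollar
# figure below is constructed for illustration.
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass
class Estimate:
    """Calibrated min / most-likely / max range, sampled as a triangular distribution."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:          # degenerate range: a fixed value
            return self.low
        return rng.triangular(self.low, self.high, self.most_likely)


@dataclass
class LossScenario:
    """The four FAIR scoping answers plus the two quantities FAIR measures."""
    asset: str                      # What is the asset at risk?
    threat: str                     # What is the threat we are facing?
    effect: str                     # What is the threat effect?
    forms_of_loss: tuple            # What forms of loss could we incur?
    loss_event_frequency: Estimate  # loss events per year
    loss_magnitude: Estimate        # dollars per loss event


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of events in one year at expected rate lam."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario: LossScenario, years: int = 10_000, seed: int = 7) -> list:
    """Simulate `years` independent years; each entry is that year's total loss in dollars."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        events = poisson(rng, scenario.loss_event_frequency.sample(rng))
        annual.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return annual


def percentile(values: list, q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(annual_losses: list) -> dict:
    """Loss exposure figures in dollars, the form a board-level report would quote."""
    return {
        "annualized_loss_expectancy": statistics.mean(annual_losses),
        "median_year": statistics.median(annual_losses),
        "p90_year": percentile(annual_losses, 0.90),
        "p95_year": percentile(annual_losses, 0.95),
        "worst_simulated_year": max(annual_losses),
    }


def control_value(baseline: list, with_control: list, annual_control_cost: float) -> dict:
    """Expected dollars of risk removed per year by a control, net of what it costs."""
    reduction = (summarize(baseline)["annualized_loss_expectancy"]
                 - summarize(with_control)["annualized_loss_expectancy"])
    return {"risk_reduction": reduction, "net_benefit": reduction - annual_control_cost}


if __name__ == "__main__":
    # Constructed scenario: ransomware takes down an order-processing platform.
    baseline = LossScenario(
        asset="order-processing platform",
        threat="ransomware operator",
        effect="loss of availability",
        forms_of_loss=("productivity", "response", "replacement"),
        loss_event_frequency=Estimate(0.1, 0.3, 1.0),
        loss_magnitude=Estimate(200_000, 800_000, 3_000_000),
    )
    # Hypothetical control (tested offline backups) shrinks the outage, so magnitude drops.
    hardened = replace(baseline, loss_magnitude=Estimate(50_000, 200_000, 900_000))
    for label, scenario in (("baseline", baseline), ("with control", hardened)):
        figures = summarize(simulate_annual_losses(scenario))
        print(label, {k: f"${v:,.0f}" for k, v in figures.items()})
    print(control_value(simulate_annual_losses(baseline),
                        simulate_annual_losses(hardened), annual_control_cost=150_000))
```

The output is a range of dollar outcomes per year (expected, median, 90th and 95th percentile, worst simulated year) rather than a single score, and `control_value` turns "is this control worth it?" into an expected risk reduction net of the control's annual cost, which is the shape of answer the return-on-investment question above asks for.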

This is a growing movement, and I think it’s the right movement during
this era of heightened expectations for CISOs.
