[BreachExchange] How to Create Smarter Risk Assessments

Destry Winant destry at riskbasedsecurity.com
Fri Aug 9 10:23:59 EDT 2019


Executives and directors need quantitative measurements - such as
likelihood of loss and hard-dollar financial impact - to make more
informed decisions about security risks.

You wouldn't set foot in Sweden and start speaking Swahili — so why
would you use the language of bits and bytes in a boardroom full of
executives to discuss cyber-risk?

Like anywhere, CISOs and security professionals have to learn (and
master) the language of the C-suite. And where risk is concerned, just
presenting directors with a qualitative tool like a heat map to depict
the organization's current cyber-risk isn't going to cut it anymore.
The nature of digital business, not to mention unrelenting headlines
of hacks, ransomware, and phishing incidents, has sensitized
executives beyond the security basics of malware and firewalls.

"It used to be, 'Tell us how bad it is,' but now it's more a case of,
'We're giving you money ... we need to know what we're getting in
return,'" says Nick Sanna, CEO of RiskLens, a risk management software

Sanna adds that directors and executives face more requests to assess
risk in financial terms, including from the Securities and Exchange

Because qualitative measures won't cut it like they used to (so long,
traffic signal graphics!), organizations are either embracing or being
pushed toward measuring risk along two axes: likelihood and potential
impact. These are the two essential metrics for any risk calculation,
cyber or otherwise.
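As an added illustration (not code from the article, from RiskLens, or from the FAIR Institute), the Python below turns calibrated minimum / most-likely / maximum estimates of loss-event frequency and loss magnitude into the two figures the article says a board wants: likelihood of loss and hard-dollar impact, instead of a colour on a heat map. The scenario ranges, the 500,000 tolerance, and every function name are constructed for this example; the triangular distributions and Poisson event counts are modelling choices made here, not any framework's prescribed method.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated range: minimum, most likely and maximum value (hypothetical inputs)."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution over (low, mode, high).
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode), in that order.
        return rng.triangular(self.low, self.high, self.mode)


def annualized_loss_expectancy(frequency: Estimate, magnitude: Estimate) -> float:
    """Point estimate in hard dollars: expected events per year x expected loss per event."""
    return frequency.mean() * magnitude.mean()


def _poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year for a given annual rate (Knuth's algorithm)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(frequency: Estimate, magnitude: Estimate,
                           years: int = 10_000, seed: int = 2019) -> list:
    """Monte Carlo: one simulated year per entry, holding that year's total loss in dollars."""
    rng = random.Random(seed)  # fixed seed so the figures are reproducible
    totals = []
    for _ in range(years):
        rate = frequency.sample(rng)     # events expected this year
        events = _poisson(rng, rate)     # events that actually occur this year
        totals.append(sum(magnitude.sample(rng) for _ in range(events)))
    return totals


def summarize(losses: list, tolerance: float) -> dict:
    """Figures a board can act on: expected loss, likelihood of loss, and tail exposure."""
    n = len(losses)
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "likelihood_of_any_loss": sum(1 for x in losses if x > 0) / n,
        "likelihood_loss_exceeds_tolerance": sum(1 for x in losses if x > tolerance) / n,
        "p90_annual_loss": statistics.quantiles(losses, n=10)[8],  # 90th percentile
    }


# Constructed inputs for one scenario, e.g. "ransomware disrupts order processing".
SCENARIO_FREQUENCY = Estimate(low=0.1, mode=0.5, high=1.2)             # events per year
SCENARIO_MAGNITUDE = Estimate(low=50_000, mode=200_000, high=800_000)  # dollars per event
RISK_TOLERANCE = 500_000  # hypothetical board-approved annual loss tolerance


def scenario_report() -> dict:
    losses = simulate_annual_losses(SCENARIO_FREQUENCY, SCENARIO_MAGNITUDE)
    report = summarize(losses, RISK_TOLERANCE)
    report["ale_point_estimate"] = annualized_loss_expectancy(
        SCENARIO_FREQUENCY, SCENARIO_MAGNITUDE)
    return report


if __name__ == "__main__":
    for key, value in scenario_report().items():
        print(f"{key:>36}: {value:,.2f}")
```

The point estimate alone (expected events per year times expected loss per event) already answers "how much risk do we have" in dollars; the simulation adds what a single number hides, namely how likely a loss is at all and how often a year would blow through the agreed tolerance. Either is a claim a director can challenge or fund against, which a red cell on a heat map is not.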

By moving from qualitative to quantitative risk assessment, the
organization also helps itself create a guide for action. "How much
risk do we have? Are we doing too much or too little? What does it
take for us to stay out of trouble? These are basic questions, but
they are the things you want to know as a business owner," Sanna

Risk management that relies on likelihood and financial impact should
lead organizations and their stewards to better decision-making, Sanna

And for large organizations and Fortune 500 companies, it's likely
they're also tracking other types of risk (strategic, reputational,
legal) within the organization. So tying in other risk measurements
with cyber-risk makes good sense, if only to have everyone using
similar models, methods, and/or lexicon for risk management, according
to Fred Kwong, CISO for Delta Dental Plans Association.

Kwong looks at risk management through a slightly different filter,
using three categories to help measure the organization's cyber-risk:
operational risk (availability of systems), risk to the organization's
data, and reputation risk, also known as risk to the brand.

Kwong points to other risk criteria that peers and colleagues use.
Perhaps best known among these are the NIST risk management resources,
cited by many as a basic compliance checklist. There's also the Center
for Internet Security's Risk Assessment Methodology (RAM), created by
Halock Security Labs. And generating consistent buzz is the risk
framework from the Factor Analysis of Information Risk Institute
(FAIR), which, by most accounts, comes closest to delivering on the
quantitative risk approach advocated by Kwong and Sanna (who's also
president of the FAIR Institute).

"All these models boil down to what the risk is to the organization,"
Kwong says. "They also help us with how to track and measure that risk
so our leaders have the data points they need to make the best
decisions" about managing that risk, he adds.

Kwong cautions against equating compliance with risk mitigation –
think Payment Card Industry Data Security Standard (PCI DSS), Health
Insurance Portability and Accountability Act (HIPAA), or the Federal
Information Security Management Act (FISMA), for example.

"Many risk mitigation plans are built against HIPAA standards, but
that's not an answer to the risk question," he explains. "These
frameworks may help mitigate risk, but they don't really manage risk
or measure impact and likelihood."

As most security professionals know, raising the spectre of
noncompliance has been a great way to get funding for a pet project.

"No one wants to hear they're going to get fined by regulators or not
considered trustworthy," Kwong says. But there's more work involved in
risk management than simply being PCI-compliant, he adds.
