Understand, Manage, and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program

Leirvik, Ryan

Product description

Introduction

Part 1: The Problem


Chapter 1: The situation

Chapter 2: The complication

Information Technology, or "IT", became pervasive around 1995, and after a quarter-century of IT in organizations, managers, engineers, and board-level oversight still speak different languages. This language divide breaks the strategy-to-management-to-tactical thread that is critical for overall organizational risk management, not to mention overall business management, and it makes it harder for these functions to align on one shared language for managing cyber risk.


Chapter 3: The resolution

One unified approach to cybersecurity:


- Be clear on identifying the risk

- Understand the risk

- Categorize the critical data at risk

- Determine the causes, consequences, and accountability of a data breach

- Identify the business impact of a breach

- Simplify how you manage the risk

- Apply a framework

- Structure the organization (i.e., staff and management)

- Prepare to respond (... and recover)

- Build feedback mechanisms to measure the risk

- Choose risk-informative metrics, Key Performance Indicators (KPIs), and Key Risk Indicators (KRIs)

- Apply appropriate resources (e.g., measuring projects, overseeing initiatives)


Part 2: The Solution

Chapter 4: Understand the problem

Knowing what "problem" you are solving is the most critical part of problem solving, so it is important to spend time exploring the main issue. This typically means asking others what they see as the problem, gathering facts and opinions (and knowing the difference between them), and then establishing a recommended problem to solve that encompasses all the facts you have gathered. For example, the audit team will likely talk about the problem of fines and the resources needed to remain in compliance. The contracts team will likely talk about the risks brought about by outside companies (aka Third Parties), and the tech teams will likely talk about the immediate risks to the network, applications, or endpoints. Each team is looking at its own part of the enterprise risk, but are they all looking at one specific problem that aligns them? Typically not. So the solution is to name the one problem everyone is solving for and help them focus on it. In this case, that might be: critical data and systems at risk. Communicating one problem that everyone is solving for (risk to critical data or systems) has the benefit of pulling everyone together, instead of trying to manage each team from within its own view of the problem. Once everyone understands what the problem is (i.e., keeping critical data and systems secure), managing it becomes a much easier tactical activity.


Chapter 5: Manage the problem

- Guidelines up front: settle on one approach (i.e., a framework) that best fits the business

- The complication is that no one framework fits any one organization's risk profile perfectly

- The key is to pick a framework as a starting point and modify it to fit the organization