Managing cyber risk
If you’re a leader in the cybersecurity field, then you’ve likely been here…
It’s your moment to shine. You only get a handful of opportunities to have the Board’s full attention each year, so you’ve spent the past few days labouring over every part of your presentation. It succinctly lays out a cybersecurity strategy that you and your peers have devised for the 24 months ahead, a strategy that takes into account the organisation’s broader business strategy, any emergent issues you’ve seen over the past 12 months, and the changing threat landscape – damn cyber-criminals, did they not get the memo that they need to slow down and let industry catch up!
You step into the board room having rehearsed your presentation over and over – every detail is seared into your retinas. You lay down the plan and walk them through how the organisation is going to address its biggest hurdles – generative AI, a tightening regulatory regime, and changing societal expectations around information privacy. The Board seems impressed, you’re seeing thoughtful nods, and the questions are simply an extension of the conversation you’ve already had – it looks like you’ve nailed this!
Your job is done, you start to rise from your chair… “One last question, Ryan… given some of the cyber attacks that have made news headlines recently, security is top of mind for the Board at the moment. Before you leave, can you briefly share how you are managing risk?”
The mind reels… there are many facets to this question, each with multiple layers and each with more nuance than one can distil in a minute. This, dear reader – articulating how an organisation manages risk – is a question that causes unease.
This post is a waypoint in my life’s journey – in a couple of years’ time I will be interested to see how my thinking has changed.
All roads lead to one
Along with wanting to know ‘what are our risks, what are we doing about them, and how do we know that’s enough’, what I think the Board is trying to get a feel for in asking this question is: a) do you have a sustainable risk management practice, and b) are we confident that you can oversee it?
I once thought that managing cyber risk was all about technology. On its surface, it seems intuitive that it would be. An organisation’s technology is the thing that is usually being attacked, so it stands to reason that by throwing more security-orientated technology at the problem we can tip the scales in our favour, right? Something about fighting fire with fire.
That process – as much as vendors will tell you otherwise – will not get you very far.
Manage risk by managing culture
Experience has taught me that if you want to manage risk, then you need to manage culture. It’s not an easy answer – an organisation’s culture is bigger than any one person, takes time to change, and never settles – it needs the constant attention of every single employee.
However, what is clear to me is that culture is the single biggest precursor for whether an organisation will remain resilient in the face of change. Get the culture right, and almost everything else will fall into place. In my view, this means the best cybersecurity strategy sucks if no one is going to put their back into it. With the right culture settings, a highly engaged employee does more of the little things, more of the time, and when you multiply by an entire organisation, you create a place where people will do work they are proud of, be curious about things that could be done better, and go beyond what their role would typically call for.
Culture first, then people, policy, and technology
It’s commonly said that people, process, and technology – in that order – are how you manage cyber risk. That’s right, it’s just that culture is the flower bed in which these aspects grow. As any gardener will tell you: if your soil isn’t right, then cultivating a world-class flower garden is going to be a walk down struggle street.
People
A feedback loop exists between people and culture, and it can be either positive or negative. A great culture will attract great people – people who are highly motivated – but great people are also what’s needed for an organisation to have a great culture. Additionally, culture isn’t something you focus on for a short period of time and then move on from. Like balancing a broom upside down in the palm of your hand, it takes constant effort to keep your organisation’s culture moving in the right direction so that your colleagues can thrive.
As a security professional, it’s not just about securing technology. The way you act, your interactions with folk, and the way you lead all feed into this culture, so be the kind of person that your colleagues, your executive team, and your Board need – a superhero who can bridge the gap between the technical and non-technical worlds! Technology is a great enabler in an artisan’s hands.
Process
Processes, standards, frameworks, and policies – there are a tonne of examples in the cybersecurity field. But the one thing that each of these examples will miss is the thing that makes your organisation unique – its culture. Your organisation’s culture defines how your people work and the guardrails you put in place. Don’t underestimate how much influence policies and standards have in setting the culture.
As a security professional, you want your colleagues to succeed and your organisation to be (cyber) resilient. I’ll be blunt: you won’t achieve this with heavy-handed, dry, and long-winded policies. No amount of culture can get folks to buy into such extremes – yet we see them all the time! People want autonomy, they want flexibility, and they want to be able to work safely and efficiently.
Your policies should reflect this. Go the extra mile to understand your business and strike the right balance between usability, security, and accountability.
Technology
Forewarning, over your career you are going to be bombarded by vendors and their (very) slick sales presentations. Security vendors are going to sing praises about their product and how your organisation is in great peril without it. In short, you’re going to be made to feel inadequate that your chequebook cannot accommodate it all.
And it’s alright to feel inadequate – technology is inherently a people-centric thing. People build technology to solve other people’s problems. People will buy that technology, some people will configure it for our people to use, and finally, some people will support that technology over its lifetime.
Just don’t forget to ask yourself, what’s the problem being solved, and is that problem one best solved by technology?
Technology is a great enabler, and with the sheer volume of cloud services one click of the mouse away, too often I see it being presented as the first and “best” solution to an organisation’s problems. Your job as a security professional is to cut through the FUD and ask whether this technology meaningfully reduces risk and helps our business move forward, or whether we are just jumping to band-aid a bigger problem.
Remember, everything comes at a cost. It’s about making the right tradeoffs.
Wrapping it up
Managing organisational cybersecurity risk is a multi-faceted, multi-layered challenge that, much like balancing a broomstick, needs buy-in from across the entire business.
It’s not good enough to title someone CISO and believe the job is done; it needs motivated people who lean into embedding this practice into every facet of their job until it’s second nature.
Call it what you will, but to me, this requires getting the organisation’s culture right – something we all play a part in.