I went to this year’s RSA Conference in San Francisco with the intention of learning more about risk management, which led me to select sessions called “Advancing Information Risk Practices,” “How Infosec Maturity Models are Missing the Point,” and “How to Measure Anything in Cybersecurity Risk.” While I was intrigued by all of the presenters, it was Jack Jones who drew me in. All three of the sessions, even those not presented by him, centered on his body of work and/or examples that supported his thinking.
Knowing Jack About Security
Jack Jones has 30 years of experience in technology with 25 years in the information security and risk management arena. He provided the kind of presentation in “How Infosec Maturity Models are Missing the Point” that I was hoping to experience, discussing what risk management is really all about and some key considerations for assessing and managing risk. He also provided that “missing” element that is essential to addressing your company’s risk.
The consistent theme across the three presentations was taking a hard look at how you are managing and addressing risk and determining whether you are spending money intelligently. Bad risk management practices are actually worse than doing nothing, because they produce confident-looking answers that steer spending in the wrong direction. It comes down to the fact that some organizations aren’t asking the right questions and therefore aren’t allocating security resources appropriately.
How to Measure Anything in Cybersecurity Risk
Richard Seiersen’s (GM Cyber Security & Privacy, GE Healthcare) and Douglas Hubbard’s (CEO, Hubbard Decision Research) seminar – “How to Measure Anything in Cybersecurity Risk” – supported Jack Jones’ thoughts on how to assess and manage risk. They mirrored the point that if you don’t get risk management right, you are missing your opportunity to be effective. Seiersen and Hubbard picked up the questions Jones’ presentation left open by offering concrete approaches and tools for assessing and managing risk. Instead of a single risk score (the familiar “high/medium/low” or a number from 1 to 25), they suggested that risk be articulated as a probability distribution, drawn as a bell curve: a range of possible losses with likelihoods attached, rather than one point that hides how uncertain the estimate is.
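To make the “curve instead of a score” idea concrete, here is an added example (my own illustration, not code from the presenters or from the session). It follows the general shape of quantitative risk analysis: take a calibrated estimate of how likely an event is in a year and a 90% confidence interval for the loss if it happens, run a Monte Carlo simulation, and report the resulting distribution and loss-exceedance curve. The input figures (10% annual probability, $50k–$500k loss range) are constructed for the demonstration; the choice of a lognormal distribution for loss magnitude is my assumption, picked because loss magnitudes are right-skewed and bounded below by zero.

```python
"""Articulate one cyber risk as a loss distribution rather than a score.

Added illustration for this post; not the presenters' code or tooling.
Inputs (annual event probability, 90% CI for loss magnitude) are constructed
sample values, and the lognormal model for loss magnitude is an assumption.
"""
import math
import random
from typing import Dict, List, Tuple

Z90 = 1.645  # z-score bounding a two-sided 90% interval of a normal


def lognormal_params(lower: float, upper: float) -> Tuple[float, float]:
    """Convert a 90% CI [lower, upper] for loss magnitude into the (mu, sigma)
    of the lognormal distribution whose 5th and 95th percentiles equal them."""
    if not (0 < lower < upper):
        raise ValueError("need 0 < lower < upper")
    ln_lo, ln_hi = math.log(lower), math.log(upper)
    mu = (ln_lo + ln_hi) / 2
    sigma = (ln_hi - ln_lo) / (2 * Z90)
    return mu, sigma


def ci_bounds(mu: float, sigma: float) -> Tuple[float, float]:
    """Inverse of lognormal_params: the 5th/95th percentiles implied by (mu, sigma)."""
    return math.exp(mu - Z90 * sigma), math.exp(mu + Z90 * sigma)


def simulate_annual_loss(prob: float, lower: float, upper: float,
                         trials: int = 10_000, seed: int = 1) -> List[float]:
    """Monte Carlo: each trial is one simulated year. The event occurs with
    probability `prob`; if it does, the loss is drawn from the calibrated
    lognormal, otherwise the year's loss is zero."""
    if not (0 <= prob <= 1):
        raise ValueError("prob must be a probability")
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mu, sigma = lognormal_params(lower, upper)
    losses = []
    for _ in range(trials):
        if rng.random() < prob:
            losses.append(rng.lognormvariate(mu, sigma))
        else:
            losses.append(0.0)
    return losses


def summarize(losses: List[float]) -> Dict[str, float]:
    """Point summaries of the simulated distribution (mean and percentiles)."""
    s = sorted(losses)
    n = len(s)

    def pct(p: float) -> float:
        return s[min(n - 1, int(p * n))]

    return {"mean": sum(s) / n, "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95)}


def loss_exceedance(losses: List[float], thresholds: List[float]) -> Dict[float, float]:
    """Loss-exceedance curve: for each threshold, the fraction of simulated
    years whose loss exceeds it. This is the 'curve' a decision maker can
    compare against risk tolerance ('no more than 5% chance of losing > $X')."""
    n = len(losses)
    return {t: sum(1 for x in losses if x > t) / n for t in thresholds}


if __name__ == "__main__":
    # Constructed sample input: 10% chance per year, loss $50k-$500k if it happens.
    losses = simulate_annual_loss(prob=0.10, lower=50_000, upper=500_000)
    print("summary:", {k: round(v) for k, v in summarize(losses).items()})
    curve = loss_exceedance(losses, [0, 100_000, 250_000, 500_000, 1_000_000])
    for threshold, frac in curve.items():
        print(f"P(loss > ${threshold:>9,}) = {frac:.3f}")
```

The output worth showing a decision maker is the exceedance curve, not the mean: two risks with the same mean annual loss can have very different tails, and a single score cannot express that. The same machinery extends to a portfolio by summing per-year losses across several simulated risks before summarizing.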
Death by 800 Questions
The seminar “Advancing Information Risk Practice” addressed how risk is assessed and articulated across companies, with a breakout session titled “Third Party Risk Assessment: Death by 800 Questions.” This session suggested that perhaps 16 good questions could be just as effective as the 1,600 questions sometimes asked to assess the risk of a company’s third party suppliers. The onerous nature of completing these assessment questionnaires burns up precious resource cycles on both sides and distracts from the mission – namely, cybersecurity.
A cheetah doesn’t need to do DNA analysis to decide which wildebeest to go after next, and it doesn’t need to take blood samples to find the weakest of the herd. Ideally, organizations would first consider how a particular third party fits into their ecosystem (what data it holds, what access it has, how critical it is to operations) and then look for a few targeted key indicators to decide whether more information is needed to assess the risk. That said, the question on some people’s minds was why more companies aren’t taking a closer look and getting smarter about how they assess the risk of their third party providers.
What’s your biggest Cybersecurity Risk?
Your biggest risk is how you’re assessing and managing risk. Each seminar addressed the obstacles that stand in the way of gauging and assessing risk – some of which are necessary, but many of which are excessive. Risk professionals should take a closer look at how they assess and manage risk within their own organization and in working with their partners and supply chain. Honing risk management practices will help ensure the best use of resources, time, money, and energy.