Cyber Risk is no board game – you need to know when to accept, mitigate, or transfer risk to a 3rd party

The risk landscape continues to evolve with each and every passing day. Yesterday’s secure platform has now become today’s weakest link. Every moment, your organization faces some degree of security risk. The boardroom is ultimately responsible for having an inherent understanding of the various risks to the organization, and therefore is challenged with determining the ideal strategies to address the risk. Once a threat or vulnerability becomes publicly known*, the fuse is lit; and business leaders need to be prepared to make prudent decisions to protect their organizations.

* You can’t always protect your organization against unknown threats, but the game changes once they’re known.

Is this just someone else’s problem, or could we be next?
Once a vulnerability is known, due diligence should be practiced to understand the risk and potential impact to the organization. Not all vulnerabilities are necessarily viable threats to your organization which means you need to ask some important questions:

• Could this logically happen or is it not applicable?
• If an attacker were able to capitalize on the threat, what is the worst-case scenario?
• What is the likelihood of that vulnerability being exploited?
• What is the ease of the exploit?
• What can be done to remediate this?
• Has it been used as a means to attack someone else?
• How critical is this threat and what is the optimal timeline to address it?

The CISO’s role (or whomever is responsible for security)
It is not your Information Security leader’s (InfoSec) responsibility to remediate risk, but to inform all applicable stakeholders so that they can make smart decisions. In addition to the questions above, your InfoSec leader should provide the business with the information it needs to make an educated risk-based decision to address the threat. From there, a strategy should be created to best remediate that risk.

An effective CISO or security leader will be able to explain cyber risk to the business in a way they understand (in business terms), not in technical or security terms; though they should be able to do this as well if the need arises or when it is time to address a technical audience. This is critical because the business is the ultimate decision maker as it pertains to addressing risk. 

The buck stops here – the board’s role
Executive boards can no longer bury their heads in the sand and claim that they were unaware of known risks. The stockholders, partners, clients, and general public expect that a reasonable amount of due diligence is applied towards analyzing and understanding risk. The board must review the information provided by the CISO/security lead to make sound mitigation decisions within a reasonable time frame.  Time frames to address risk will vary, based on risk level, complexity, and remediation/mitigation level of difficulty and cost.

Which path to take?
Assuming that a risk has been defined and vetted, the organization needs to determine the best course of action (or inaction) to remediate it. There are three paths to take: accept, mitigate, or transfer.

How do you determine which is the best course of action for your organization? To begin with, you should perform a cost-benefit analysis to measure the ‘cost’ associated with the perceived risk and compare it with the ‘cost’ of remediation.

Accept risk: This is known as the ‘do nothing alternative.’ Before taking this route, you must do your homework. While it is perfectly acceptable to accept risk, a diligent organization will perform an analysis to back their reasoning. For example, it doesn’t make sense to spend a million dollars to protect information that is worth $5.

Sometimes risk acceptance comes with a related time window. For example, many retailers go into their holiday freeze (meaning they don’t touch any systems or applications) for two to three months specifically to avoid any risk associated with changes, including patching. Therefore, if a vulnerability is introduced during this window, the retailer must review the risk and make a business decision about whether or not to remediate it. Sometimes the threat of applying the fix/patch, especially during peak season, may offset the risk associated with the actual vulnerability. Again, there is absolutely nothing wrong with accepting risk, but this process should include:

• Analyzing and documenting the risk
• Creating an audit trail that demonstrates due diligence
• Sign-off - This is a key point because it is the responsibility of the board and the organization to accept the risk

Mitigate the risk: The most straightforward means of addressing risk is to remediate or mitigate the actual vulnerability or risk. This may include implementing compensating controls to reduce the overall risk. Oftentimes, risk mitigation requires that an organization make changes to their ecosystems (patching, code fixes, etc.). However, there is a certain degree of risk associated with implementing those changes. Risk remediation should include the following:

• Cost-benefit analysis – determine if the perceived cost of implementing the solution offsets the perceived risk of accepting the risk.
• Change management controls – the organization should be prepared to address the risks associated with taking remediation actions and follow established change control procedures.
• Test changes/controls – all fixes should be vetted to ensure they are effective.

Transfer the risk: Sometimes it makes the most sense for an organization to transfer the risk to a third-party. This may involve the third-party taking on ‘mundane’ tasks such as security event monitoring or it could have them take on a more operational role such as managing and maintaining networks, systems, or applications. This option may be attractive to organizations that do not have the in-house expertise to address a particular risk or set of risks. However, in all cases, you have not completely absolved yourself of the risks in question when transferring to a third-party. In the end, its your organization and your risk.

Another option to consider is cyber risk insurance, which may reduce some costs associated with a breach (Note: you should be acutely aware of any fine-print in the policy, and you should be aware that insurance may not necessarily cover brand damage).

Due diligence would dictate that:

• You have a complete understanding of the third-party’s services and the lines of demarcation between your responsibilities and theirs.
• You vet the third-party before doing business with them to ensure you are confident that they will uphold their responsibilities to protect your enterprise.
• You periodically review your business model and relationship with the third-party to ensure that your risk management strategy is current and effective.
• You periodically vet your third-party provider to ensure they are maintaining their security posture/business for allowing you to transfer your risk.

It’s your move
You have several choices when it comes to managing risk. In order to choose the right one, you must analyze the risk, understand your business model, your technologies, and your employees’ skill sets. As a security leader, you must be able to articulate the potential impact of risk to your executive team in business terms. Matters of cyber risk can impact the sustainability of the business, and must be addressed at the board level. Accepting risk should be a choice, not an accident – are you confident that your organization has all the information necessary to make the right decisions about risk? Drop me a line and we can continue the conversation.

Learn more about Online Business Systems’ Risk, Security and Privacy practice by clicking here.