The future of security risk management
Can a typical corporate board member recognise a DNS record? Patch a device? How about spell Kubernetes?
It is fair to say that the board won’t be configuring company firewalls any time soon, but security is an increasing concern for them. Government research found that the number of FTSE350 board members who consider cyber risk to be of high importance tripled between 2013 and 2018. This change is far more likely to have increased stress and blood pressure than improved technical expertise at board level. The next wave of security technology should address the need for executive input by focusing on describing security as a business risk and providing Return on Investment (ROI) metrics to beleaguered board members.
So says the latest Forrester report, “The Top Security Technology Trends to Watch, 2019”, and we wholeheartedly agree with them. The report is well worth a read, particularly their prediction that tailored security dashboards will be developed to “transform budgeting from an art to a science.” As boards take a firmer grip on security, they will rightly expect their CISOs to provide quantitative data to justify their budgets. And these same CISOs will be eager to present their own achievements back in terms that the board can understand, the language of business risk.
What is security risk?
Security risk is the risk of financial loss, disruption or reputational damage to an organisation resulting from a failure in its data or physical security measures. It is different from other operational risks due to the volume, velocity and variety (3Vs) of data processed by the modern enterprise, as well as the complexity of the IT systems.
Until recently, security risk was addressed by organisations through the application of Governance, Risk and Compliance (GRC) software tools. These products introduced security teams to the concept of security as a form of business risk, rather than individual threats and vulnerabilities. They continue to provide capabilities relevant to security, but they are built for a world of qualitative risks and lack the analytical firepower to offer a comprehensive and continuous view of security risk for today’s data volumes and variety.
The arrival of security ratings services has made the concept of security risk more familiar. They offer a view of security risk built from data external to an organisation, shining a light on vendors and improving supply chain security. They added a necessary outside-in perspective, but they focus only on external data. Security ratings, like GRC software, are a crucial input into a single view of security risk, but they are not enough on their own. More data sources are needed, and their collection needs to be automated.
The risk partnership
The Forrester research argues that companies need a solution with customised inputs and a tailored dashboard to capture the wide range of security risks facing the modern enterprise.
As a prediction, we think this is too conservative.
It is not possible to accurately measure a company’s security risk just by modifying inputs and tweaking the visualisation. No two companies are alike, no matter how similar they seem. Business risks vary between companies, and this applies particularly to security risk.
Configuring a platform to measure a company’s unique security risk and gauge ROI requires a deep partnership between vendor and customer. Vendors need to walk in the customer’s shoes, get a feel for their culture and work environment, and align the measurement to their stated risk appetite. Accurate risk measurement also requires a continuous view of security data: it is no longer acceptable to show the board the company’s exposure from last week.
Boards can add real value when they are presented with security decisions framed in business risk, based on up to date data and adjusted for company specific risk appetite. Getting there is a lot easier than waiting for board members to become security experts, but it will take more than tailored dashboards. We can do better.