When the consultants start repeating it, it must be true….
Risk management for companies has been around since the creation of insurance in the 18th century, and cyber security has existed since computers were first password-protected in the 1960s. But cyber risk management is a more recent innovation.
It is recently that early adopters have started to apply quantitative methodology to cyber risk management problems with rigour. The approach is starting to catch on, moving beyond a core group of technical innovators towards adoption by the broader business community.
Over the last year several management consultancies have begun advocating for components of cyber risk management. These companies act as a bellwether for contemporary corporate strategy, so it is a reassuring to see them taking steps towards establishing cyber risk management as common practice, even if they still have some way to go. Let’s take a look at some examples:
- BCG recommends that organisations quantify their risk appetite, the first step towards building defences based on measurable risk
- PwC highlights the value of applying a methodology (NIST CSF) focused on risk to security decisions
- Deloitte encourages companies to conduct asset inventories and prioritise investment in protecting “crown jewels”
- EY recommends embedding risk and compliance functions within product and security to improve overall cyber resilience
These are all useful tactics, but in isolation they are still a far cry from cyber risk management. It is almost as if a company would need some consultants to turn these into a coherent strategy.
A promising effort
The latest publication from McKinsey come the closest to offering a playbook for cyber risk management. The firm rejects “maturity-based” approaches to building cyber defences, where every conceivable tool, team and technique is slowly added, hoovering up budget and time while treating every asset as being of equal importance. Investing indiscriminately like this leads to waste and bureaucracy that hamstring even generous security budgets. Companies that prioritise their investment to protect their most valuable assets perform better regardless of the threat landscape or security tactics.
The authors call for companies to prioritise spending allocation based on return on investment, and to map their enterprise risk ecosystem across the organisation. Again, full marks for proposing a rigorous system that allows for a quantitative, risk-based approach. Coupling this with a cyber risk appetite that is defined at board level and rigorously implemented creates a necessary foundation to implement cyber risk management.
From Theory to Implementation
The article presents the case for moving from security by maturity to a risk-based approach, but it does not address some of the necessary steps for this to happen. Fundamental to this is the capability to quantify risks on a continuous basis. Quantifying risks before, during and after cyber investment is the only way to accurately measure ROI, which is at the heart of a risk-based approach to cybersecurity. Anything less than this is just a different variation of the maturity approach.
The article also slips up by recommending the use of a risk grid. While the authors’ cyber expertise is apparent, this was compromised by an approach that simplifies the process to the point of obscuring the data. The grid presents impact and likelihood scores with qualitative factors in a matrix to map against risk appetite.
The result is a semi-quantitative risk analysis, which offers a sense of completeness and correctness that is completely divorced from the underlying factors. David Vose gives a detailed description of why this is a bad idea here, but, in short, the value it offers is more false sense of security than calibrated cyber risk management. More importantly, it prevents us from finding the measurable ROI that is needed by the very executives these consultancy firms are targeting as an audience.
Inflection point for cyber risk management
Like many of our favourite bands, there is a danger that as cyber risk management enters the mainstream it will dilute the values that make it meaningful. This could mean embracing risk scoring based on semi-quantitative metrics, or applying a veneer of risk jargon to maturity-based programmes that ultimately amount to box ticking. Maintaining the status quo is easier than challenging it; overworked and understaffed security teams can more easily reclaim a work-life balance when they must only populate a cyber risk RAG or subjective scale diagram. It takes a lot more thought to build quantitative frameworks and implement a system for communicating these results to senior management, but the extra effort is worth it.
We expect cyber risk management to continue its growth and adoption, but not everything that uses that name will have earned the right.