CPS 234 – Ensure Compliance through trust

By Denny Wan and Rizwan Mahmood

Synopsis

The Prudential Standard CPS 234 compels the board of a regulated entity to ensure that its information security capability is commensurate with the size and extent of threats to its information assets. The paper titled “CPS 234: Will you comply?” argues that CPS 234 represents a paradigm shift in regulatory approach from compliance-based to risk-based. This change makes cyber risk a business problem. It is no longer sufficient simply to ensure that proper cybersecurity programs are in place in accordance with Prudential Practice Guide CPG 234. CPS 234 demands proportionality in the effort.

The key to success in this effort is building genuine consensus on the extent of the cyber threat and on an appropriate protection regime, including, where appropriate, insurance coverage. This paper extends the previous paper to examine the organisational culture change required to support this paradigm shift. The notion that “cyber risk is a business problem” is often dismissed as a cliché, ignoring the fact that cybersecurity is everyone’s responsibility. Adding insult to injury, a technology-based approach designed without consideration for cultural fit can actually create resentment and arouse suspicion. Given the current debates across the broader community on mandatory encryption back-doors, surveillance and censorship, a misguided cyber security policy framework and implementation program could be misinterpreted as merely a cover for authoritarian controls or “Big Brother”. This is where the board needs help from each member of the organisation to contribute their own risk posture and roll it up into the organisational cyber risk posture. In so doing, each individual has the opportunity and the obligation to review their risk processes and improve organisation-wide cyber resilience.

In other words, each individual must be educated about their rights to access the information required for their job and must understand their responsibility to protect the information entrusted to them. People do make mistakes. There also needs to be an organisation-wide, non-intrusive monitoring system in place to ensure that potential breaches of IT security controls are detected and mitigated appropriately. These are the principles of the People-Centric Security model pioneered by Tom Scholtz and presented in his paper “Kill Off Security Controls to Reduce Risk”[1]. The monitoring technology and associated compensating controls, such as a Digital Rights Management (DRM) platform, should be sourced from a vendor with a demonstrable track record of delivering full transparency in their technology. The collaboration model is depicted below:

[Image: collaboration model diagram]

People-Centric Security

The People-Centric Security (PCS) approach recognises that the cyber risk management process, like the Human Resource (HR) management process, must be managed at the front line of the risk processes. HR matters such as performance and personal concerns should be handled between the individual and their immediate supervisor. Guidance and advice can be sought from the HR team where appropriate, for example on industry pay ranges and job classifications. Similarly, cyber risk issues should be discussed between the individual, their co-workers and their immediate supervisor.

The recent conviction and sentencing of Hal Martin for hoarding 50 terabytes of data, which included sensitive NSA policies and cyber operations, is a stark reminder of the extent of the information security management challenge. Martin’s defence team noted during sentencing that “… it is clear that Mr. Martin had no intention to harm his country or the intelligence agencies he served … His actions were the product of mental illness. Not treason …”. This was a tragic end to Martin’s 20-year career serving these agencies.

The above example highlights the importance of educating users about their rights to access the information required for their jobs and their responsibility to protect the information entrusted to them. It would be safe to assume that these agencies did not skimp on their information protection technology or training. Some might, perhaps, argue that Martin had been given too much trust and access. Whatever the situation was, we may never know, as the case is now closed and details are scant. While we do not want to trivialise the case, it would be reasonable to expect that a strong, decentralised DRM culture, in which information owners share responsibility for the security of their data, might have limited some of the alleged damage. DRM limits access to the information in the “stolen” files by unauthorised parties.

In summary, achieving the vision of PCS[2] requires strong leadership from the board level down to effect cultural change. An important tenet in the above diagram is the need for monitoring. While education is a key enabler, monitoring is a safety net that picks up security gaps[3] caused by human error and technology limitations. These are important foundation stones for a scalable and sustainable CPS 234 Readiness Program.

Proportionality guided by Risk Appetite

Measuring whether the effort is proportionate to the cyber risk exposure requires quantifying the targeted risks. But, according to Jack Jones (author of the Open Group FAIR Cyber Risk Quantification Framework), this journey should begin by examining the organisation’s Risk Appetite statements, to gain insight into what the business expects from its cyber risk assurance. He spoke on “Approach to Risk Appetite – Draw a Line in the Sand” at the recent RSA Security Conference. Dan Raywood’s article for Infosecurity Magazine, “How to Get and Maintain Your Risk Appetite”, summarised Jack’s arguments for the need to create a risk appetite, and how to identify what you need a risk appetite for.

[Image: risk appetite illustration]

Source: Infosecurity Magazine, “How to Get and Maintain Your Risk Appetite”

‘Risk Appetite’ is defined in ISO Guide 73:2009 Risk management – Vocabulary. It is the amount and type of risk that an organisation is willing to pursue or retain. The phrase ‘risk appetite’ is used by many organisations and is frequently described in the annual reports and accounts of a wide range of organisations.

Moreover, quantifying cyber risk can be a difficult and frustrating process at the best of times, due to the rapidly evolving nature of cyber attacks and the hyper-connected nature of modern IT infrastructure. These challenges are discussed in the paper titled “APRA CPS 234 readiness in the cloud”. Part of the problem is the propensity to express risk measurements as a heat map on an ordinal scale of high/medium/low risk, sometimes with sub-categories. Ordinal scales are prone to inconsistent interpretation. In the context of cyber risk measurement, different stakeholders can interpret the same ordinal scale reading very differently depending on their business objectives, as depicted below:

[Image: the same heat map interpreted differently by technical and business leaders]

In the above diagram, a cyber risk assessment expressed as a heat map can cause confusion in the prioritisation of the cyber budget for remediating the identified issues. Technical leaders (CISO/IT manager) are likely to favour a technology solution, which could take longer and cost more to implement. Business leaders (CEO/CFO) might not appreciate the significance of improvements that do not deliver short-term relief from regulatory fines, customer dissatisfaction and reputational damage. This is the common appeal of “magical” cloud solutions, which effectively outsource these cyber risk problems to the cloud providers. No doubt cloud-based solutions offer many benefits, but they should be considered in the context of a consensual process.

Cyber risk quantification as a consensual process

The Open Group Factor Analysis of Information Risk (FAIR) Cyber Risk Quantification framework is a time-tested, community-based effort to develop such a structured approach. The Open Group has published the standard since 2009 and subjected it to scrutiny by the global Open Group community. The main business value of the FAIR approach is that it enables cyber risk practitioners to communicate cyber risk measurements in business language, such as the Return on Investment (ROI) of cybersecurity management initiatives. Importantly, the impacts of cyber incidents are expressed as Loss Exceedance Curves (LE curves). Unifying communication around a common business language reduces the potential for confusion and creates consensus among stakeholders. This transformation is depicted below:

[Image: transformation from heat map to Loss Exceedance Curves]

LE curves are a natural way to communicate most business risks, such as credit or market risk. These classes of enterprise risk have a long tradition of modelling with well-established risk models that focus on the potential loss arising from expected threats such as the economic cycle. However, cyber risk analysis tends to focus on the threat itself, such as cyber kill chains and vulnerability assessment. There has so far been very limited effort to quantify the business impact of cyber risk.

FAIR is not a risk assessment framework. It is a language, expressed as a taxonomy. It helps practitioners break down their risk scenarios and empowers them to explain the assumptions, data sources and analysis methodology behind their loss estimates. The FAIR taxonomy is depicted below:

[Image: FAIR taxonomy]

Unlike prescriptive risk assessment frameworks such as ISO 27000 and NIST CSF, FAIR does not tell the practitioner the “right answers”. It helps them develop their own “right answers” and explain them to others, in order to create consensus.
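The two points made above, that a heat map on an ordinal scale reads differently to different stakeholders and that FAIR decomposes a scenario into frequency and magnitude factors that roll up into a Loss Exceedance curve, can be shown concretely. The following Python script is an illustration added here; it is not the Open Group FAIR standard’s own method or reference implementation, and it is not code from the article. It uses the FAIR terms Threat Event Frequency, Vulnerability, Loss Event Frequency and Loss Magnitude, but the triangular distributions, the Poisson event count, the two stakeholder scales and every input value are assumptions constructed for the example.

```python
"""Added illustration: a simplified FAIR-style Monte Carlo simulation that turns a
risk scenario into Loss Exceedance (LE) curve points, plus a small demonstration of
why the same dollar figure lands in different heat-map buckets for different
stakeholders. Not the FAIR standard's reference method; all inputs are constructed."""
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    # Threat Event Frequency (TEF): attempts per year, as (min, most likely, max)
    tef: tuple
    # Vulnerability: probability an attempt becomes a loss event, as (min, most likely, max)
    vulnerability: tuple
    # Loss Magnitude (LM) per loss event in dollars, as (min, most likely, max)
    loss_magnitude: tuple


def sample_range(rng, bounds):
    """Draw from a triangular distribution given (min, mode, max).
    random.triangular takes (low, high, mode), so the order is rearranged."""
    low, mode, high = bounds
    return rng.triangular(low, high, mode)


def poisson(rate, rng):
    """Number of loss events in one year for an average rate (Knuth's algorithm,
    adequate for the small rates used here)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenario, years=10_000, seed=1):
    """One Monte Carlo trial per simulated year; returns the list of annual loss totals."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        # FAIR decomposition: Loss Event Frequency (LEF) = TEF x Vulnerability
        lef = sample_range(rng, scenario.tef) * sample_range(rng, scenario.vulnerability)
        events = poisson(lef, rng)
        annual.append(sum(sample_range(rng, scenario.loss_magnitude) for _ in range(events)))
    return annual


def loss_exceedance(annual_losses, thresholds):
    """LE curve points: probability that a year's total loss is at least each threshold."""
    n = len(annual_losses)
    return {t: sum(1 for loss in annual_losses if loss >= t) / n for t in thresholds}


def expected_annual_loss(annual_losses):
    return sum(annual_losses) / len(annual_losses)


# Two constructed ordinal scales as (label, exclusive upper bound in dollars).
# A technical leader and a finance leader rarely share one scale: the heat-map problem.
CISO_SCALE = [("low", 50_000), ("medium", 250_000), ("high", math.inf)]
CFO_SCALE = [("low", 500_000), ("medium", 5_000_000), ("high", math.inf)]


def ordinal_rating(loss, scale):
    """Map a dollar figure onto a high/medium/low scale."""
    for label, upper in scale:
        if loss < upper:
            return label
    return scale[-1][0]


if __name__ == "__main__":
    scenario = Scenario(
        name="Phishing leading to misuse of a privileged account (constructed)",
        tef=(2, 10, 40),
        vulnerability=(0.02, 0.1, 0.3),
        loss_magnitude=(20_000, 150_000, 2_000_000),
    )
    losses = simulate_annual_losses(scenario)
    eal = expected_annual_loss(losses)
    print(f"{scenario.name}: expected annual loss ${eal:,.0f}")
    print(f"  CISO scale rates it {ordinal_rating(eal, CISO_SCALE)}, "
          f"CFO scale rates it {ordinal_rating(eal, CFO_SCALE)}")
    for threshold, prob in loss_exceedance(losses, [100_000, 500_000, 1_000_000, 5_000_000]).items():
        print(f"  P(annual loss >= ${threshold:>9,}) = {prob:.1%}")
```

The exceedance probabilities are the points a practitioner would plot as the LE curve, and the table of assumptions in the `Scenario` is exactly what FAIR asks them to expose and defend. The same expected annual loss rated “high” on one scale and “medium” on the other is the ordinal confusion the article describes; the dollar figure and the exceedance probabilities carry no such ambiguity.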

It is a team effort

In conclusion, cyber risk management must be a team effort. It is not sufficient to delegate such responsibilities to someone else through organisational structure, job roles or supplier arrangements. CPS 234 has made this expectation clear, starting at the board level. Naturally, it would not be reasonable to expect the board alone to be in a position to answer whether the organisation’s information security capability is commensurate with the size and extent of threats to its information assets. What the board needs is the cooperation of each individual in the organisation in taking personal responsibility within their own cyber risk management process. It could be as simple as making sure passwords are changed regularly and not reused across systems. This latter approach embodies the principles of People-Centric Security. It is a team effort!

[1] Tom Scholtz, Gartner (2012). Maverick* Research: Kill Off Security Controls to Reduce Risk (https://www.gartner.com/doc/2156018/maverick-research-kill-security-controls)

[2] E-Safe Compliance whitepaper (https://www.e-safecompliance.com/resources/Whitepapers/TIME%20FOR%20A%20RETHINK%20-%20SECURITY%20HAS%20FAILED%20TO%20EVOLVE%20BASED%20ON%20USER%20ROLES%20AND%20RESPONSIBILITIES%20v%202.0.pdf)

[3] Security Gaps Covered By E-Safe Compliance Not Addressed By Other Security Products (https://www.e-safecompliance.com/resources-1/security-gaps-covered-e-safe-compliance/)

Find the original article here: https://www.linkedin.com/pulse/cps-234-ensure-compliance-through-trust-denny-wan/