Strategy eats Controls for breakfast

By Denny Wan, Michael Collins and Wilson Chiu

The “Five Knows of Cyber Security” represents a significant shift in focus – from a technology discussion to one where senior management can engage in and contribute to the effective management of cyber security risk. The challenge and opportunity for the cyber security team is to effectively communicate these important messages to senior management and the board. The objective is to make the Board aware of the cyber risk exposure so they can fulfil their governance obligations and make informed decisions. These communications should focus on strategy to direct execution by implementing cost effective security controls. Our recent article “Building an APRA CPS 234 compliance template” presented a roadmap quantifying risk appetite to endorse a security strategy to enable consumption of “good risks” to deliver growth, profitability and innovation under approved business strategies. This article is the next step of this journey to effectively map cyber security controls into business strategies using the Open Group FAIR cyber risk quantification methodology. It includes practical steps to communicate the business impact and benefits to senior management and the board to secure their support.

In the recent CyBSA 2019 Cyber Breach Simulation Australia event, hosted by the Optus Macquarie University Cyber Security Hub, APRA Member Geoff Summerhayes explained in his keynote how APRA Prudential Standard CPS 234 sets the floor on the baseline metrics for cyber resilience with an “assumed breach” mentality. This mindset demands an enterprise-wide focus on building cyber resilience against attacks through detection and response capability rather than relying solely on preventative measures. The CPS 234 standard on Information Security aims to ensure that an APRA-regulated entity takes measures to be resilient against information security incidents (including cyber-attacks) by maintaining an information security capability commensurate with its information security vulnerabilities and threats.

The Australian Institute of Company Directors offers guidance on preparing a Board Paper with a sample template. The role of a board paper is to give senior executives the information that facilitates discussion and decision making in board meetings. Corporations Act 2001 s 180 imposes a statutory duty of care on directors to have read the board papers so they can contribute effectively to board meetings. The sample board paper template describes each issue according to its strategic and financial implications, supported by risk analysis. Having comprehensive and cohesive data on cyber risk is therefore important, as it will in turn be presented in these Board papers. The paper is also retained as an official record should an organisation come under scrutiny by a regulator for negligence or failure to protect customers against cyber risk.

Presenting to the board

The art of presenting to the board is to focus on strategy and governance oversight, including cyber risk. Business strategy should therefore be the overriding factor in determining controls, rather than blind alignment to a control framework. The communication style should match the board’s maturity in its understanding of cyber risks. The “5 Knows of Security” is a powerful conceptual model because of its simplicity, which is why it is widely recognised by senior executives: it helps them understand the problem. It provides a focus for the development of security strategies. In turn, the statistical measurements in CPG234 Appendix H summarise the effectiveness of the security controls to inform the refinement of the underpinning strategies.

For far too long risks associated with cyber security have been communicated through the use of technical jargon, heavily biased to the downside impacts to the business, and often reliant on the use of fear, uncertainty and doubt as a tactic to create support for a decision. Information Security leaders relying on these tactics to get attention for funding need to realise that despite their best efforts they may still be relegated down the list of priorities until they can more effectively communicate with decision makers.

In today’s dynamic business environment senior management, and especially boards of directors, are wrestling with several sources of risk that may impact their ability to deliver on strategic objectives. An NACD Public Company Governance Survey showed that, whilst changing cyber security threats ranked #4 on the list of trends having the greatest effect on companies over the next 12 months [1], 61% of directors reported that they would be willing to compromise on cybersecurity to achieve business objectives, while 28% prioritise cybersecurity above all else [2]. What would be interesting to understand is what information those decisions are based on, and whether the directors would still make the same decisions if the information were presented in a more compelling manner.

The challenge for many security leaders is that the board’s understanding of cyber security will vary from board to board based on industry, and even between individual board members depending on their core expertise. As with any successful engagement strategy, your challenge is to meet them where they are. And as with understanding any customer need, you may have to take a test-and-learn approach, experimenting with different formats to find the one that resonates the most. Remain cognisant of the fact that your proposition may not be the most important thing on their minds at that time, and that it will take a lot of convincing to make it amongst the top priorities.

Additional insights from the NACD survey showed that the majority of directors seek to improve core oversight activities over the next year in the areas of strategy execution (63%), strategy development (61%), and cybersecurity (60%). Yet, more than 70% of directors believe they already spend enough meeting time on each of these topics. With time at a premium an opportunity exists for leaders to provide actionable information, supported by quantitative analysis, to allow them to make decisions in an efficient and informed manner without the need to translate technical jargon.

Norman Marks in his book ‘Making Business Sense of Technology Risk’ proposes that “the question of whether technology-related risks are being managed adequately should be answered in business terms. The answers can only be found when technology related risks are discussed in the language of the business”.

Whilst the operational metrics suggested earlier would likely be too technical for a typical board member they can be valuable in providing inputs into a cyber risk quantification model such as FAIR to derive the kinds of information that boards are accustomed to seeing in other functional areas of the business such as Finance. Boards are constantly being made aware of risk to strategic objectives with regards to financial performance and fiduciary responsibilities and so financial concepts such as solvency are well understood. Understanding of a balance sheet, cash flow and profit and loss are fundamental skills required in order to understand what to look for and to know what questions to ask of management regarding the fiscal health of the organisation.

The use of ratios to analyse an organisation’s financial performance is commonplace in many industries. Ratios such as liquidity ratios assess an organisation’s ability to pay its debts. These indicators provide the actionable information the Board needs to make informed and intelligent decisions, allow it to decide whether a deeper dive is required, and avoid drowning it in unnecessary detail. Providing summary-level information in this form lets the board spend its time reviewing useful information rather than calculating and assessing each ratio individually. Additionally, these metrics can be used for trending purposes: longer-term trends provide a level of comfort that management is responding appropriately to the changing environment.

Therefore, the opportunity to translate “cybersecurity risk” using concepts similar to financial ratios should not be lost on cyber security professionals if they wish to be accepted as a voice of reason in the strategic decision-making process.

Ultimately what is needed is a method by which decision makers can effectively decide what action needs to be taken based on an evaluation of the value to the business of changing this level of risk vs. investing elsewhere. Every dollar spent on security is one less dollar spent on other key strategic initiatives.

Mapping “5 Knows of Cyber Security” to FAIR Factors

The principles in the “5 knows of cyber security” recognise cyber risk as an important business risk issue. It is a human and organisational culture issue and not just a technical problem. It is not a problem induced and solved by technology alone, and it demands leadership attention. In an interview on the release of the paper, Mike Burgess (former Telstra CISO) said “..cyber security is not solely an espionage problem. In fact, the espionage piece is a relatively small but significant piece of the cyber landscape.”

“.. cyber security is not solely an espionage problem.”

The FAIR framework is a powerful method to break a cyber risk scenario down into the “5 Knows”, depicted below:

[Figure: a cyber risk scenario broken down into the “5 Knows”]

The FAIR framework is shown below as a reference:

[Figure: The Open Group FAIR framework. Source: The FAIR Institute]

Know the value of your data

The instruction is to know the value of the data for the organisation and its customers, but also its value to those who may wish to steal it. While this valuation is important background information on the issue discussed in the board paper, an estimate of the Loss Magnitude might be more useful for the purpose of cyber risk disclosure. This number is of most concern to the Board and senior management, as most are financially savvy and there have been many examples in publicised breaches. The estimate can inform capital management strategy to build a buffer against the expected financial loss when the risk materialises. Insurance policy requirements can be projected from this estimate, reflecting the risk appetite for self-insurance. It also indicates the investment and resources needed to minimise the loss magnitude. This strategy is discussed in the paper “A FAIR based cyber insurance claim”.

Know who has access to your data

The instruction is to know who has access both within the organisation and externally, such as who holds ‘super user’ admin rights in the organisation and within its trusted partners and vendors. Knowing the profile of the people and processes with access to the data asset informs the “Probability of Action” against the asset. As Mike explained, espionage is a relatively small but significant piece of the cyber landscape. But a bias toward extreme forms of attack such as espionage can obscure the focus on basic preventative security measures. Unfortunately this is an area that is not well managed by many organisations, due to people, process and technology issues. The Board must have good visibility of the exposure and demand tangible action if existing controls are ineffective.

Know where your data is

The instruction is to know where your data is stored. This is also a requirement under CPS234 information asset identification and classification. Is it with a service provider? Have they provided your data to other fourth and fifth parties? Is it onshore, offshore or in a cloud? Knowing where data is stored informs policies on data sovereignty, privacy protection, access control, backup recovery and data resilience. The Contact Frequency analysis in the FAIR methodology can provide some clarity on this complex topic.

Know who is protecting your data

The instruction is to know who is protecting your valuable data. What operational security processes are in place? Where are they? Can you contact them if you need to? The shift of the global economy and cloud computing towards complex supply chains adds significant complexity to this analysis. Knowing where the data is provides a context and framework for this analysis. Unfortunately, such awareness does not automatically translate into identifying who is responsible for protecting the data, because of supply contract and geo-political boundary constraints. The “Threat Capability” modelling process in the FAIR methodology is a useful conceptual tool to identify the custodian of the protected data set and the objective of their defence capabilities.

Know how well your data is protected

The instruction is to know what your security professionals are doing to protect your data 24/7. Is your data being adequately protected by the employees, business partners and third-party vendors who have access to it? The “Resistance Strength” modelling process in the FAIR methodology estimates the cost effectiveness of the proposed security controls against the current state. It enables the calculation of Return on Security Investment (ROSI) to compare alternative control options. This approach is discussed in the paper “Targeting cyber security investment – the FAIR approach”.
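As an added illustration (not code from the original article, the FAIR Institute or any FAIR tooling), the following Python script carries the five factors named above through the FAIR relationships: Contact Frequency times Probability of Action gives Threat Event Frequency, Vulnerability is the chance that Threat Capability exceeds Resistance Strength, and Loss Event Frequency times Loss Magnitude gives the annualised loss exposure; it then compares two candidate control options by ROSI. Every parameter value and option name is constructed for illustration, and Threat Capability is assumed to be uniformly distributed over a percentile range.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    """Point estimates for one FAIR risk scenario (all values constructed)."""
    contact_frequency: float      # threat contacts with the asset per year
    probability_of_action: float  # share of contacts where the threat acts (0..1)
    tcap_low: float               # threat capability range on a 0..100 percentile scale
    tcap_high: float
    resistance_strength: float    # control strength on the same percentile scale
    loss_magnitude: float         # expected loss per loss event, in dollars

def vulnerability(s: Scenario) -> float:
    """P(threat capability > resistance strength), capability uniform on [low, high]."""
    if s.resistance_strength >= s.tcap_high:
        return 0.0
    if s.resistance_strength <= s.tcap_low:
        return 1.0
    return (s.tcap_high - s.resistance_strength) / (s.tcap_high - s.tcap_low)

def loss_event_frequency(s: Scenario) -> float:
    """Threat Event Frequency (contacts x probability of action) x Vulnerability."""
    return s.contact_frequency * s.probability_of_action * vulnerability(s)

def annualised_loss_exposure(s: Scenario) -> float:
    return loss_event_frequency(s) * s.loss_magnitude

def rosi(current: Scenario, improved: Scenario, annual_control_cost: float) -> float:
    """Return on Security Investment: loss avoided net of cost, per dollar of cost."""
    avoided = annualised_loss_exposure(current) - annualised_loss_exposure(improved)
    return (avoided - annual_control_cost) / annual_control_cost

def rank_options(current: Scenario, options: dict) -> list:
    """options maps option name -> (new resistance strength, annual cost).
    Returns (name, rosi, residual exposure) tuples, best ROSI first."""
    ranked = []
    for name, (strength, cost) in options.items():
        improved = replace(current, resistance_strength=strength)
        ranked.append((name, rosi(current, improved, cost), annualised_loss_exposure(improved)))
    return sorted(ranked, key=lambda row: row[1], reverse=True)

# Constructed example: a customer data store facing an opportunistic threat community.
CURRENT = Scenario(contact_frequency=120, probability_of_action=0.25, tcap_low=20,
                   tcap_high=80, resistance_strength=50, loss_magnitude=40_000)
OPTIONS = {"MFA plus monitoring": (74, 150_000), "MFA only": (62, 60_000)}
if __name__ == "__main__":
    print(f"Current annualised loss exposure: ${annualised_loss_exposure(CURRENT):,.0f}")
    for name, r, residual in rank_options(CURRENT, OPTIONS):
        print(f"{name}: ROSI {r:.2f}, residual exposure ${residual:,.0f}")
```

With these constructed inputs the cheaper “MFA only” option returns the higher ROSI (3.0 against 2.2) while the dearer option leaves far less residual exposure, which is exactly the trade-off a board paper should put in front of directors in dollar terms.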

Board Reporting Guidance in CPG234

In CPG234, APRA has re-emphasised the importance of generating meaningful statistics and reporting them to the Board and management team on a regular basis to enable them to make key decisions. One of APRA’s expectations is for the Board to exercise oversight based on detailed, data-driven statistics in order to demonstrate adequate cyber risk governance.

With FAIR being one of the emerging quantitative value-at-risk frameworks, below is a sample mapping of CPG234 Appendix H to the FAIR framework. Bear in mind that this needs to be tailored to the membership of each Board and the context of the organisation. Hopefully this will help you start the journey of supporting the Board and senior management team to align cyber security to business goals and key strategic decisions, and away from a compliance-driven security approach.

[Figure: sample mapping of CPG234 Appendix H metrics to the FAIR framework]

[1] https://www.nacdonline.org/analytics/survey.cfm?ItemNumber=66753

[2] https://www.nacdonline.org/about/press_detail.cfm?itemnumber=66872

——————–

About the author

Denny Wan is a cyber security expert with over 20 years’ experience in the Australian IT security sector. He is the principal consultant of Security Express and the chair of the Sydney Chapter of the FAIR Institute, with deep expertise in Cyber Risk Economics. FAIR is an effective approach for prioritising cyber security investments and explaining their business value. He is a certified PCI QSA and CISSP. He is a postgraduate researcher at the Optus Macquarie University Cyber Security Hub, researching cyber risk management in supply chains. This research is a useful tool for managing third-party supplier risks under compliance frameworks such as APRA CPS 234.

Michael Collins is a Cybersecurity and Digital Risk Management executive passionate about establishing and promoting quantitative methods for analysing information security risk which assists business partners, executives and board members in achieving the right balance between protecting the organisation and achieving business outcomes. Michael is currently leading the Cybersecurity capability at HESTA, Australia’s leading Health and Community sector industry superannuation fund with over 840,000 members and $50Bn funds under management.

Wilson Chiu has nearly 20 years’ experience in the Cyber Security, Information Risk and Compliance area. This includes leading the security function for large corporations and consulting to external clients. Specialisations include IT risk management, security strategy and governance, regulatory compliance, security architecture, technical implementation, security operations and security awareness.

Find the original article here: https://www.linkedin.com/pulse/strategy-eats-controls-breakfast-denny-wan/