You’re the Boss. The CEO. The Mayor. An Agency Head. The Executive Director of a Nonprofit, or the Chair of a Board of Directors. You’re expected to have answers. Lots of them. So do you have an answer for this? How does your organization assess cybersecurity risks?
Before you send me down to the IT department in my quest for the answer, let me give you an overview of some typical “methodologies” that I am certain to see in action. How do I know? With over a decade consulting, advising and evaluating technology operations, I’ve seen many flavors of cybersecurity risk management. Some good, some… well, you decide.
The truth is, you do nothing to identify or assess security risks. You’ve certainly never tested anything. You don’t have the knowledge or the resources in your organization and you’re pretty much just trying to keep your IT “stuff” working.
Pros: Your systems must be running because people are actively pedaling the wheels, right?
Cons: In the end, you just don’t care enough to prioritize information security. You won’t know what you don’t know (which is a lot) without help.
What IT Says: Scared to admit that they don’t know what they’re doing, and even more scared to ask for resources again, IT tells you that everything’s fine. The evidence, of course, is the lack of any known problem.
The Auditor Knows Best
It’s the classic close-your-audit-findings approach. You defer to the auditor. If your auditor points it out, it’s a risk. Otherwise, there’s no problem.
Pros: If you close the findings, you won’t have any open ones next year.
Cons: The auditors will definitely find something different next year. Also, they probably aren’t doing the type of work you think they are. You got a management letter that pointed out a few things related to security, not a widespread acknowledgement of your robust security posture.
What IT Says: Either: Those findings are nitpicky and we should fight them! OR Wow, that auditor painted a picture that is much prettier than it really is.
The User Awareness Training…2.0!
The auditor told you to do periodic security awareness training, so you revamped your PowerPoint slides from seven years ago, slapped “annual” on the title slide and included more references to the cloud, iPhones and Dropbox. Conveniently, you just finished training everyone last month.
Pros: You understand it’s everybody’s responsibility to be aware of information security risk.
Cons: Except…your leadership team didn’t find the time to attend the training, and they are in the process of simultaneously clicking on a link in a phishing email RIGHT NOW!
What IT Says: Education and awareness are pillars of a sound information security program (and they’re not incorrect).
The You Got (list)serv’d!
Your leadership team makes it a practice to subscribe to cybersecurity newsletters and listservs. Everyone forwards them to IT, asking "we do this, right?"
Pros: That user awareness training is working, and now everybody is concerned. Congratulations, you even got your leadership team to attend the training!
Cons: When IT informs you that they don’t in fact “do this”, you suggest they put together a budget request…it never survives the first round of budget revisions.
What IT Says: We need more resources. Seriously.
The New Guy
IT hired a new employee, because, ya know, resources. He’s working on it. He’s a Millennial. Right out of an MBA program. You’re hoping that he’ll monitor the Twitter and the #DarkWebs to find all of the newest in hackers and botnets to fight against.
Pros: Dedicated resources: the solution to every resource shortage!
Cons: The new guy is like a sponge, and his eagerness and desire to succeed are on steroids. This is his priority number 1! BUT…the technology he learned about in college is light-years ahead of yours, and this is not your highest priority. Afraid that learning about all of your old creaky stuff will make him forget all he learned in college, he bolts within six months, if not a year.
What IT Says: We fought hard during budget season to get that new position, and we wouldn’t have hired him if he didn’t know what he was doing. Back to campus!
The David Letterman
Your IT department reviews the latest SANS Top 10 cybersecurity threats (if you don’t know what it is, Google it and sign up for the listserv). They analyze the list and bring forward IT initiatives to mitigate all of these risks, then apply patches and updates accordingly.
Pros: You have patch management so nailed down, you dream of quilting during lunch.
Cons: If it’s not on someone’s top 10 list, it’s not on yours.
What IT Says: We have patch management so nailed down, we dream of quilting during lunch.
You meet monthly in a committee to discuss various security-related things. You certainly talk about the Top 10 list. You even talk about making your own. There’s definitely a portion of the time that is dedicated to summarizing how many attacks were blocked by your firewall. You (may) spend some time talking about that information security incident where the leadership team all clicked on the wrong email.
Pros: You are meeting to discuss risks and exposures; an excellent practice.
Cons: The meeting lacks direction and likely goes stale over time because you forgot to create a committee charter. Soon delegates are sent instead of regular attendees and attendance dwindles.
What IT Says: To date, our firewalls have blocked 1,742,823 intrusion attempts. Anyone?
The Gaping Holes
You conduct (or perhaps hire a contractor to perform) vulnerability assessments or penetration testing using automated tools. You are determined to close all of the holes identified.
Pros: State-of-the-art tools, fancy reports, and kudos for integrating a definite “best practice” into your organization. Bonus: you find out if you’re exposed to any of the Top 10!
Cons: OMG there’s a lot in that report! False positives, false negatives, and a lack of a true threat path analysis, so you might have to trial-and-error test all of your devices. You spend a lot of time opening and closing holes.
What IT Says: There’s too much stuff to know. We think we need help.
You hire professional consultants to conduct cybersecurity risk assessments. You do it regularly.
Pros: You hire people who know what they’re doing to do the job for you. You value an outsider’s perspective.
Cons: You can’t completely outsource it. I’ve worked with clients small and large, and overwhelmingly the most success comes when I teach the client to fish rather than to fish for them. I love my job and appreciate the business, but I like it best when everyone wins. Without a balanced approach to both perform the work and transfer the knowledge, it is not a true win-win.
What IT Says: One of three things: What do those high-priced suits know that I don’t? We’re scared for job security! Glad we finally get help!
So in closing, recognize that many of these activities can evolve into sound cybersecurity practices. Start by giving direction and purpose to your efforts. Provide resources and authority where it’s needed. Hold people accountable. Think for yourself, but seek independent perspective when you get stuck. No one can do this alone. In time, your IT stuff will be more secure. Best of luck.