Translating cyber-threats into business risks to tackle threats effectively
By learning to translate their concerns into the language of business risk, cyber-security professionals will find that their messages are heard - and heeded - more readily, says Piers Wilson.
Piers Wilson, head of product management, Huntsman Security
One of the biggest challenges IT security professionals face in tackling cyber-threats effectively is the "lost in translation" moments that occur in communications between them and the rest of the business. The IT security department can jump to "code red" as a result of something as simple as an employee opening a malware-bearing email attachment. Most people in the business, on the other hand, don't make the connection between opening the attachment and the cyber response it may require.
However, well-publicised breaches at the likes of US retail giant Target, and more recently Ashley Madison, show that it's much easier to raise awareness of the risks if you describe them in a common lexicon. A $10 million fine, or the potential revelation of information that might compromise someone, is far more impactful than a general reference to non-compliant activities or a data leak.
The worrying magnitude of the impact of these breaches is catapulting cyber-security right up the business risk register. There's still much work to do, however. Research by the Ponemon Institute found disconnects between the board and IT security professionals: while board members are very aware of cyber-security, they lack an understanding of the issues, which inevitably limits their ability to evaluate situations and respond appropriately. This must be rectified before cyber-threats can be tackled effectively through a combined business effort.
Speaking different languages
A core challenge in bridging this communication gap is that cyber-threats mean different things to different people, and they invariably affect different parts of the business in different ways. The implications of specific threats or non-compliant activities can be unclear to senior managers and CXOs, whose focus is on business deliverables and the bottom line. As a result, if the link between a cyber-threat and its ramifications is not clear, the risks to the wider business are lost.
If this is to change, security professionals need to translate cyber-threats into business risks, presenting each part of the business with information in the appropriate lexicon. This means telling them not what the threat is, but rather which assets are at risk, how their business activities could be affected, how likely that is, and what the consequences will be if the worst happens.
For example, if you tell a regional sales manager that the organisation is not PCI DSS compliant, chances are they'll be unperturbed. If, however, you explain that the business will be unable to accept card payments until the problems are resolved, there is every likelihood you've found a new PCI disciple keen to spread the word.
Similarly, the CXO may not be too concerned when told that hackers have embedded Cryptolocker in the company's web systems. However, once they realise that visitors to the website could have their PCs locked and held to ransom by cybercriminals, they'll quickly grasp the enormous reputational risk at stake and reprioritise fixing the problem as a matter of urgency!
Becoming fluent in risk
Aside from avoiding the risk of becoming lost in translation, businesses must become more collaborative in their security and compliance processes. The periodic tick-box mentality, with the assessor-and-applicant dynamic it so often brings, must go. Security and compliance management must instead become a continuous process with an in-built quality improvement element.
Businesses must maintain real-time threat information that shows each part of the business the live security and compliance status of its key systems and business processes. This enables the instant identification of any security or compliance problem and allows it to be dealt with before it becomes a threat to the business.
Becoming fluent in risk means presenting this information in a common and meaningful lexicon across the business, so that its importance to the business is clear and it is not just another meaningless message in another language.
Ultimately, cyber-security is not just an IT concern for the IT department to deal with. It's a business-critical issue with ramifications for everyone from the CXO to the directors, and the customers they serve.
The only way to tackle threats effectively is to involve everyone in the business, so they understand the risks and are able to evaluate situations and respond appropriately. This means continuous security and compliance monitoring to protect stakeholder value. It also means familiarising the whole business with the security and compliance management processes, so that governance outcomes can be continuously improved through the ongoing "testing and adjusting" of policy and compliance settings.
Not only will this collaborative approach decrease the risk that a business will be hit by a damaging breach or a costly fine, it will also considerably reduce the risk of cyber-threats to the business being lost in translation.
Contributed by Piers Wilson, head of product management, Huntsman Security.