As I have described before in earlier blog postings, COVID-19 has done things to all of us on this planet that were completely unforeseen and not even planned for. No need to go through all of this again, as I have described it before in a lot of detail.
But believe it or not, some good has actually come out of this, especially from the standpoint of Cybersecurity. For example, CIOs and CISOs are now becoming much more aware of the need to have a Business Continuity (BC) Plan in place, as well as the other plans that go with it: the Incident Response (IR) Plan and the Disaster Recovery (DR) Plan.
It is probably fair to surmise that many businesses all across Corporate America do not have one as of yet, or if they do, it is more than likely outdated and not rehearsed at all.
Another key area that is receiving a lot of attention (and one that I have also written about before) is the use of a Cloud-based platform, such as Azure, on which a Remote Workforce can easily access the shared resources that they need in order to do their daily job tasks.
In this regard, both the CIOs and the CISOs are now coming to grips with yet another reality: understanding what Cyber Risk is all about. Defining this can be tricky, as risk can be defined in so many ways, and when it is applied to a business setting, a lot of other variables come into play as well, which further shape the definition.
But for the purposes of this blog, it is still quite important to have some sort of definition, so here we go:
“Cyber risk is commonly defined as exposure to harm or loss resulting from breaches of or attacks on information systems. However, this definition must be broadened. A better, more encompassing definition is the potential of loss or harm related to technical infrastructure or the use of technology within an organization.”
So long story short, one can, in a very broad sense, say that Cybersecurity Risk is the level of loss that could occur to anything in your company. It is important to keep in mind that it is not just the digital assets that can be impacted (which is the common perception); the physical assets can be impacted as well, for example the servers that are housed in your data center.
But also keep in mind that while risk can be defined this way, there is yet another component to it: how much loss is your company willing to tolerate? In the end, we all experience some sort of loss, whether it is on a personal level or on a business level.
The key is how much of that you can actually stomach and take. I also mentioned a little earlier the variables that come into play when further defining risk. In a broad sense, they are as follows:
*Quantitative variables: These are the metrics which reflect the dollar amount of loss you will experience from downtime and from bringing mission critical processes back up again in case you are breached. These are hard numbers. For example, you would conduct an assessment to see how prone each of your assets is to a security breach, and rank them on a categorization scale that you establish. A database that houses all of your Personally Identifiable Information (PII) would probably get a ranking of 10, because it is a much sought-after target for the Cyberattacker.
*Qualitative variables: These are much harder to quantify, and they include such things as loss of brand, reputation, and customers, and the time and expense that it takes to bring in a new customer.
Now that we have provided a definition of what Cybersecurity Risk is, just how exactly is Corporate America embracing it? Well, this has been answered to a certain degree by a study that was conducted by Forrester and Tenable. Their report is entitled “The Rise Of The Business Aligned Security Executive”. It can be downloaded at this link:
Here are some of the key findings of this survey:
*Less than 50% of the CIOs and CISOs across Corporate America have a firm grasp of what Cybersecurity Risk is and how it relates to their business;
*Only 51% of them actually work hand in hand with their IT Security team and other key stakeholders in order to fully address the overall Cybersecurity Risks that their company is actually exposed to;
*Only 43% of the CIOs and CISOs actually use hard metrics with which to see how their particular business is faring against their own definition of Cybersecurity Risk.
My Thoughts On This
Yes, in an absolute sense, the numbers just described don’t look too good, but believe it or not, I am actually surprised to see where they are at. Hey, at least 50% of the CIOs and the CISOs have some kind or type of understanding as to what Cybersecurity Risk is, but the problem is that they need to broaden their mindset to see how it fully impacts their business.
Because of this, many organizations are now resorting to hiring a contracted individual known as the “Business Information Security Officer”, or “BISO” for short.
Their main purpose is to help bridge the gap between the CIO/CISO and the IT Security team (as well as the other relevant departments in the business) in understanding, defining, and implementing what risk really means to the organization.
In other words, not only do they have a keen eye for security, but they also have a great understanding of the business, so that they can explain effectively to the C-Suite what the impacts of risk are to their company.
Put another way, they are the conduit across the “language barrier between security and business” (SOURCE: https://www.darkreading.com/risk/less-than-half-of-security-pros-can-identify-their-organizations-level-of-risk-/d/d-id/1338577).
I actually think that hiring this kind of particular individual can be good for a company. For example, the C-Suite is often accused of living in their ivory castles, with a huge disconnect from the common people, who are of course all of the employees below them.
The BISO can communicate, in real terms that the C-Suite can understand, what the needs of the company are, especially those of the IT Security team. Members of that team often cite that their respective CIO and/or CISO are not on the same page with them, that they don’t listen to new ideas, or that they have a hard time getting budgets approved through them.
To be honest, this is one of the first times that I have heard of this new job title. Now the question that comes up is whether the individual who fits the bill for this role needs to be hired on a full-time basis. Given just how things are right now, probably not.
I am sure that a company can find a good enough BISO on a contract basis. But even better, if an organization makes use of what is known as a “vCISO” (don’t you just love all of these acronyms???), it is quite possible that he or she could also bring along a BISO with them, probably at not too much of an extra charge.
But most importantly, in my view, a good BISO will also understand and convey to the C-Suite the meaning of what is known as “Cyber Resiliency”. This is yet another huge and broad topic, just like Cyber Risk, and it will be explored in future blogs. Put simply, it refers to how well your business can bounce back after it has been impacted by a security breach.