Communicating cyber risk: Keep it simple says MHR CISO

Will North assessed many expensive GRC tools, then went back to Excel

Will North, CISO at HR and payroll software company MHR, was having a hard time getting through to his fellow board members on the topic of cyber risk, particularly with respect to the relationship between frequency and impact.

"I'd go to board meetings and say we've got 30 moderate risks, and they'd say, 'Okay, is that good or is that bad?'" North recalled during a presentation at Computing's Cybersecurity festival last week, entitled Cyber risk quantification (without a degree in maths).

"I didn't really feel I was going to get engagement. I didn't really feel like they understood the potential impacts of [the less likely but highly consequential risks] that could be hundreds of millions of pounds."

So, North dived head first into cyber risk quantification, seeking to unearth every risk and put a value on it.

"I was completely wowed and amazed by the fancy graphs and diagrams and the types of things that you could get out of it," he admitted.

However, after spending many months and numerous lengthy meetings with governance, risk and compliance (GRC) tools vendors, North didn't feel he was getting any closer to his goal of being able to put the main risks into context. The tools were expensive - between £20,000 and £100,000 per year - and also something of a black box in terms of the treatment of variables and the way the controls impacted the results.

North said he felt uncomfortable investing those amounts in something he didn't fully understand.

"£100,000 pounds is several members of staff. I'm going to invest in that rather than a tool that I don't know how good it's going to be."

Then he had a discussion with a former colleague in the finance sector, and decided to change track.

"He said, 'Don't try and quantify all your risks. We tried that a few years ago and it doesn't work. What you need to do is just pick your biggest risks; what are the catastrophic events that could happen? Just try and quantify those'."

So North went back to basics. Starting with a spreadsheet, he began documenting the top threats. As an HR and payroll solution provider, a breach of customers' data would be hugely, perhaps fatally, consequential. Failure of the cloud platform or web application, likewise.

He studied data breach investigation reports, evidence of phishing attempts and exploitation of external vulnerabilities. He looked at the email gateway to check the incidence of phishing emails getting through, and at training data as to the likelihood these would be clicked.

Image: Attack-path mapping. Source: Will North

Rather than trying to come up with a precise figure for each risk, he narrowed it down to those that could have an impact of more than £1 million. He then talked to colleagues in departments such as Payments, a pen tester, and staff engaged in red team-type analyses.

Some information was easier to find than others - the precise actuarial data that GRC tools draw on tends to be closely guarded and expensive to obtain - but after a while North felt his figures were good enough for his purposes.

He plugged this data into a home-grown attack path model - a simplified version of what he'd seen in commercial risk management solutions. While it wasn't as flashy as those offerings, his model helped him put reasonable figures on the frequency of a phishing email getting through, someone clicking the link, an attacker successfully bypassing MFA, an attack on a web application, a supplier breach, an insider attack, and so on; and to attach potential losses to combinations of those outcomes.

Image: Residual frequency. Source: Will North

For example, he found that without MFA a phishing attack had, in a given year, roughly a 50% chance of getting through, with a substantial chance of going on to cause a catastrophic incident; with MFA in place that risk fell to less than 1%, easily justifying its introduction.
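As an added illustration (not Will North's spreadsheet or model, whose internals the talk did not publish), here is a minimal attack-path model in Python of the kind the preceding paragraphs describe: each path is a chain of steps with a per-attempt probability that the attacker gets past it, an annual number of attempts, and a loss if the whole chain succeeds. Removing a control (here MFA) is modelled by setting that step's probability to 1.0, so the same model answers both "what is our chance of a million-pound loss this year?" and "how much expected loss does MFA avoid?". All step probabilities, attempt counts and loss figures are constructed assumptions for the demonstration, not figures from the presentation.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class Step:
    """One link in an attack chain: probability the attacker gets past it on one attempt.
    A control that is absent is modelled as p_success = 1.0 (attacker always passes)."""
    name: str
    p_success: float

    def __post_init__(self):
        if not 0.0 <= self.p_success <= 1.0:
            raise ValueError(f"{self.name}: probability {self.p_success} not in [0, 1]")


@dataclass(frozen=True)
class AttackPath:
    name: str
    attempts_per_year: float   # how often the chain is started (e.g. phishes past the gateway)
    steps: Sequence[Step]
    loss_gbp: float            # loss if the whole chain succeeds

    def p_chain(self, overrides: Optional[Dict[str, float]] = None) -> float:
        """Per-attempt probability that every step succeeds. Steps are treated as
        independent, the usual simplifying assumption in a spreadsheet model."""
        overrides = overrides or {}
        return math.prod(overrides.get(s.name, s.p_success) for s in self.steps)

    def events_per_year(self, overrides=None) -> float:
        """Expected number of successful chains per year (residual frequency)."""
        return self.attempts_per_year * self.p_chain(overrides)

    def p_at_least_one(self, overrides=None) -> float:
        """Probability of at least one successful chain in a year."""
        return 1.0 - (1.0 - self.p_chain(overrides)) ** self.attempts_per_year

    def expected_loss(self, overrides=None) -> float:
        return self.events_per_year(overrides) * self.loss_gbp


def portfolio_p_any(paths: Sequence[AttackPath], overrides=None) -> float:
    """Probability that at least one modelled path produces its loss this year."""
    p_none = math.prod(1.0 - p.p_at_least_one(overrides) for p in paths)
    return 1.0 - p_none


def control_value(paths: Sequence[AttackPath], without: Dict[str, float]) -> float:
    """Expected annual loss avoided by a control: loss with it removed minus loss with it present.
    Compare this with the control's annual cost to justify (or not) the spend."""
    with_ctrl = sum(p.expected_loss() for p in paths)
    no_ctrl = sum(p.expected_loss(without) for p in paths)
    return no_ctrl - with_ctrl


# Constructed, illustrative inputs (assumptions for this example, not figures from the talk).
PHISHING = AttackPath(
    name="phishing -> credential theft -> payroll data",
    attempts_per_year=200,                          # phishes past the gateway per year
    steps=(
        Step("user clicks link", 0.10),             # e.g. from phishing-simulation results
        Step("user enters credentials", 0.50),
        Step("attacker bypasses MFA", 0.005),       # MFA present
        Step("attacker reaches payroll data", 0.20),
    ),
    loss_gbp=5_000_000,
)
WEB_APP = AttackPath(
    name="external web app exploit -> customer data",
    attempts_per_year=12,                           # serious external findings per year
    steps=(
        Step("vulnerability exploitable before patch", 0.05),
        Step("exploit succeeds against hardened host", 0.20),
        Step("attacker reaches customer data", 0.10),
    ),
    loss_gbp=5_000_000,
)
PATHS = (PHISHING, WEB_APP)
NO_MFA = {"attacker bypasses MFA": 1.0}             # removing the control


def board_summary() -> Dict[str, float]:
    """The three numbers a board actually asks for, as plain floats."""
    return {
        "p_million_pound_loss_with_mfa": portfolio_p_any(PATHS),
        "p_million_pound_loss_without_mfa": portfolio_p_any(PATHS, NO_MFA),
        "mfa_annual_expected_loss_avoided_gbp": control_value(PATHS, NO_MFA),
    }


if __name__ == "__main__":
    for path in PATHS:
        print(f"{path.name}: P(>=1 event/yr) = {path.p_at_least_one():.2%}, "
              f"expected loss = £{path.expected_loss():,.0f}")
    for key, value in board_summary().items():
        print(f"{key}: {value:,.4f}")
```

With these assumed inputs the phishing path alone gives just under a 1% chance per year of a successful chain with MFA and roughly an 87% chance without it, and MFA avoids about £9.95m of expected annual loss; swap in your own gateway, training and pen-test figures to get numbers that mean something for your organisation. The independence assumption between steps is the main caveat: correlated failures (the same user both clicks and has MFA fatigue) will make the real residual frequency higher than the product suggests.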

"So I can go to the board of directors with a clear statement, saying that this year I think our organisation has a less than 1% chance of a million-pound loss. And quite simply, I've been able to communicate [in] the language that [they] can really understand, and they can go 'it's less than 1%, I'm happy to accept that risk'."

There is a tendency among non-technical management to suspect they are being manipulated by cyber professionals seeking budget, and to be wary of being blinded by science. By communicating the main risks in a clear way, attaching financial figures and explaining his workings, North believes he has increased his credibility on the board, making them more open to release security funding where it's needed.

"Keep it simple," North advised by way of a conclusion: "Don't try and boil the ocean."