Managing cyber risk: It’s the context, stupid
Risk can mean different things to different people across the business
Context is essential to making good decisions. Telling you that there are 100 security issues in your organisation is alarming but unhelpful; telling you that there are 99 issues that are unlikely to be problems and one really big issue that needs immediate attention is far more helpful to you, and to the other teams that you might have to work with. The challenge here is that companies have so much data available to them, making it hard to see where the real threats are.
At the same time, you are under more pressure to innovate. This impetus to implement new projects or get ahead of competitors often outweighs the risks that might come up. According to research by LevelBlue, 74% of global respondents confirmed that the opportunity of computing innovation outweighs the corresponding increase in cybersecurity risk. So how can we overcome this problem around risk, while still supporting the business?
Going up the DIKW pyramid
The big problem with data is not that we have too much of it. Instead, it is that we find it hard to use it in interesting and relevant ways. To improve the situation, we have to move from raw data into processed information, which then provides better knowledge of a situation. Once we have this knowledge, we can then choose what to do, establishing wisdom. This Data / Information / Knowledge / Wisdom (DIKW) approach has existed for many years in knowledge management, but it can be applied to improve other areas that have to handle large amounts of data efficiently and influence decision making.
As part of this approach, security leaders have to work with other areas of the business around risk. Risk can mean different things to different people across the business - for example, your Chief Financial Officer will care about financial impact and business decisions, while your compliance and governance team will have regulations to follow. Each of these areas is a different view on risk, but they all have one thing in common - they attempt to put a financial value around interruptions to the business. For security leaders, providing that same level of detail around cyber issues provides essential context. Using that data to provide knowledge and then wisdom on what to do is essential to reduce risk over time.
To make this work in practice, companies need a central point for managing risk and context information, which then provides operational direction on what to do next. This model is similar to a security operations centre, which processes incoming security alerts and then assigns actions to teams based on how much impact the issue, or a new variant of malware, may have. However, a risk operations centre, or ROC, would provide more business impact and financial insight to the whole business should the organisation ever get hit by the piece of malware mentioned previously. In short, a ROC proactively targets areas of business risk, prioritised by potential impact, likelihood, and cost.
There are challenges in implementing a ROC. While we have lots of data, many companies still don’t have accurate lists of all the assets they have for IT security purposes, let alone for financial planning and risk assessment. In essence, they don’t have all the data they need, so it is more difficult to extract knowledge and wisdom around the risk situation. Putting together an accurate risk register and keeping it up to date across your organisation provides that insight, while the financial data offers both context and impetus to get those risks mitigated or fixed.
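As an added illustration of the prioritisation the two paragraphs above describe (not code from the article or from Qualys), the following Python walks a small, constructed risk register up the DIKW pyramid: raw entries (data) are scored by annualised loss expectancy, ordered (information), split into the "one urgent, the rest tolerable" view (knowledge), and tested against remediation cost to decide what to fix first (wisdom). The stakeholder views for the CFO and the compliance team are also assumptions chosen to match the roles named in the article; the register entries, likelihoods and figures are invented sample values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Risk:
    """One line of a risk register (fields are this example's own assumptions)."""
    ident: str
    asset: str
    issue: str
    likelihood: float        # estimated annual probability of occurrence, 0.0 to 1.0
    impact: float            # estimated loss in currency units if it occurs
    owner: str               # team accountable for the asset
    regulation: str = ""     # applicable regulation, if any (e.g. NIS2, DORA)
    remediation_cost: float = 0.0  # one-off cost to mitigate or fix


# Constructed sample register; values are illustrative, not real findings.
REGISTER = [
    Risk("R1", "payments gateway", "unpatched internet-facing service",
         0.5, 2_000_000, "Platform", "DORA", 50_000),
    Risk("R2", "staff laptop fleet", "no enforced screen-lock policy",
         0.3, 20_000, "IT", "", 5_000),
    Risk("R3", "internal wiki", "outdated CMS plugin",
         0.2, 10_000, "IT", "", 2_000),
    Risk("R4", "HR system", "weak password policy",
         0.1, 50_000, "People", "NIS2", 8_000),
    Risk("R5", "test environment", "verbose error pages",
         0.4, 1_000, "Platform", "", 3_000),
]


def annual_loss_expectancy(risk):
    """Data -> information: a single financial figure per risk (likelihood x impact)."""
    return risk.likelihood * risk.impact


def prioritise(register):
    """Information: the register ordered by annualised loss, largest first."""
    return sorted(register, key=annual_loss_expectancy, reverse=True)


def triage(register, threshold):
    """Knowledge: separate the few risks that need attention now from the many
    that are unlikely to matter, using a loss threshold the business has set."""
    urgent = [r for r in register if annual_loss_expectancy(r) >= threshold]
    tolerable = [r for r in register if annual_loss_expectancy(r) < threshold]
    return urgent, tolerable


def worth_fixing(risk):
    """Wisdom: fixing pays for itself when the expected annual loss exceeds
    the one-off remediation cost; otherwise accept, insure or monitor."""
    return annual_loss_expectancy(risk) > risk.remediation_cost


def exposure_by_owner(register):
    """CFO view: total annualised exposure per accountable team."""
    totals = defaultdict(float)
    for r in register:
        totals[r.owner] += annual_loss_expectancy(r)
    return dict(totals)


def regulated_risks(register):
    """Compliance view: only the risks that carry a regulatory obligation."""
    return [r for r in register if r.regulation]


if __name__ == "__main__":
    urgent, tolerable = triage(REGISTER, threshold=100_000)
    print(f"{len(tolerable)} risks are tolerable; {len(urgent)} need immediate attention:")
    for r in urgent:
        print(f"  {r.ident} {r.asset}: {r.issue} "
              f"(expected annual loss {annual_loss_expectancy(r):,.0f}, "
              f"fix cost {r.remediation_cost:,.0f}, fix={worth_fixing(r)})")
    print("Exposure by owner:", exposure_by_owner(REGISTER))
    print("Regulated:", [r.ident for r in regulated_risks(REGISTER)])
```

The threshold passed to `triage` is the "how much risk is acceptable" figure the article says security and finance should agree on together; changing it is the lever that turns a list of 100 issues into the one-plus-99 view.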
Alongside getting data in place, there is also the issue of aggregating so much data that it becomes too much to sort through. This is the opposite problem, where teams can’t get the right information that they need to know where to focus their efforts. To solve this, security teams can use their expertise around threat intelligence to collaborate with the finance team on what to prioritise and how much risk is acceptable to the business.
The biggest challenge is how to work with data across functions. Different teams need different insights into data as it comes through, so they can plan ahead or know which problem to focus on. While a ROC can provide that central point for managing data, it should also make it easier to manage communication around risk in the first place. This should also provide the necessary financial insight into what risks are coming up and what to plan for, so the whole company can work ahead and budget for this effort.
For the CFO, this level of information around risk should demonstrate where investment is needed in people, processes, and tools, or how much cyber insurance they should use to mitigate risk not covered by those investments. For compliance, it should make it easier to get support for work around new regulations like NIS2 or DORA, where extra work on business resilience is needed. And for the CISO, it can then point out where additional resources are needed to manage security and risk within the parameters that the business has set out.
To be effective around security, companies need to address risk across all their operations, not just in silos of technology, finance, and compliance. By working together and using a ROC, these departments can be more efficient and improve resilience. However, we need the right information and knowledge to make that happen, and the wisdom to follow that path over time.
Matt Middleton-Leal is managing director Northern Europe at Qualys.