Risk is most often seen as something of a negative in cybersecurity but using risk in in our security work can be something positive and help us communicate with the business! First, I would like to use a few sentences to give you a formal definition of risk. The ISO 31000:218 defines risk as:
- effect of uncertainty on objectives
- An effect is a deviation from the expected – positive or negative.
- Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
- Risk is often characterized by reference to potential events and consequences or a combination of these.
- Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.
- Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Note the wording of some of the above sentences. The are using word like, likelihood, potential, deficiency of information and uncertainty. So, risk in this context is all about not being sure of the consequences of an event, something any cybersecurity worker will be able to recognize from their own experiences. But there is always a but, isn’t there, risk is also a positive, if used right. You can optimize risk! Why would you want to do that? Well, risk is not always a negative, in project management, where I have taken the optimize risk from, there is the concept of risk as something positive, like the risk of us saving money on materials. As cyber security professionals, we would use the term chance in this context, but three is also a risk of us not saving the money, hence the word risk is used within project management, because with risk, it is something we will HAVE to deal with as part of the project.
How does this apply to us as security professionals? Risk is a concept that is understood by any management or C-level member, making risk an excellent avenue for communication between us and the business. This brings me to the proverbial elephant in the room. How do you identify and quantify the risks to the cyber security? Here there are many frameworks and methodologies to chose from, the ones I myself is using with customers is COBIT and the ISO 31000 mentioned earlier in this article. Which one you chose is less important that sticking with it for the organization you are doing risk assessments for. Switching between them, can make identifying any trends in the risks more difficult.
How to assign probabilities and consequences to identified risks is one of those discussions that never ends, but if the risks are to be used as a communication tool to managements, money is the way to go and that is the measure I use with my own customers, to good effect I might add! Identifying all of the risks to an organizations IT system is a massive job, for any single person and it requires significant skill in both assessments and interview techniques. If you are responsible for risk identification, then start small and build from there. Choose a small porting of the infrastructure and use the systems owners to identify the level of impact any downtime for those systems will have on the business. Now you have the consequences nailed down for those systems, now you can move onto identify the threats that can make those systems unavailable for any length of time. Being able to identify all of the threats to a concrete system will take a significant amount of experience, not necessarily with cyber security, but systems maintenance. Without such experience, identifying realistic threats to the systems become difficult. If you yourself does not have such experience, then interview the staff responsible for the maintenance of the systems and ask about prior outages and their causes and go from there. Just be realistic about the risk to the systems when you go about identifying them.
You now have the information you need to go to the businesspeople, to tell them about the risk to the cyber security of the business or organization. But, another of those inevitable buts, the businesspeople will ask what to do about those risks? Here is the chance to shine! Do not ask for x fantasillions from the get-go. If you want to be taken seriously as cyber security staff in your organization, then you must control your instincts! Having spent time with customers that have invested enormous amounts of money on various security products to protect themselves, I can say that most of them are not using all these products to their full potential. If you have spent time identifying all the products in use in your organization, then I can almost promise you that there is already a tool or product available to mitigate some of the risks you have identified! So, when you stand in from of the businesspeople and can tell them that half or more of the risks, can be mitigated with already purchased products, then you will quickly become a trusted partner to the business people and will have a much easier time asking for budget later, simply because you are no longer seen as primarily an expense to the business. An excellent position to be in!
Now, I realize that all the above information is easier said than done. Most companies do not have a full knowledge of the vendors or products in their infrastructure, making acquiring this information a struggle for most organizations. Skilled staff in risk assessments are few and far between, and can cost a lot of money, making education of staff in risk assessments the way to go for many organizations. Then I hear the argument that if we educate our staff, we will lose them to better paid jobs. True, but what happens if you do not educate the staff?