Sensible About Cybersecurity

In this post, we share the second part of our conversation with Nicolás
Acosta, Chief Information Security Officer (CISO) of
Corona. We
spoke about risks, setbacks, and truths and falsehoods in cybersecurity.
If you have not read the first part, click here to read
it.

Risk Management

Thinking about risk is not easy, and risk is at the heart of
cybersecurity. Aligning cybersecurity risks with those of the business
is harder still. We wanted to discuss this topic with Nicolás.

Is it difficult to quantify the risks you manage in monetary terms?

“Remarkably difficult, as is usual in other fields. We have a
traditional approach, and we face the same common issue:
prioritization. Which risk is redder than the other reds? We still
rely on probabilities and impact. Broadly speaking, the current
approach to risks in cybersecurity has three commonalities: we are
not good at translating hazards into money; we are not good at creating
business cases for cybersecurity, which is why it’s often perceived as
costly; finally, we are not good at obtaining approvals for what we
want to do. As a whole, cybersecurity is poorly understood, and we
are responsible for that. I’m not saying that we still speak in
terms of IT assets to top management. Nevertheless, in Corona, we
have started to build a new language to speak directly to the
business, referring to risks. We have managed to speak in financial
terms to senior executives by leveraging the expected loss
paradigm, something we came across by, among others, exchanging
ideas with Fluid Attacks. Still, it’s an enormous
challenge. The expected loss indicator is not perfect, and it’s
complicated to understand. Nevertheless, it’s the best approximation
we have to speak in business terms. (Interested in expected loss?
Take a look at Risk Indicator
Roundup.)

In organizations where security breaches translate quickly into
money, it’s easier to connect the dots. For instance, the risk of a
successful hack targeting an online banking user with USD 5,000 in
his account is easy to quantify. However, a scenario where a hack
reveals personal information or industrial secrets is not as
straightforward to put into numbers. In the latter, you have to analyze more.
How much does it cost when someone steals a food recipe or an
industrial design from you? You just try to take what seems more readily
available, for example, sales forecasts.”

Setbacks

Companies and cybersecurity teams run into setbacks in many different
ways. Nicolás shared with us some of his own as CISO.

What setback was particularly relevant for you as CISO?

“I think of technical and managerial examples:

On one occasion, we should have waited to deploy a protection. We
proceeded, and in doing so, we also hindered major operations by
taking down some critical systems. That was never the intention, but
we ultimately caused the whole financial department of one of our
companies to be halted for half a day.

Another time, it was my first presentation to the board of
directors. I assumed they were aware enough of cybersecurity, but
that was plainly not the case. During my presentation, they started
asking whether my topic was worthy of attention. They simply did not
understand what I was conveying, and I should have started by
sensitizing the audience.

What I learned in both instances was pretty clear: first, not to rush when
a control or protection is missing; chances are that some blind
spots play a big role in the middle of the rush. Second, that the
first contact with a board of directors should be focused on
sensitization, even if they already are cybersecurity aware. A common
language must be established from the beginning to succeed in the
difficult task of speaking to the board.”

Truths and falsehoods in cybersecurity

To conclude our conversation, we talked about what Nicolás considers
false in the discipline, as well as what he considers true. We wondered
what a CISO like Nicolás could tell us.

What do you think is a ‘lie’ in cybersecurity that most people
seem to believe?

“I sometimes see cybersecurity as a cult. For me, cybersecurity is
not as severe as the market tries to show; people usually
overestimate what happens. We are not the most targeted
organization, although we receive daily attacks. And think about our
size: we are a team of seven protecting a 10,000-people
organization.

When is there ‘no time’? When are circumstances so urgent that you
can’t even blink? When are we ‘on fire’? It has happened once in the
last seven years. In my previous job in a bank, it happened twice in
about the same period. It’s odd: I see a cult of stress, a cult of
being relevant by being busy. It seems to me like an inertial thing
that is just not true. I don’t buy that stressful scenario we
sometimes see on TV or in the movies. Sometimes you do have to worry
and act quickly to contain an incident, for sure, but it’s
not every day, not even every week. In my experience, cybersecurity
is not that stressful.

In this discipline, you don’t have to do everything. You can
leave some things to randomness. Take, for example, theft. Every
day, people are victims of some theft. Yet, local institutions
don’t place a policeman on every corner of the city. That’s the
value of the expected loss approach, because it allows you to better
weigh your actions. To do nothing is also a managerial
decision. Sometimes it’s better to accept that some incidents
happen, and when they arrive, you deal with them. You don’t go to the
doctor every time you get a fever. In cybersecurity it’s the same. We
need to be sensible about cybersecurity.

Fluid Attacks, for instance, I’m certain will always manage to
breach some of my protections in the projects we work on together. How
much do I have to invest to be immune to them? There is no point in
that. I just accept that fact, and I protect against more likely
scenarios. The lie is to go until the end. You have to know when to
stop. Many professionals should discard the go-until-the-end
idea.”
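The expected loss paradigm from the Risk Management section and the point made here that doing nothing is also a managerial decision, as an added Python example (this is not code from the original post, from Corona or from Fluid Attacks): each scenario carries an annual probability, an impact, the cost of the best available control and the residual probability once that control is in place. Scenarios are ranked by expected loss, a control is funded only when the expected loss it avoids exceeds what it costs, and a budget is spent on the controls with the best return first. The scenario names, all figures and the function names are constructed assumptions for illustration only.

```python
"""Added example: expected-loss ranking and a 'know when to stop' rule.

All scenarios, probabilities, impacts and control costs are constructed
for illustration; they are not Corona's or Fluid Attacks' figures.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float    # chance the loss event occurs in a year
    impact: float                # money lost if it occurs (USD)
    control_cost: float          # annual cost of the best available control
    residual_probability: float  # annual probability once the control is in place

    def expected_loss(self) -> float:
        """Expected annual loss with no control: probability times impact."""
        return self.annual_probability * self.impact

    def residual_expected_loss(self) -> float:
        """Expected annual loss remaining after the control."""
        return self.residual_probability * self.impact

    def control_benefit(self) -> float:
        """Expected loss avoided per year minus what the control costs.
        Negative means the control is more expensive than the risk it removes."""
        return self.expected_loss() - self.residual_expected_loss() - self.control_cost


# Constructed scenarios echoing the examples in the interview (hypothetical numbers).
SCENARIOS: List[Scenario] = [
    # Breach that translates directly into money: easy to quantify.
    Scenario("Online banking account takeover", 0.30, 5_000, 800, 0.05),
    # Industrial secret: impact approximated by a sales forecast, as the text suggests.
    Scenario("Recipe theft", 0.02, 2_000_000, 25_000, 0.005),
    # A skilled red team will always get somewhere; immunity would be very expensive.
    Scenario("Red team breach", 0.90, 20_000, 100_000, 0.50),
]


def rank_by_expected_loss(scenarios: List[Scenario]) -> List[Scenario]:
    """Which risk is 'redder than the other reds': highest expected loss first."""
    return sorted(scenarios, key=lambda s: s.expected_loss(), reverse=True)


def total_expected_loss(scenarios: List[Scenario]) -> float:
    return sum(s.expected_loss() for s in scenarios)


def decide(scenarios: List[Scenario]) -> Dict[str, str]:
    """'mitigate' when the control pays for itself, otherwise 'accept'
    (doing nothing is an explicit decision, not an oversight)."""
    return {s.name: ("mitigate" if s.control_benefit() > 0 else "accept")
            for s in scenarios}


def plan(scenarios: List[Scenario], budget: float) -> Tuple[List[str], float]:
    """Greedy plan: fund only controls with positive benefit, best
    benefit-per-dollar first, until the budget runs out.
    Returns the funded scenario names and the budget left over."""
    worth_it = [s for s in scenarios if s.control_benefit() > 0]
    worth_it.sort(key=lambda s: s.control_benefit() / s.control_cost, reverse=True)
    funded, remaining = [], budget
    for s in worth_it:
        if s.control_cost <= remaining:
            funded.append(s.name)
            remaining -= s.control_cost
    return funded, remaining


if __name__ == "__main__":
    for s in rank_by_expected_loss(SCENARIOS):
        print(f"{s.name:32s} EL={s.expected_loss():>10,.0f}  "
              f"benefit of control={s.control_benefit():>+10,.0f}")
    print("decisions:", decide(SCENARIOS))
    print("plan with USD 20,000:", plan(SCENARIOS, 20_000))
```

With these constructed numbers the recipe scenario ranks first by expected loss even though its probability is the lowest, the red team scenario is accepted because immunity would cost far more than the loss it prevents, and a USD 20,000 budget funds the banking control but cannot reach the recipe control, which is the kind of trade-off the expected loss indicator is meant to make visible to the business.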

And what is a ‘truth’ that most people don’t seem to believe?

“People and organizations usually think that nothing will ever
happen to them. You hear from time to time “It will never happen.”
The truth is that something will happen eventually. The thing is,
not as many people are aware of cyber risks. For more than 130
years, some events seemed to have never happened in our
organization. It’s better to say: for over 130 years, we’ve
never known that something has happened.
Botnets exist; ransomware
exists. If I’m not cautious in my digital behaviors, something
terrible could happen to me. So, it’s vital to have “healthy”
digital habits. This is a game of balance, a game where you should
never feel safe enough that controls just stop making sense, but at
the same time, a game where you have to be mindful about how much
you really have to do just for the sake of having a reasonable
cybersecurity posture.”

We are thankful to Nicolás for this conversation about our job as
cybersecurity professionals. We hope you have enjoyed these insights
from the lens of a CISO. Do you want to share your thoughts? Get in
touch with us!

And remember our solutions.
Take a look at our Continuous Hacking service.
We can help you find opportunities for improvement
in your cybersecurity operations,
as we do with Corona.


*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Julian Arango. Read the original post at: https://fluidattacks.com/blog/sensible-cybersecurity/