Risk Journeys with Lisa Young | Part 3

In our previous episode of Risk Journeys with Lisa Young,  Axio’s VP of Cyber Risk Engineering, we discussed her approach to cybersecurity mental models and the CEO’s role. In our final episode, we dive deep into cyber risk quantification and Lisa’s outlook on information security in 2021. 

---

Continued from the previous episode…

Lisa Young

Many organizations today are buying cyber insurance, and I’m putting cyber in quotes. They’re buying a cyber insurance policy, often without doing the financial analysis of the risk exposure to gain a clear understanding of where and how the policies would apply. The value is in the analysis of the entire insurance portfolio, not just stand-alone cyber policies, and whether or not the loss event and the policy coverages are optimized for cost-effective risk reduction.

 And I think that’s what separates Axio from any other organization trying to solve cyber risk. We care about the financial, human, and programmatic elements that make up the problem space. It isn’t just technology. If we could solve the cyber risk problem with technology, we would have solved it already.

 

Axio

How have you seen this play out with clients?

Lisa Young

I’ve worked with many organizations who bought numerous cyber security products. Each of the products, on its own, solved a problem, an individual discrete problem. What was missing however, was the synthesis of the information from each tool into a coherent picture of situational awareness. It’s often the case that when you have too many cybersecurity products their utility may not be fully realized, or the management of the various tools use resources that could be deployed on a more efficient risk-reduction effort.

Cyber risk is a complex problem. But the solution doesn’t have to be. You have to understand the risk landscape in which you operate. You also have to know your own environment and continuously assess and manage the people, information, technology, vendors, partners, and suppliers upon which you are dependent to operate.

Axio

That’s interesting, focusing first on the internal environment as opposed to external cyber-buzz and hype. Is that an accurate way of saying it?

Lisa Young

If I had to suggest an allocation of resources and focus, I would say understanding the threat landscape in which you operate is about 15 to 25%, depending on who you are and in which sector of the economy you operate.

I recommend the other 75%-85% of time and energy is spent on planning, managing, and monitoring the things on which you are most dependent to deliver your products and services. This includes everything in your infrastructure, whether you own it, whether you source it from a cloud, whether you use suppliers, whether you buy materials from different places, all of that is under your control. For example, outsourcing a particular technology function does not transfer accountability for the risk.

One other thing that’s important to note here is the issue of compliance.  While certain types of compliance might be non-negotiable, it seems that many organizations focus on compliance at the expense of cybersecurity or risk management. Generally speaking, the risk of non-compliance would not have the biggest financial or reputational impact on an enterprise.

Axio

The C in GRC, it’s huge. A multi-billion-dollar market right. We can’t ignore it though.

Lisa Young

Being in compliance with a certain framework can mitigate 60-80% of most of the common risks just because these frameworks have done a good job emphasizing cyber hygiene fundamentals. If you pick up any compliance framework, let’s use NIST CSF or any other of the variants of ISO 27000, they’re valuable in making sure you are doing many of the things needed to both comply with the criteria in the framework and mitigate some risk.

Axio

So, what’s the missing in the GRC programs or compliance initiatives many organizations focus on is the actual R, the elephant in the room.

Lisa Young

Yes. I would ask, are you doing your cybersecurity program in the optimal way based on the risk to the organization? Moving from a control-or compliance-based program to a risk-based program helps an organization apply resources to the highest-priority areas. A risk-based view is forward looking and provides an organization with loss scenarios that may or may not materialize.

Typical risk assessments often fill the risk register with statements such as: data breach, insider threat, ransomware, non-compliance with HIPAA, etc.  These are conditions, threats, vulnerabilities, areas of concern that do need to be assessed or investigated to understand whether or not the enterprise may be susceptible to them, but they are not risks. Risks are potential loss events, not audit findings or control deficiencies.

Axio

What’s the difference between a compliance and maturity framework? Are they interchangeable?

Lisa Young

They are not interchangeable and that’s a very important distinction for anyone embarking on improving their cybersecurity posture. A compliance framework means that you have a list of criteria or a set of controls to which you have decided to implement and then assess whether or not they are implemented. It’s a binary process and often uses a checklist. Normally, they’re written in practice or control statements, something like, you need a password policy, and the password policy should have these parameters. Continuing with the password example, you decide to implement it, because you want to be able to check the box that you comply with that particular practice. Very rarely does anyone perform an analysis on whether or not the password policy and parameters address a risk, other than the risk of non-compliance.

Most people use a variety of compliance frameworks as there is no one-size-fits-all. The risk of non-compliance has been a driver for improvement in controls rather than improvement in risk identification and analysis.

A maturity model is different. It asks how well you are doing something. Take the password policy, for example. The maturity model would ask how well I’m implementing the password policy? Do I have full coverage? Is everybody trained on how to do it? And am I monitoring it to make sure that people are really doing it? And is it reducing or mitigating risk?  Is the risk reduction sufficient for the investment in the control implementation?

Axio

What’s your take on compliance frameworks for organizations just starting their cybersecurity journey?

Lisa Young

Compliance frameworks are meant to drive people to have better behavior, basic cyber hygiene, and control practices. In that way a control catalog or cybersecurity framework can be very useful to any organization.

Adding a focus on maturity is what makes the implementation of the framework even more meaningful in the context of performance, quality, and risk management. When you overlay maturity constructs on top of a set of controls or compliance criteria you actually begin to understand  how well am I actually doing the thing I check off in the compliance framework. How effective are my resource allocations to risk reduction? Do I really check my configurations to reduce deviation over time? Do I have many, many controls that require maintenance, testing, and auditing? If so, can I reduce controls under management without increasing my risk exposure.

It’s a very important distinction. Many people use maturity and compliance terms interchangeably. But when you really understand what’s required from a risk perspective, and you pick and choose the maturity models, or the compliance frameworks (maybe the ones important to your regulators are non-negotiable), and those go into a kind of aggregate understanding that says, okay, out of that, I should really be doing these X number of things.

There is so much more insight you can get from stepping back and performing some analysis. For example, am I teaching people how to do the procedures properly? Am I checking to make sure they’re done in an efficient manner? Am I measuring to make sure that I got the effect or the desired outcome?

As time progresses, this is when a maturity framework has immense power. Because if you’re not getting the outcomes you desire you can go back and start thinking about redesigning processes, controls, and allocation of resources. Or perhaps, not doing certain things at all.

Axio

Empowering people to understand the power of thinking about cyber maturity is not always easy. It seems that the consequences of not doing the things right now may take years to be become an unfortunate reality (cyber-attack). Fortunately, boards are caring more and more about cyber-risk. But what’s the best way to present that to them?  Audit reports don’t seem to be enough anymore.

Lisa Young

Early in my career I was an auditor. One thing we did for the organization was focus on optimization of resources. We would actually look at conformance to a set of criteria. And then we analyzed to determine if we were actually getting the value that we said we were supposed to.

Audit now has become a hammer. It’s looking at conformance to a set of criteria. It doesn’t matter whether that’s compliance criteria, control catalogs or frameworks, value chain criteria, KPIs, or operational.  If you’re an auditor, you’re looking at what was done during a time period that’s already elapsed.

The difference between audit and risk is that risk is always looking forward towards the identification of loss events that may or may not occur. Risk is about managing uncertainty. This is why some people believe that risk, especially cyber risk cannot be quantified, because it has not materialized yet.

I am uncertain about whether or not that risk is important to me. So, I need to do some analysis and some quantification to better understand how well I’m doing the high-value things to reduce the most risk.

Axio

This brings up a good point about how Axio thinks about quantification. What do you say to those security professionals that they want to quantify risk in real time?

Lisa Young

I’d say that this is a fundamental disconnect in mental models.  CISOs are trained to do things to satisfy auditors. For example, if I have a breach, or if a bad event happens, am I going to get raked over the coals? So, in their mind it’s more of a detection and response mindset. That’s not risk the value of management.

Cyber risk management, in particular, is about looking forward. You’re trying to understand uncertainty at its essence. And many security leaders have not made that leap yet.  There is no such thing as real time risk. There is real time threat detection and monitoring and risk that’s already been realized. There’s also real time control monitoring, or practice monitoring, or real time compliance monitoring, because you’re monitoring the thing that is being done to prevent or detect conditions that would indicate a loss event is about to occur or has occurred.

Risk that has already materialized has no more uncertainty – it is a fact, an issue, a problem, an incident.

Axio

What’s your opinion on this type of real-time monitoring?

Lisa Young

Monitoring takes time, and money, resources and should be prioritized to monitor the highest-value, or key risk indicators. The why is very important to understand when deciding what to monitor.  So, if I’m monitoring for things that occur frequently but may not be key indicators of risk, it can feel like playing a game of whack a mole. Organizations often spend a good deal of time and money monitoring a variety of items.  I would want to ask “Why am I spending time on monitoring the whole universe? It’s like, looking at the stars in the sky and saying, oh, they’re beautiful. Which one’s going to fall down on my house tonight?  You can’t watch them all.

Axio

And my last question is what do you think is the most important thing or the biggest concern you feel for 2021?

Lisa Young

It’s the same that I would say almost every year. Every organization needs to understand its risk scenarios in the context of achieving the business strategy and objectives. For example, the organizations who did a robust ‘what-if’ scenario analysis and response planning earlier in 2020 or late 2019 using possibly using scenarios related to an increase in ransomware, an economic downturn, pandemic scenario, or unavailability of key supplier, may be having an easier time navigating 2020 circumstances.  Many of the ones who thought that a low-probability event “would never happen to me” are struggling to catch up and flex their business models. They completely ignored the impact. Organizations cannot control many of the external conditions in the cyber risk landscape in which they operate, but they can control how they plan, manage, and direct resources to adapt, overcome, and improvise.

The best thing an organization can do, whether it’s profit, nonprofit, government, or military is understanding the emerging risks in their specific environment. They have to take a hard look at the scenarios that that would have a significant impact, regardless of the probability of occurrence, and make sure they’re okay with living that uncertainty.

Axio

Thank you, Lisa! This was very insightful and educational!

---

This concludes our Risk Journeys interview with Lisa Young.

If you’d like to learn more about how the Axio360 works you can book a quick demo here and receive instant access to the platform as a single-user license.