Part 1: Focus on Business Risk, Not Threat, For Cyber Success

As boards become more involved in oversight of their organizations’ cybersecurity, it’s important for directors to hear that everything they think they know . . . is probably wrong.

Most—if not all—of the information coming at board members tends to focus their attention on cyber threats. The attacker often is the focus of mainstream news stories every time a new breach makes headlines, along with the assets that were stolen and their value. What’s more, even an organization’s own security professionals typically focus on the threats they defend against, since that’s the nature of their technology-oriented jobs.

But focusing on threats can lead an organization down a bad path. It usually results in a reactive, ad-hoc collection of individual (point) products that are mostly “after the fact.” Such point products don’t usually integrate with other standalone products and typically are not automated—both of which are significant impediments to strong cybersecurity.

Instead, board oversight should lead organizations to a holistic, integrated cybersecurity approach by focusing “inside out”: first on the company’s business strategy; then on the primary risks to that strategy; and, finally, on the assets and processes that are most essential to that strategy.

In this way, the organization identifies its “crown jewels”—the assets and processes that are most important to business success—and only then considers the internal and external threats that might put those business-critical assets at risk. This approach enables a business to focus its finite cyber-protection resources where they will do the most good, instead of spreading cyber investment across the infinite number of cybersecurity measures in which it could invest.

Much more vulnerable

To understand why holistic cybersecurity planning needs to start all the way back at business strategy, it’s critical for boards to understand how and why their organizations are so much more vulnerable to cyber-attack than they were only five or so years ago. Two overarching trends are responsible:

  • The digital transformation sweeping through virtually all industries. Businesses are “digitizing” all aspects of their operations—from customer interaction to every partner relationship in their supply chains—and, as they do, those operations become more vulnerable to attack.
  • The interconnectedness of all things (also known as the Internet of Things, or IoT). Everything that has a processor—from mobile phones to cars, refrigerators, utility meters, and electrical substations, just to name a few—has become “instrumented,” connected to the Internet, and capable of at least some automated functions.

One of the most dangerous, and often overlooked, ways in which the IoT trend is changing the nature of cyber vulnerability is by establishing direct connections between IT networks and the real world. Even companies that consider themselves proactive in terms of cybersecurity generally focus only on an IT perspective, which becomes mainly about protecting data assets. But, nowadays, cyber-threat actors can use all that interconnectedness to wreak havoc in manufacturing and other operational processes.

Consider the hospitals that were extorted via ransomware attacks last year; their IT network outages put patients’ lives in jeopardy. Or think about the many homeowners who now have smart meters, which they can connect to from their mobile phones. Someone who hacks that mobile phone app can gain access to the smart meter, perhaps “pivot” to the solar panels on the home’s roof, and use their processing power to drive a distributed denial-of-service (DDoS) attack. And worse, the bad guys could enter the power company’s system and disrupt a generating plant.

Avenues of attack

These trends, multiplied together, essentially mean that threat actors now have a limitless number of potential avenues of attack—what security professionals call an organization’s “attack surface.” And once threat actors manage to get a foot in the door, the interconnectedness of everything allows them to create widespread damage. This explains why a holistic, integrated cybersecurity strategy is so important, and also why focusing on threats is such a lost cause: there are just too many, and too many ways in—not to mention that they are continuously, and rapidly, evolving. If you focus on the threats, you’ll need to plug every hole to be safe, while the bad guys only need to find one opening.

In part two of this article, we will examine how the board should consider building a holistic cybersecurity approach, and how to prioritize what to protect.