The Greatest Risk Is Not Doing a Risk Assessment
Recently, I had an interesting discussion with the Dutch members of Parliament about cybersecurity. The politicians wanted to know my views on 5G security and what I thought about a cybersecurity tender put out by an association of 380 government municipalities.
The tender aimed to acquire security products such as firewalls, endpoint protection systems, and CASB (Cloud Access Security Broker) products, possibly from three different security vendors.
I told them that this would be the wrong way to approach a cybersecurity tender. Protection from cyber threats is not just about buying siloed point products which provide discrete solutions to single problems. Nor does it depend on simply replacing one set of products with a slightly cheaper version.
Effective cybersecurity requires a holistic strategy that begins with creating a risk assessment.
The first task of a risk assessment is to identify the crown jewels of the business — the key assets and data that must be best protected. This could be customers’ intellectual property, credit card details, or personally identifiable information. It could be confidential medical information or sensitive industrial data.
The next step is to assess the risks of cyberattacks that threaten those important assets. A pragmatic approach to creating a risk assessment is to gather 10 to 15 employees from departments across your organization into a room and brainstorm the cybersecurity risks in the business. At the same time, the employees should consider how likely these risks are to materialize.
When I was chief information security officer (CISO) at a hosting company, we created a useful risk assessment plan through a series of brainstorms where we assigned a value to each risk. The likelihood of a risk was categorised from one to five, one being low risk and five being the highest. Then we evaluated the impact of the risk occurring, again from one to five. The risk value was calculated by simply multiplying the two numbers together.
Over the course of several workshops, we came up with a total of 225 cybersecurity risks. Some of them had a risk value of over 20 — they were likely to happen and could badly affect the company. There were also less urgent risks.
The threats we identified included things such as an employee leaving the company and taking their username and password with them so they could access the network at will. Or the possibility of a loss of power in a data centre that restricted the availability of data. Another risk could be a misconfiguration of the system leading to data being left unprotected.
Once those risk values have been calculated, it is up to the board of directors to decide what resources they are prepared to dedicate to protecting against these threats. That might mean taking measures against the top 15 threats, with less attention paid to less harmful ones.
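As an added example, not part of the original article, here is a small Python risk register that implements the scoring just described: likelihood and impact each rated 1 to 5, multiplied to give a risk value, ranked, and cut down to a shortlist for the board. The sample register, its asset names, the "urgent" threshold of 20 and the top-N cut-off are constructed, illustrative assumptions, not the author's actual workshop output.

```python
"""Risk register scoring: likelihood (1-5) x impact (1-5), ranked for the board.

Added illustration of the method described above. The register below is a
constructed sample; the asset names, scores and thresholds are assumptions.
"""
import csv
import io
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5

# Constructed sample: what a brainstorm might hand over as a CSV export.
SAMPLE_REGISTER = """\
name,asset,likelihood,impact
Departing employee retains working credentials,Customer hosting accounts,4,5
Data centre power loss,Hosted services availability,2,5
Storage misconfiguration exposes customer data,Customer PII,3,5
Phishing of helpdesk staff,Admin portal,5,4
Unpatched web application,Customer PII,4,4
Lost unencrypted laptop,Internal documents,3,2
"""


@dataclass(frozen=True)
class Risk:
    name: str
    asset: str        # the crown jewel this risk threatens
    likelihood: int   # 1 = unlikely, 5 = expected
    impact: int       # 1 = negligible, 5 = business-threatening

    def __post_init__(self):
        # Reject scores outside the agreed scale; a typo here silently
        # distorts the whole ranking, so fail loudly at intake.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{label} for {self.name!r} must be an integer "
                    f"{SCALE_MIN}-{SCALE_MAX}, got {value!r}"
                )

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def parse_register(text: str) -> list[Risk]:
    """Read the workshop CSV (name,asset,likelihood,impact) into Risk objects."""
    risks = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            likelihood = int(row["likelihood"].strip())
            impact = int(row["impact"].strip())
        except ValueError as exc:
            raise ValueError(f"non-numeric score in row {row!r}") from exc
        risks.append(Risk(row["name"].strip(), row["asset"].strip(), likelihood, impact))
    return risks


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Highest risk value first; ties broken by impact, then by name for stability."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))


def board_shortlist(risks: list[Risk], top_n: int = 15, urgent_threshold: int = 20):
    """Return (top_n ranked risks, risks at or above the urgent threshold)."""
    ranked = rank_risks(risks)
    urgent = [r for r in ranked if r.score >= urgent_threshold]
    return ranked[:top_n], urgent


def exposure_by_asset(risks: list[Risk]) -> dict[str, int]:
    """Worst single risk value per crown jewel, to show where exposure concentrates."""
    exposure: dict[str, int] = {}
    for r in risks:
        exposure[r.asset] = max(exposure.get(r.asset, 0), r.score)
    return exposure


if __name__ == "__main__":
    register = parse_register(SAMPLE_REGISTER)
    shortlist, urgent = board_shortlist(register, top_n=3)
    print("Shortlist for the board:")
    for r in shortlist:
        print(f"  {r.score:>2}  {r.name} (asset: {r.asset})")
    print("Urgent (score >= 20):", [r.name for r in urgent])
    print("Worst exposure per asset:", exposure_by_asset(register))
```

The value of encoding the method is less the multiplication than the intake checks and the stable ordering: once several workshops feed into one register, a score typed as 50 instead of 5, or two risks tied at 20 listed in a different order each time, is exactly what undermines the board's confidence in the list.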
The beauty of creating risk values is that it allows the company's board, rather than the CISO, to take the decisions. Managing risk is, after all, one of the board's core responsibilities.
We judged the chance of an employee leaving with login details to be quite high, so we put in place a measure to ensure that any departing staff member had to visit the IT department first to have their username and password cancelled. They could not be signed off by HR without producing a document from IT showing they had done this. While this introduces bureaucracy into the process, it helps reduce the threat of unauthorised access by former staff. This is the kind of trade-off that each company's board of directors must make.
Another risk-reducing solution could be enforcing two-factor authentication for sensitive data. This has a cost and can slow things down. Again, it is the job of the board of directors to evaluate the risks and see whether the solutions are warranted.
Unfortunately, in today’s fast-moving world, there are still too few organizations that carry out a decent risk assessment for their cybersecurity. Though, to be fair, the idea is gradually catching on.
The way cybersecurity has evolved is by taking piecemeal steps to tackle specific problems as they arose. Over the past 10 years, this has ballooned so much that each organization has an average of 34 security point products in place, each one creating its own little silo. As a result, CISOs seek individual replacements for their firewall or anti-virus software. But this just threatens to further complicate their cybersecurity framework.
Only a well worked out risk assessment will allow all concerned, from the CISO and IT staff to the board of directors, to gain a clear vision of what is at stake when it comes to protecting their organization from a world of evolving threats.
Hopefully, the municipalities of the Netherlands, and every other organization, will understand that the greatest risk they face is failing to do a risk assessment.
Fred Streefland is Chief Security Officer for North and Eastern Europe at Palo Alto Networks.