by Richard Seiersen
The shared objective for most CISOs and boardrooms defaults to some variation of "being secure against all possible threats." It is a common but ill-focused goal: defending against every possible threat and vulnerability is impossible. CISO success should instead be measured against a different objective: being resilient to material loss.
Avoiding Wrong Objectives
Many have likely heard the story involving WWII bombers that is often used to illustrate survivorship bias. Each time a bomber lifted off, there was a five percent chance it wouldn't return. Hoping to better protect their planes and improve the return rate, officers (aka executives) suggested reinforcing planes with armor wherever the returning aircraft showed bullet holes, most often on the wings, body, or tail. Statistician Abraham Wald turned their attention instead to the planes that didn't return: the areas where survivors were rarely hit, the cockpit and engines, were where the lost planes had been hit, which is why they never came back.
The officers lost track of the "value-at-risk", the extent of possible losses, or the stuff they were supposed to protect. When value is compromised, it leads to material loss. On an airplane, that means getting shot down. In an enterprise, that can mean data loss, a disruption to operations, or worse. Instead of working backward from plausible material loss, the officers focused on patching the vulnerabilities that happened to be visible.
This classic story illustrates how easy it is to ignore value-at-risk and the material losses that follow. That is why being explicit about connecting across silos in the organization and defining a shared, value-focused objective matters. Thankfully, external forces are now helping CISOs and boards focus on protecting value-at-risk, or as the SEC calls it, "material risk."
Understanding Emerging “Material” Requirements
The word "material" appears 355 times in the Securities and Exchange Commission's (SEC) cyber rule. Material risk is, in part, value-at-risk that is exposed to compromise. According to the SEC, material risk can affect competitive advantage, which in turn affects investor decision-making. Because of this, the SEC expects organizations to "describe their processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats."
While the SEC isn't overly prescriptive about specific metrics, quantifying material risk is a necessary step in understanding the investor impact of potential cybersecurity incidents. The SEC emphasizes that material disclosures exist to inform investor decision-making, yet organizations can't properly inform investment decisions without providing quantified financial inputs. To that end, the National Association of Corporate Directors (NACD) takes a much stronger stance on quantification, saying, "Board-management discussions about cyber risk should include identification and quantification of financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through INSURANCE, as well as specific plans associated with each approach."
(NACD, Director's Handbook on Cyber-Risk Oversight)
Given the looming threat of non-compliance and the lack of prescription from the SEC, it's reasonable for CISOs to look to the NACD for guidance on quantifying materiality. Its recommendations are likely to be expected in boardrooms soon, if not already.
Focusing On Materiality – Monitoring Risk Surface
Once material risk has been quantified, reducing it should be the primary focus for the organization. When CISOs take their eye off the material ball, they risk investing in the wrong controls and undermining their insurance and capital reserves strategy. They can avoid these unforced errors by shifting to a strategy built around a different concept: risk surface.
Risk surface differs from attack surface in several ways. Consider how it handles controls. Controls reduce the likelihood or the magnitude of plausible losses. From a risk surface perspective, a control is valued by how much material risk it removes. When the cost of implementing a control is less than the material risk it mitigates, the control has a positive return.
Mitigating controls can then be prioritized and implemented in order of their returns. This is a far more efficient use of resources than strategies that prioritize by attack surface alone, which treats every exposed vulnerability as equally worth fixing regardless of the value behind it.
But not all risk can be mitigated by controls. A CISO operating with risk surface in mind can transfer the excess risk away from the business through insurance policies. Any material risk that is neither mitigated nor covered by the policy (the retention beneath it and any loss above its limit) is backstopped by the organization's capital reserves; that is risk acceptance.
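The layering described above (mitigate what has a positive return, transfer the excess through insurance, accept the rest against capital reserves) is easier to see with numbers. The following is an added worked example, not code or figures from the original post or from Resilience: the controls, dollar amounts, retention and policy limit are all constructed, and the model assumes that each control's expected-loss reduction is additive and independent of the others, which real estimates usually are not.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A mitigating control with its annual cost and the expected
    annual material loss it removes (both constructed figures)."""
    name: str
    annual_cost: float
    loss_reduction: float

    @property
    def net_return(self) -> float:
        # Positive when the control removes more expected loss than it costs.
        return self.loss_reduction - self.annual_cost


def prioritize_controls(controls):
    """Return only the positive-return controls, highest net return first.
    Controls whose cost exceeds the risk they mitigate are dropped: funding
    them would reduce attack surface but not material risk."""
    positive = [c for c in controls if c.net_return > 0]
    return sorted(positive, key=lambda c: c.net_return, reverse=True)


def residual_expected_loss(expected_loss, controls):
    """Expected annual material loss left after the positive-return controls.
    Assumption (simplifying): reductions are additive and independent."""
    selected = prioritize_controls(controls)
    return max(0.0, expected_loss - sum(c.loss_reduction for c in selected))


def allocate_loss(loss, retention, limit):
    """Split a single loss event between capital reserves (acceptance) and
    an insurance policy (transfer).

    retention: what the business pays before the policy responds
    limit:     the most the policy pays above the retention
    Anything above retention + limit falls back on reserves."""
    if loss <= retention:
        return {"reserves": loss, "insurer": 0.0}
    insured = min(loss - retention, limit)
    excess = loss - retention - insured
    return {"reserves": retention + excess, "insurer": insured}


# Constructed sample inputs, not data from the post.
SAMPLE_EXPECTED_LOSS = 4_000_000.0   # expected annual material loss, untreated
SAMPLE_CONTROLS = [
    Control("Phishing-resistant MFA", annual_cost=300_000.0, loss_reduction=1_200_000.0),
    Control("Endpoint detection and response", annual_cost=500_000.0, loss_reduction=900_000.0),
    Control("Vendor audit program", annual_cost=800_000.0, loss_reduction=600_000.0),
]
SAMPLE_RETENTION = 1_000_000.0       # policy retention (accepted)
SAMPLE_LIMIT = 5_000_000.0           # policy limit above the retention (transferred)


def plan(expected_loss, controls, retention, limit, severe_event_loss):
    """Summarize the three layers for a board discussion: which controls to
    fund, the residual expected loss, and how one severe event would be
    split between the insurer and the reserves."""
    funded = prioritize_controls(controls)
    return {
        "fund": [c.name for c in funded],
        "skip": [c.name for c in controls if c not in funded],
        "residual_expected_loss": residual_expected_loss(expected_loss, controls),
        "severe_event_split": allocate_loss(severe_event_loss, retention, limit),
    }


if __name__ == "__main__":
    summary = plan(SAMPLE_EXPECTED_LOSS, SAMPLE_CONTROLS,
                   SAMPLE_RETENTION, SAMPLE_LIMIT, severe_event_loss=12_000_000.0)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

In the constructed case the vendor audit program is skipped because it costs more than the risk it removes, the two funded controls bring the expected annual loss from $4.0M to $1.9M, and a $12M event is split $5M to the insurer and $7M to reserves (the $1M retention plus $6M above the limit). The last number is the one that tells a board whether its capital reserves actually match the risk it has accepted.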
When risk surface is properly quantified and accounted for, organizations can absorb and recover from threats with minimal material loss or disruption to the business. That may not be as flashy as being secure against every possible threat, but it is a far more realistic barometer of success for CISOs who find themselves in an increasingly hostile digital landscape.
Contributors
Richard Seiersen
Chief Risk Officer, Resilience
Risk Management & Governance
cyber insurance, government regulations, risk & vulnerability assessment, risk management
Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.