Operational resilience | Risk Management & Reporting

September 27, 2023

The quality of your risk assessment and the security information it provides is important if you plan to use it to actively manage your operational and cyber resilience activities. Organisations are constantly exposed to a rapidly changing threat environment, so you need a similarly rapid, evidence-based feedback system that informs you of the ongoing status of your security controls. These changing threats mean gaps can quickly erode your cyber resilience. Mitigating those gaps without delay requires empirical, systematic and timely information with which to review and, where necessary, reset your controls. Anecdotal surveys or infrequent assessments that are unsubstantiated or obsolete, however, won’t provide the information necessary to inform the active management of your operational resilience.

A rapidly changing threat environment

National cyber security agencies, legislators and regulators regularly talk about the hostility of the cyber security threat environment. It’s a driver of the relentless growth in cyber attacks. These same officials are becoming increasingly strident in demanding that organisations improve their cyber security performance in the face of this hostile threat environment.

Technology and its dark shadow, cyber security, is very much a business problem. It touches every part of your business, and the scope and scale of cyber attacks can compromise your operations quickly. Disruption to a business and its supply chain from an attack can be debilitating and costly, damaging the reputations of all concerned. Directors and senior executives are increasingly being reminded of their obligations when it comes to operational resilience and oversight.

Failing to manage a hostile threat environment will leave you behind

The rules of engagement are clear. In this increasingly hostile threat environment, organisations must continue to improve their cyber security performance just to stand still. Like navigating a fast-running river, you need to be careful you don’t get swept downstream in the choppy current. Active management is needed to steer your organisation through this threat environment. A role of a business is to manage all types of risky environments to financially benefit its shareholders. That means actively taking steps to inform security decisions so that they deliver an ROI that exceeds investors’ cost of capital.

Charting a course through the white water

Several years ago, an acronym, VUCA, emerged from the US military to describe a highly complicated operating environment. The term made its way into management literature to describe the interrelated environmental factors (volatility, uncertainty, complexity and ambiguity) that compound to make successful risk management and effective decision making more challenging. It truly is “… crazy out there”. In terms of the cyber security threat environment, businesses must maintain their ongoing operations in the face of these volatile, uncertain, complex and ambiguous threat conditions. Failure of directors or senior managers to effectively manage these adverse conditions is tantamount to being swept downstream: out of control and, potentially, culpable. Inattention to your cyber threat environment is not an option for today’s enterprise.

What information is required to manage cyber security in this environment?

The attack surface of your enterprise is the IT systems and assets that enable it. Your enterprise is constantly at risk from shifting attack vectors that morph with every new vulnerability and potential exploit. In 2022 alone, more than 25,000 new vulnerabilities and exposures (CVEs) were reported. Not every endpoint is affected by every CVE, but with sometimes tens of thousands of endpoints to protect, security teams need to be able to assess this multiplicity of potential attack vectors to determine the level of threat to the business. Attack vectors are constantly changing, with adversaries endlessly seeking to target just a single gap in your defences.

Relevant information from your risk assessment

No wonder cyber security is difficult, with its volatility, uncertainty and complexity. We’ll leave ambiguity for later, except to say that management processes that rely on anecdotal or subjective inputs to inform decisions will always remain ambiguous. As a result, security and executive teams are left with some tricky questions: (i) how to assess the effectiveness of protective security controls against a changing threat landscape; and (ii) what information is necessary to reliably inform any changes to the control settings needed to maintain operational resilience more generally?

The frequency and quality of this environmental information will determine its usefulness in managing your cyber resilience. If the results are subjective, gathered by sampling techniques or questionnaires, or unsupported by evidence, their value in guiding future security decision-making is limited. The same is true if the results do not reflect the current state of the operating environment. When the threat landscape is so dynamic, it’s important that your risk management activities match the cadence of your assessments. Obsolete information about the state of your control settings in the face of a changing threat environment is not suitable to guide your current risk management practices, nor is it an adequate foundation for your operational governance.

What is an effective cyber risk management process?

To be effective, a cyber risk management process needs to empirically measure the nature and effectiveness of your controls, and determine their ability to mitigate any vulnerabilities or misconfigurations that might emerge from the threat environment.

This assessment needs to be completed reliably and often so that the ongoing effectiveness of the security controls can be maintained against the latest vulnerabilities.

What your risk assessment needs to tell you

  • Purpose of risk assessment
    • For active performance management; or
    • Historical reporting.
  • Currency and relevance of information being reported
  • Is it part of a quantitative systematic process or a random qualitative report?
    • Measured against a recognised security framework; or
    • Eminence without evidence.
  • What is the confidence level of supporting evidence?
    • Verified by artefacts;
    • Untested assumption; or
    • Reliability and accuracy
      • Survey, questionnaire and risk heatmap;
      • Attestation or assurance processes; or
      • Systematic data-driven analysis and reporting.

Management inputs in a dynamic environment

Collecting and analysing relevant data from a dynamic threat environment is challenging. Given its randomness, it is important to shrink the measurement intervals to limit the range and variability of the data being captured. More frequent collection of evidence-based observations reduces the quantum of information and the unpredictability of events between measurements, and so dials down the uncertainty. Complexity too, whether it’s the multiplicity of potential threat vectors or simply the complication and scale of current network architecture, will be reduced with more frequent measurement. The benefit of this methodology, however, does bring into question whether this scale of data collection and analysis can be achieved without some level of automation. That is particularly pertinent when you consider that the more reliable and current the assessment information is, the more suitable it is for actively managing control settings and ultimately improving your cyber resilience.

Data-driven, evidence-based cyber resilience

Getting timely information about the adequacy of your controls requires significant amounts of data. As a consequence, big data collection and analysis techniques are desirable to ensure the relevance of that information to the cyber security decision-making process. The speed and reliability of data-driven analysis enables proactive cyber security decision making, by identifying any particular controls that need to be reset or security policies that need to be adjusted to better align with operational resilience objectives.

Being able to quickly determine the adequacy of current security control settings means the CISO and the security team have visibility of their key IT assets, evidence of the state of the controls that protect them and ultimately a measure of their cyber resilience. It also empowers the team with prompt and actionable intelligence about any new or emerging security gaps that might put the organisation at risk.

Why is your risk assessment important?

Obviously, threats can come from multiple sources, but focusing on those that threaten an organisation’s security hygiene or resilience is a smart place to start. So too is identifying your critical IT systems and assets and selecting a security framework to measure the effectiveness of your security controls, even as the threat environment changes. Establishing your operational resilience using base-level cyber hygiene controls will significantly reduce your risk of attack; you can easily add more controls later.

The important thing for now is to understand the purpose of the risk assessment information. Is it for active management of the cyber resilience process or simply historical reporting? Is the information frequent and accurate enough to meet your risk management and performance management needs? And then, is it evidence-based and sufficiently reliable to meet the statutory reporting and operational resilience obligations of you and the board?

Conclusion

The reason for all the questions is simple. To manage their cyber security posture in a dynamic threat environment, organisations need regular risk assessments, or actionable performance information, to guide their management efforts. They need definitive information to inform them of their control settings and their effectiveness in the current threat environment. Cyber security management is the ultimate in active management, so much so that old-fashioned risk management practices battle to keep up. It’s too fast and complex, and the consequences of failure too great.

Security control settings need to be frequently adjusted to address any changes in the underlying threat environment; otherwise you run the risk of going backwards, in a security sense. Anything less than timely, evidence-based information is unsuitable for an active risk management process. Worse, relying on obsolete information to inform your management efforts and guide your risk management decisions is like using yesterday’s information to address tomorrow’s security problems.

To learn more about how data-driven risk assessment can inform your decision making and improve your operational resilience, please contact us for a chat.
