CISO Says... Risk? Not a problem

Nixu Blog

May 6, 2020 at 09:47

During a crisis, people tend to criticize the ones who were supposed to prepare for it. Whatever has been done, it's not good enough: there was too little preparation, the response came too late. But before the crisis existed, the same people were often criticized too: their proposed measures were too expensive and too restrictive. The difference is that we prepare for a risk, but we have to deal with a problem.

Risk is commonly defined as threat multiplied by vulnerability and consequence. It is difficult to predict and, sometimes, fear of a specific risk is completely unfounded. But once the risk becomes a reality, it is only really a problem if you are unprepared. According to Martin van Staveren, lecturer in the Master Risk Management programme at the University of Twente, risk is most troublesome if you close your eyes and ears [1].


In 2008 an (influenza) pandemic was considered a risk in the UK. Based on "historical information, scientific evidence and modelling", the government predicted that between 50,000 and 750,000 people could die. "You might want to ask the question, for example, what happens if many of our heavy goods vehicle drivers fell victim to that influenza and weren't able to perform their jobs? Do we have enough back-up to be able, for example, to deliver food to the supermarkets?" Ian Kearns, of think tank IPPR's security commission, said on BBC Radio 4's Today programme [2]. The UK and many other countries knew there was a risk that a pandemic would occur.

Looking at the diagram below, it should be clear that when dealing with risks we have to prepare for all of them, regardless of the fact that it is impossible to predict them. Maintaining and replenishing a stock of 10,000 ventilators every 5 years is costly, and after some time people will think it's a waste of money.

[Figure: CISO Says Risk No Problem]


Once the risk materializes, we have a problem that needs to be fixed. Of course, the reaction to this problem is different from the reaction to the initial risk. At this very moment, we are having discussions about the lack of preparation: not enough intensive care units, insufficient ventilators, a persistent lack of face masks, etc. There is, however, much more consensus on the need to act, and there is less discussion about the funding.

Problems and risks are often mixed up. Van Staveren used AON's Global Risk Management Survey 2017 as an example. AON is one of the largest service providers in the field of risk management. The company employs 50,000 people and operates in 120 countries. AON conducts a Global Risk Management Survey every two years. In the 2019 edition the following risks were listed:

Current Top 15 Risks

  1. Economic slowdown / slow recovery
  2. Damage to reputation / brand
  3. Accelerated rates of change in market factors
  4. Business interruption
  5. Increasing competition
  6. Cyber-attacks / data breach
  7. Commodity price risk
  8. Cash flow / liquidity risk
  9. Failure to innovate / meet customer needs
  10. Regulatory / legislative changes
  11. Failure to attract or retain top talent
  12. Distribution or supply chain failure
  13. Capital availability / credit risk
  14. Disruptive technologies
  15. Political risk / uncertainties

Many of these risks are (or can be) an effect of another risk that materialized. A pandemic (not in the list above!) has now resulted in economic slowdown. Cyber-attacks are so common that they are not an uncertain event at all. Some risks materialize with a bang; some risks take a while to materialize and slowly change from risk into problem.

Preparing for IT problems

Unfortunately, we often see companies act only on IT problems, not on IT risks. In a recent case, a company didn't want to invest in endpoint protection. After they got hacked, it was implemented within a week.

It's a missed opportunity, because many risks can be mitigated. As a CISO I facilitate risk sessions and keep risk registers. Together with the management team I identify unwanted events that can happen. Although we cannot make predictions on every single risk, we can predict the combined effect of all the risks fairly well. You could compare it to the way a car insurer cannot predict whether you will claim for damage next year, but does know the expected total across all its clients combined. The method used is called quantitative risk analysis [3].
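As an added illustration (not code from the blog post), a small Monte Carlo run over a constructed risk register shows the insurer effect described above: no single year's losses can be predicted, but the aggregate over many years is stable. The risk names, probabilities and loss ranges are assumed sample values.

```python
import random

# Constructed sample risk register (assumed illustrative values, not from the blog).
# Each entry: (name, probability the event occurs in a given year, (min, max) loss in EUR).
RISK_REGISTER = [
    ("ransomware outbreak", 0.10, (200_000, 2_000_000)),
    ("data breach with notification costs", 0.15, (50_000, 800_000)),
    ("prolonged supplier outage", 0.20, (20_000, 300_000)),
    ("laptop theft with unencrypted data", 0.30, (5_000, 60_000)),
]


def expected_annual_loss(register):
    """Closed-form annualised loss expectancy: sum of probability * mean loss."""
    return sum(p * (lo + hi) / 2 for _, p, (lo, hi) in register)


def simulate_year(register, rng):
    """One simulated year: each risk occurs with its own probability; if it does,
    a loss is drawn uniformly from its range. Returns (events, total_loss)."""
    events, total = [], 0.0
    for name, p, (lo, hi) in register:
        if rng.random() < p:
            events.append(name)
            total += rng.uniform(lo, hi)
    return events, total


def simulate(register, years=10_000, seed=1):
    """Monte Carlo over many years. Individual years vary wildly (many are quiet,
    a few are very expensive), but the mean converges on expected_annual_loss
    and the tail percentile is a stable planning figure for reserves."""
    rng = random.Random(seed)
    totals = sorted(simulate_year(register, rng)[1] for _ in range(years))
    return {
        "mean": sum(totals) / years,
        "p95": totals[int(0.95 * years)],
        "worst": totals[-1],
        "quiet_year_share": sum(1 for t in totals if t == 0) / years,
    }


if __name__ == "__main__":
    print(f"expected annual loss: {expected_annual_loss(RISK_REGISTER):,.0f}")
    for key, value in simulate(RISK_REGISTER).items():
        print(f"{key:>16}: {value:,.2f}")
```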

We also know that mitigating a risk is not always feasible, because it would cost too much or would otherwise hold the organization back. Society cannot accept being in eternal lockdown in order to prevent a once-in-a-decade pandemic.

Pandemic-size information security risks can only be accepted. However, we can prepare for them by creating incident response plans and business continuity plans, and by regularly performing simulations and exercises.

If your plans are good enough, your response to a materializing risk may be better than expected. Viewed in this way, risk is not a problem, according to Van Staveren. Given the current circumstances and the way the COVID-19 crisis continues to unfold, I wholeheartedly agree with him.

[1] (Dutch)
