Updated: Apr 22
(by Christophe Foret & Tom Callaghan)
The current COVID-19 context is putting enormous pressure on companywide budgets including information security. Many of us have already made quick decisions to safeguard our colleagues, keep operations running while preserving cashflow and reducing costs in the short term. Our instinct in this type of situation will be to engage our ‘system 1’(1) fast thinking, about 200.000 year old reptilian mind by default: when in danger, we don't think twice and make rapid decisions.
We now need to address the medium term and consider what actions should be taken to maintain the appropriate level of IT Security while optimising our 2020/2021 budgets. This is when we need our ‘system 2’(1) slow thinking, which is more time consuming but less prone error. This is our capability to put things into perspective and look for hard facts to improve our understanding of a given situation and improve our decisions.
While most of us have been confined to our homes to be safer, IT environments have become more exposed to cyber incidents due to increased remote working combined with an increase in threats. CISO’s must be asking themselves which 2020 activities should be resumed? Which should be accelerated? Which can safely be stopped to contribute to the savings their organisation so badly needs.
How to maintain the appropriate level of IT Security while optimising our 2020/2021 budgets?
The challenge in making these tough calls is finding balance. Balance between relying too heavily on intuition and experience on one hand and over thinking threats, vulnerabilities, and every other aspect of your InfoSec strategy on the other.
To help with these decisions we believe your organisation needs to take a fresh look at the risks it is most exposed to. Information Security impacts the entire business and the CISO/CRO should engage all of the organisation leadership to agree the types of cyber and operational risks it is exposed to and how to treat them.
Ordinal scales and red/amber/green heatmaps are often misleading
Traditional risk assessments using ordinal scales and producing red/amber/green heatmaps are often misleading when having discussions with business leadership. In fact, rather than helping decision making they can introduce confusion and lead to incorrect understanding.
You have more data and statistics require less data than you think
Intuition leads most people to assume that quantifying cyber risk requires lots of data, expertise and time which your organisation lacks in this time of crisis. Think again - scientific research (4) demonstrates that less data is needed than you think, and a little effort from a few key stakeholders can greatly improve risk assessments, and provide a degree of precision which vastly improves decision making. Equipped with an objective list of top cyber risks, an executive team can decide which risk scenarios need to be stopped, treated or transferred. The business leadership can also decide which information security investments are immediately required versus which may be deferred or cancelled altogether.
Not convinced yet? We at C-Risk are confident we can change your mind in less than 2 hours - so confident that our initial cyber risk quantification awareness course is available free of charge.
If you are convinced but unsure how to start, C-Risk will be happy to perform a ‘remote working’ risk scenario analysis and rapid quantification using FAIR framework, also free of charge.
(2) Problems with scoring methods and ordinal scales in risk assessment – 2010 D. Hubbard & D. Evans (IBM J. RES. & DEV. VOL. 54 NO. 3 PAPER 2 – May 2010)
(3) ISO 27005:2018 Section 8.3 and Annex E.2