Should we stop doing cybersecurity risk analysis?

Information security should be managed as a business risk. Is systematic cyber risk analysis still useful?

Security threats and vulnerabilities are constantly evolving, and cybercriminal groups adapt just as fast: their procedures, techniques and tools change quickly and catch businesses off guard.

For example, in response to strong authentication measures, new forms of social engineering attacks have emerged. Organizations have to deal not only with sophisticated vulnerabilities, but also with cybercriminal groups such as LAPSUS$, whose modus operandi is as simple as recruiting insiders who already hold privileged access (technical support staff, developers, etc.).

In short, information security is a set of scenarios that are difficult to quantify and whose occurrence is highly uncertain. That is why we manage them as a risk.

Systematic risk assessment

Systematic security risk analyses are ambitious: they aim to enumerate an organization's risk scenarios starting from a high-level approach. With methods such as EBIOS, MEHARI or OCTAVE, for example, you identify a handful of strategic scenarios, then break each one down into numerous operational scenarios. In practice, you bring everyone together (CISO, CIO, senior leadership team) for many hours and ask questions such as: who and what could undermine the company's mission, and why?

Is listing security risks systematically really effective?

From my perspective, all of this is a waste of valuable time for the majority of organizations.

I have facilitated numerous risk workshops. My experience is that these attempts to enumerate, detail, formalize and reach a shared view of security risk turn into endless discussions. Do you know what happens while you gather all the brainpower of your business for days? Cybercriminal groups, often made up of young adults, are progressing very quickly. They use simple, agile methods. Cybercriminals have no time to waste: they reason in small offensive iterations with specific objectives. And you might be the next target!

Objective-centric risk management

First, cybersecurity risk analysis should be a practice that is integrated into your projects early on. Rather than operating in a silo, it should be embedded in the activity of the business: software development, new solutions, infrastructure changes, acquisitions, product launches or digital transformation.

Understand the context of information

In order to identify an organization's cyber risks, I recommend starting with a clear understanding of its objectives, rather than imagining every threat-based scenario. The first step is to identify the company's value chain (or the objectives of a project). To do this, hold short, focused workshops with the key people in charge of the company's functions (finance, human resources, production, etc.). In these workshops, listen to the owners of the company's critical processes and data. How do they work? What data do they use, and why? But avoid generating needless anxiety by imagining every worst-case cyber-attack scenario at this stage.

As soon as you have an inventory of the data and applications in use, you can understand their strategic importance. Ask the following questions: What would you do if this data were publicly disclosed, made inaccessible, or changed without permission? These three questions correspond to a loss of confidentiality, availability and integrity respectively, and listening to the answers will give you a first idea of the data classification.

Targeted risk analysis

The next step is to ask the IT teams where this data is stored and processed, and then a simple question: what security measures are in place to protect it? Are there controls (preventive, detective, corrective) or safeguards (physical, human, organizational and technological)?

On the one hand, you now know which applications support strategic processes or handle data that is critical for the company. On the other hand, you know their current level of protection. With both in hand, defining security risk scenarios becomes easy: focus on the critical data and applications that appear the least protected, and ask what could realistically happen to them.

In summary, objective-centric security risk management is common sense. Start with the teams responsible for the critical functions of your organization, rather than picturing the worst in a world filled with cyber risks and threats. Reducing risk must first serve the value chain and the organization's objectives. Multiplying scenarios into infinite combinations does not help here.

Better yet, by listening and educating, you will naturally formalize risk appetite, another essential component of risk management. After all, risk is not just something bad to avoid.

Is risk something negative?

According to the ISO 31000 standard, risk is defined as “the effect of uncertainty on objectives”. Uncertainty, generated by doubt and complexity, is intrinsic to information security.

Cybersecurity risk management is therefore not a long list of tragic scenarios that could befall your organization. On the contrary, it is a sound practice that integrates the management of uncertainty into the culture of the company, from the operational teams to the executive committee. Managing risk means learning to seize opportunities that would not exist in a totally safe and predictable world.

What to remember

So, yes, we must continue to conduct security risk analysis! But without ever losing sight of the objectives behind what we want to protect.
