Today’s post contrasts two recent pieces.

PwC shared some very traditional thinking in Overseeing cyber risk: the board’s role.

It says volumes when their web page that links to the report has this:

Questions for directors and management about embedding cyber risk

• Does the company employ multi-factor authentication on all accounts (including VPN access) to control access?
• Who has responsibility for the company’s third-party risk management program?
• Does the company engage in robust patching and vulnerability management?

These are hardly the first questions that should be asked!!

I prefer:

• Where’s the risk to the business?
• Is it acceptable?
• What should we be doing about it?

While they say that we should “ensure cyber risk is embedded in strategic decisions – and the company’s culture”, they don’t explain how that should occur. How do you see the big picture, all the risks (including and not limited to cyber) and opportunities, to make an informed and intelligent decision?

They don’t even ask that management perform and then maintain a business impact analysis so they can start to answer my three questions.

Let’s toss that to one side, agree not to hire them, and consider the other piece.

Brian Barnier is one of the smartest people I know and a good friend^[1]. Recently, he has been promoting design thinking as an approach for cybersecurity. You can see more at https://www.thinkdesigncyber.com/. He also stresses that instead of considering cyber in a silo, you need to see it as part of a system. Critical thinking is the third part of his message. I recommend exploring his website fully. In December, Brian sat down with former Canadian Security Intelligence Service senior executive manager Dan Faughan to discuss cyber. But I want to focus instead on an interview in January.

Spotting Cybersecurity Gaps, Becoming More Systems-Focused is worth 30 minutes of your time.

I loved to hear what Lisa Young has to say. After 11 years with the CERT division of the Software Engineering Institute of Carnegie Mellon University, where she worked on cyber security and related risk, she has been active with ISACA, an executive with a cyber risk consulting firm, and a board member. She works as part of the Cybersecurity and Infrastructure Security Agency’s COVID Task Force as a risk management subject matter expert and is a board member of ISC(2), a global association of nearly 200,000 cybersecurity professionals. Young is also immediate past president of the Society of Information Risk Analysts. Early in her career, she worked as an internal auditor – and I think some of that experience had a lasting influence on her approach to cyber risk.

You should, as I said, take the time to hear the discussion. While Brian talks about system, design, and critical thinking, Lisa talks in my language.

She talks about understanding the risk to the business that would be created by a breach. Towards the end of the video, she shares some high-level advice. In my words, since I don’t have a transcript:

• What are you trying to achieve?
• What technology are you depending on to achieve those objectives?
• How would a breach affect you? How likely is an effect that would inhibit your success?

At one point, she even talks about the need sometimes to take more risk! Its only one sentence, but it indicates a deep understanding that cyber has to be considered within the context of running the business, not just for its own sake. Sometimes, the risk of a breach should be taken because the alternative is worse. For example, waiting for defenses to be hardened can mean missing a massive market opportunity because your competitors have moved faster.

Its not about risk to information assets; its about the effect a breach might have on the business and its success.

The ‘system’ that Brian talks about I see as the entire business. To understand, assess, and determine what to do (if anything) about cyber-related risk requires understanding:

• The nature of the business and its purpose, including how it is changing
• Its objectives
• How a breach might affect the business and its achievement of objectives: the range of potential effects and their likelihoods (including the effect on other sources of risk, such as compliance)
• Whether that is acceptable
• The options for addressing the risk and whether any investment would have an acceptable return, especially given the changing nature of threats
• How cyber is not the only risk that needs to be considered in weighing opportunities and making an informed and intelligent decision.
• The competition for scarce resources, given that any investment in cyber is at the cost of investing in other business risks and opportunities

But this is not about my thoughts, which I have expressed many times here and in my books, such as Making Business Sense of Technology Risk and Risk Management for Success. In “Making Sense”, I cover how decisions need to factor in all the risks and weigh them against the opportunities. Cyber is just one of the risks to consider.

This is about Lisa and Brian. I hope you are able to watch the entire video.

What do you think about their two views? Do they see the world the same way but use different languages, or is there a real difference? Are either or both right?

---

[1] I met Brian when he, Michael Rasmussen, and I were honored as the first three OCEG Fellows.