Black Swans and Coconuts: Managing Digital Risk in Today’s Enterprises
In October 2019 Forcepoint hosted a Digital Risk workshop at the recently opened US Embassy in London, gathering a strong group of presenters and an audience of customers to debate the issues facing security leadership today.
Tom Langford, a former CISO and security advisor to many enterprises, kicked things off, challenging us with the question of whether humans really can detect and measure risk accurately. He cited many cases where the perception of risk is at odds with actual risk, and used some humorous examples to illustrate his point: did you realise that you are more likely to be killed by a falling coconut than attacked by a shark? Tom proposed an approach that considers the likelihood and impact of a risk, as well as the ease of exploitation of that risk in a cyber security context. He also noted that risk appetite is a key concept that will differ for each organisation based on its culture, industry, company size and other external factors (such as the economy).
Tom then introduced the concept of “black swans”: unexpected events that cannot be planned for. Such events test the resilience of any organisation, despite seeming obvious in retrospect. The key point here is to expect the unexpected, and to learn from unexpected events that have happened to close neighbours. Critically, risk identification and mitigation need to be tied closely to incident preparation and response.
Michelle Griffey, the Chief Risk Officer at Communisis, a brand deployment and customer experience firm, outlined how the world has changed, and proposed that risk management must change accordingly. She noted that risk is constantly changing, and that regulation is likely to lag behind current practice. A common feature of digital transformation is increased interaction with third parties, such as customers, partners and suppliers. But these interactions create new risks, and so discussions on risk with these external organisations are helpful: Michelle advocated a joint risk register with key customers and suppliers. This begins to approach the broader concept of Unified Thinking around risk. For example, business continuity and information security typically have separate processes and standards. But they are also inextricably linked, and so perhaps should be considered together.
Venkat Ramakrishnan brought his experience in the gaming, travel and financial services industries to the table. Now at Harman, where he specialises in digital transformation programme delivery, he noted that data capture is non-linear: as our customers and sales grow, the information that we gather about customers increases exponentially. So understanding these new sources of data, and any risks associated with that data, is critical.
Venkat stressed that communication between the relevant stakeholder bodies is essential. Typically the primary stakeholders are the business, IT, and InfoSec. A useful analogy is a manual transmission vehicle: consider the business as the accelerator, IT as the clutch, and InfoSec as the brake. Brakes are less about slowing a vehicle down and more about allowing it to drive quickly and safely, and negotiate bends in the road.
My own contribution to the proceedings focused on three sources of risk that have surfaced in my discussions with customers. Firstly, most organisations have a hodgepodge of security capability, typically from a multitude of different vendors, that is not integrated. This tangle of tools creates risk because it obscures gaps in security coverage, as well as being inefficient to manage and costly to procure. The second risk involves the gathering of security data. Many organisations seem obsessed with collecting security data and recording it in a SIEM tool. They may have good visibility into their security estate, but the risk is that they regard visibility as an end goal: little insight is gained from the data, and so it acts more like a comfort blanket than a foundation for security insight.
The third observed risk may seem controversial: it is that organisations may be prioritising privacy over security. While privacy is a fundamental human right in Europe, that does not mean that organisations cannot or should not gather personal data in order to protect the business. Many businesses are ignoring information that could be used to increase security because they are worried about the privacy implications. But GDPR allows the collection of personal data specifically for information security purposes. Customers ignoring this are exposing their businesses to unnecessary security risks.
Listen to the speakers discuss the topic with Duncan Brown in the following webinars: