Cybersecurity risks are typically met with one of three reactions: 1) Accept, 2) Avoid, 3) Mitigate. An organization's cybersecurity risk strategy, risk appetite and risk threshold, together with the severity of each risk, are the key factors in determining which of these three reactions will prevail for each identified risk on a risk register. An organization's CISO typically maintains the risk register, recording each risk, its severity and the reaction chosen to address it. The risk register is a dynamic document: new risks are added, and existing risks are changed when new information alters some aspect of them. For example, a registered risk that was once assigned the reaction "Accept" may change to "Mitigate" due to a change in circumstances. You cannot control when a new risk will enter your path or when an existing risk needs to be reconsidered, but you must be prepared to choose which of the three reaction options is the most appropriate when the risk posture changes. The choice of reaction is an executive-level decision, made by the people with the fiduciary duty to make risk-based decisions. This article provides guidance to BoD and C-Level executives who carry that responsibility when reacting to cyber-risks.
What do leftover Lo Mein and Miasma have in common? Answer: both were identified as dangerous risks that caused severe health problems, when in fact the actual root cause of the health problem was completely different. I can easily imagine risk register entries for these two risks:
Risk: Neisseria meningitidis caused by eating leftover Lo Mein. Reaction: Avoid; do not eat leftover Lo Mein.
Risk: Cholera caused by Miasma. Reaction: Mitigate; wear a mask when outdoors.
What is the take-away lesson from these two "risk scenarios" that will help BoD and C-Level executives make wise choices about which of the three reactions is most appropriate when presented with an identified cyber-risk?
The best advice I can offer BoD and C-Level executives is to require the party reporting a risk to justify its conclusions by connecting the dots, keeping in mind that causation depends on correlation, correlation depends on variation, and variation depends on accurate and complete data. It all begins with high-quality data, and that is a good place to start asking questions. A party presenting risks to BoD and C-Level executives must be prepared to connect the dots from data to causation in order to present a viable risk, demonstrating that comprehensive research led to the conclusion about risk severity, based on likelihood and impact, using high-quality data and proven statistical methods. Here are a few sample questions that a BoD member or C-Level executive should ask a party reporting on risk severity, likelihood and impact; the answers will help decision makers determine the appropriate reaction: 1) Accept, 2) Avoid or 3) Mitigate.
Describe the process that led to your conclusion.
Were you able to validate your findings and conclusion with other parties that face the same risk?
What skill level is needed to carry out the attack that will cause this risk to manifest in our environment?
What is the range of impacts this risk could present? Recall the “flat tire” from the previous article.
I could list many more example questions, but I think you get the point: as a BoD member or C-Level executive with fiduciary duties, you have the "honor" of deciding which reaction is most appropriate when presented with cyber-risks. Make wise decisions, based on reliable and convincing evidence.
Never trust software, always verify and report! ™