Rightsourcing Cyber Risk Management
Author: Andrew Powerll, CSC General Manager Cybersecurity
Life does not have to be complicated. Within 2 or 3 days, by applying this framework you can have in place the outline of an effective rightsourced risk management approach. The exercise has other benefits: the Table Top phase helps you develop business continuity/disaster recovery ideas and processes, and at the same time identify your main threats and understand business impact. It is the understanding of how the most likely cyber threats impact your business that gives you a narrative for appropriate investment. The main part of this investment is a rightsourced risk management structure. The main mistakes to avoid are delving into too much detail, becoming a slave to risk identification rather than mitigation, and being far too technical. The focus must be top level, business-output focused and realistic, with a healthy dose of pragmatism.
Landscape or 'Why Do I Need to be Concerned?'
How do we do digital business effectively and efficiently, accepting a degree of risk that we feel is appropriate? This is the question that many Boards wrestle with as they operate in a world that now demands instantaneous, accurate and intuitive digital interaction. Scare stories in the media, and countless vendors beating a path to the door offering a portfolio of solutions as a panacea for complex security ills, naturally cause concern, confusion and often the wrong choice: one that ties the Board into an approach that is too restrictive, too expensive, or that they feel they cannot control or modify. Worse still, the supplier does not understand their business.
The natural counter to this is to go ‘DIY’: recruit your own team and buy in your own products. Advice from CPNI (Centre for the Protection of National Infrastructure), CISP (Cybersecurity Information Sharing Partnership) and others, available openly on websites, updated regularly and shared, gives a step-by-step approach and increasingly makes the Board feel as if they can stay on top of things.
The reality is that today’s tactics, techniques and procedures in the cyber domain are evolving at an enormous rate, and the sheer scope and complexity of the cyber domain we operate in has never been greater. This has increased demand for a small pool of expertise and driven up costs for a ‘service’ that is really about ‘people v people’. There are arguments that a pure ‘outsource’ approach can work where strong accountability is put in place and decisions are made only by business owners. Equally, the ‘insource’ approach can be argued to work if you recruit the right people and stay tied in to as many sources of help and advice as possible. All of this also depends on business size. However, if you accept the conclusion that what you really need is a fusion of both approaches, ‘the best of both worlds’, then the next question is ‘HOW’ do we get an appropriate balance and ensure this is adjusted regularly and audited for effect and value?