Navigating Cyber Risks: Frameworks & Strategies


We are excited to share our Associate interview with Cyber SME Simon Clayton-Mitchell. An Associate for two and a half years, Simon specialises in risk management and third-party assurance. In this interview, Hollie catches up with Simon about some of the most effective ways organisations can manage their risk frameworks, how to stay up to date on risk management trends, and more.


HB: How do organisations manage their risk frameworks, and what would you say is the most effective way of doing so? Also, what are the key components of a risk management framework? Do you find that one size fits all, or do different sectors and organisations have different standards?

SCM: Let me start with the frameworks. There are a number of frameworks out there. One of the most common is Cyber Essentials (you could argue it’s not really a framework – but for many organisations, it is what they will use to think about security and keep themselves secure – so in that sense, it's a framework). Cyber Essentials is really useful because it's very practical in nature, asking questions like: “Is your software up to date? Are you implementing technical-level security procedures and policies? Have you got MFA turned on? Do you have backups? Are you patching regularly?” All very operational-level, hands-on questions about how secure you really are. I think for any organisation, Cyber Essentials and Cyber Essentials Plus (assuming that you've answered their questions honestly) are a very good starting point.

Interestingly, I've seen organisations that will avoid Cyber Essentials (even though it’s considered a basic accreditation), because they cannot meet the CE requirements due to issues such as legacy IT, or lack of control over endpoint devices such as mobile phones or laptops (especially BYOD).

Asking an organisation “How close are you to achieving CE?” can help identify a lot of issues. Things that will often come up are “Well, we actually don't have MFA across all of our estate” or “We know we don't really have backups” or “Actually, not all of our systems are up to date”.

ISO 27001 is popular, but the problem is ISO 27001 is actually an Information Security Management System. You could be completely insecure and have ISO 27001; you just have a really good process to identify how you are insecure, and this is fully documented. That said, for larger organisations you do need a formal system for managing security and risk on a day-to-day basis, and if properly implemented then ISO 27001 is a good choice.

In answering your first question, “How do organisations manage their risk frameworks and what would you say is the most effective way of doing so?”, I will use the NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF) as an example. The NIST CSF has six categories to help align an organisation’s security posture:

·      Are you able to identify threats and risks to the organisation?

·      How do you protect the organisation?

·      How would you detect a cyber incident?

·      How would you respond to a cyber incident?

·      How would you recover from a cyber incident?

The sixth category asks how governance for the security function is implemented. It provides a good way of thinking about what's involved within each of those categories.

NIST can be used to provide a maturity score – from 1 to 5. 1 means you have little or no security capability. 5 is aspirational. Most organisations try to get between 3 and 4. However, you can get overly focused on trying to achieve a higher score.

Unless an organisation is required to obtain a high, independently verified score (for example, a bank may need it for insurance purposes), NIST is better utilised as a ‘north star’ – helping to guide an organisation’s security posture.

For example, around respond and recover, the organisation would ask itself “Okay, do we have an incident response capability? Have we tested it recently, and how did we do?” That can then lead to more detailed questions: “Do we have adequate backups in place? Could the backup be affected – how safe is it?”

For identify, the questions that arise are “Do we have a full understanding of our IT estate – all the systems that we work with? What does our attack surface look like? Are we vulnerable? How are we vulnerable? Who could attack us? How might they attack us?”

In this way, a company can take each of the NIST categories at a very high level and start to ask some really intelligent questions about what the organisation is doing across its security assurance capability.

There's another, similar, framework, which I haven't used as much: the National Cyber Security Centre’s Cyber Assessment Framework (CAF). It is quite similar to the NIST CSF and includes specific topics such as supply chain security; something that is increasingly important yet complex to properly address.

As with NIST CSF, I would recommend using it as a guiding star in developing a security assurance posture.

As an aside – the NCSC has a lot of very helpful material on its website for organisations of all sizes (and the NCSC created Cyber Essentials).

However, what I’ve described is a best-case scenario. One of the issues that companies can face is ownership and responsibility for risk. They identify risk areas, but finding someone to own that risk and do something about it can be a challenge.

HB: In your experience, how do different companies and sectors view their risk appetite? You've been in many different sectors and industries. Do they all sort of do things differently and how does that work?

SCM: I am always hesitant about the phrase risk appetite: it implies that it can be measured accurately in the same way that Financial Risk is measured (I think the term probably comes from financial risk).

In assessing risk an organisation needs to ask itself:

·      How would it impact us if somebody stole our data and threatened to leak it?

·      How would it affect us if somebody shut our systems down and we didn't have a backup?

·      What would an attack mean to our reputation, especially if data is leaked?

Risk appetite implies you can choose between risks, which is obviously inaccurate. If you are successfully attacked you may have very little control over what actually happens.

However, focusing on the above three broad questions and thinking through your ‘risk appetite’ to any one of them may help to make security investment decisions. For example, on a network architecture that is designed to limit the blast radius of an attack; or a backup solution that looks to ensure the integrity of the backup data.

Actually, one of the questions I get all the time is, “Well, why would anybody attack us?” The way I describe the situation to clients is that the attackers send out hundreds of thousands of phishing lures every day in the form of phishing emails with malicious content. If an employee in an organisation clicks on one, then the attacker is able to embed some sort of hook into the organisation and get themselves inside.

Once inside, they'll find out whom they have compromised. The company may be a small manufacturer of widgets, or a bakery in the north of England, and have sales of a million a year. The attacker will contact them and say something to the effect of “We've locked down your system, you can't operate, we know that you make profits of a hundred thousand a year, we'll take half of it, 50,000 to unlock you. Pay or else!” The organisation may not have a lot of choices.

It is important to remember that the attackers are economically rational and looking for a payday. What you're trying to do with different clients is make them understand that just because they're small or medium-sized or not part of the critical national infrastructure, doesn't mean they're not a target.

Then it's walking them through their IT estate (including operations) and making them aware of what the risk is: how would they react if all their data was leaked, or what would they do if their manufacturing system was locked down? And the response is often “We haven’t really considered that”.

Obviously, different industries are worried about different risks. Manufacturing is worried that the production line will halt. Health care is worried about sensitive data leaking, or a delay in being able to provide services. However, the risks associated with breaches of Confidentiality of data, Integrity of data, and Availability of services are common to most organisations.

I talked to a company last year following a devastating ransomware attack. They chose to pay the ransom because they were dead in the water and there was nothing they could do about it.

Another challenge is the risk that arises from what I call brittle IT. For example, a financial client I worked for with Platform Smart had a complex technology stack that supported a large part of the company’s revenues. Parts of the technology required updating, but the company was unwilling to touch it in case an unintended consequence of an update brought the whole thing to a grinding halt. They understood the risk, but there wasn’t a lot they could do about it without a very large investment and time.

The more an organisation can maintain its IT estate and stay up to date the less legacy IT (IT debt) they will incur, which in turn will help to reduce risk.

HB: You've explained the importance of staying updated. Just as a quick overview, can you explain the importance of it, staying up to date on risk management trends and the best practices?

SCM: I went back to university and did an MSc in cyber four and a half years ago. Since my graduation three and a half years ago the threat landscape has completely changed. We're already in a much more aggressive world in terms of cyber than we were back then. Part of that is a result of the war in Ukraine. Russia has become a significantly more aggressive attacker against Western interests, as have North Korea and Iran. And there is growing concern about the level of espionage and influence being exerted by China through cyber-related activities. We have entered the world of nation-state cyber warfare. You could argue that it's been going on for well over 10, 15 years; but it has stepped up significantly in the last 5. 

That means there's a continual need to stay up to date on security. The frameworks do adapt, but the real challenge is ensuring that an organisation’s processes and tools are fit for purpose - by understanding how the threat environment is continually changing and being able to go in and test procedures. So the organisation needs to do an annual incident response scenario simulation (at a minimum).

All large organisations should have a Security Operations Centre (SOC) functionality, along with endpoint management using some form of Endpoint Detection and Response (EDR) to continually monitor laptops and mobiles. And the organisation also needs to monitor its servers, cloud infrastructure, etc. That really should be the minimum level of security.

The other thing that goes hand in hand with that is ensuring that security awareness is part of the everyday lexicon of the organisation, so everybody's aware of the issues and talking about them as part of their normal business activities. By far the majority of company security breaches occur due to employee error. The more you can make people aware, the better chance you have of minimising that.

You do need people within the organisation whose job is to stay up to date on the latest trends. It's no different than if you're a lawyer and you're staying up to date on the latest changes in law; or if you're an accountant and you have to stay up to date on the latest changes in accounting rules or tax law. It's exactly the same for cybersecurity. You have to be continually up to date on what the threat landscape looks like, what are the latest ways in which people are attacking you, how they're going about it etcetera.

If you’re a smaller organisation, I think it does make sense to outsource a lot of that: for example, you get a company to come in and do an annual security audit; you use a company like Mimecast that does your email security, and as part of that they provide training videos on an ongoing basis throughout the year. However for larger organisations, you need in-house skills around cybersecurity, you need people to understand it.

HB: Have you ever faced resistance to risk management implementation? If so, how did you handle that?

SCM: I did some research and I came across an article and it said "Is cybersecurity investment a grudge purchase?" Sometimes you feel that it's not so much that there's resistance to risk management implementation, the resistance is to spending the money on it yet finding it hard to measure its effectiveness. It's a bit like paying insurance. You hope you never have to claim on it, but the trouble is the cost of insurance, in terms of the amount of tools and processes and overheads that you have to put in place to be cybersecurity secure, it's increasing every year. What you have to do today is way beyond what it was 10 years ago. 

There's a certain grudge element to it, you can see the board saying, “Well we invested in cyber last year and now you're saying we need a 5% increase in budget this year!”. The CISO has to convince them that the threat landscape has changed and more budget is required. That’s not always possible.

The other resistance factor is ignorance. People don't know or understand the risks and how to deal with them. I think when you launch into an area where people are not very knowledgeable of the subject or even ignorant of it, fear creeps in and they don't know whether they're being sold something they don't need. I joke that cybersecurity is the only part of corporate strategy where hope is seen as a valid strategy. They literally just say, “Oh, we hope we won't be attacked”.

HB: My last question for you, Simon, is how do you stay up to date yourself on new risks and new risk methodologies?

SCM: I do a lot of reading and there are a lot of good books out there actually. There's a very good one called Kingdom of Lies by Kate Fazzini. She wrote it about five years ago, but it's a wonderful high-speed and very well-written chase through the world of cyber-crimes. It's just brilliantly written.

There's another one called Fancy Bear Goes Phishing by Scott Shapiro; it's very much worth a read. It looks at a number of different major cyber hacks over the years.

There are a number of very good texts, so I read a lot. I have been fortunate enough to work for an MSP for the last year (that role has just been completed), which had a number of security experts. So, I'd sit down with the SOC team twice a week and do what I call SOC ride-alongs, or shadow the pen-tester. I’d talk with them about what they're seeing and how they set the tools, etcetera. You also learn a lot from your clients. I must have talked to over 50 clients in the last 12 months. Even if they don’t work with you, you learn a lot by talking with them about their approach to security.

One of the things I say is cybersecurity is an incredibly broad subject. It's also incredibly deep across its whole breadth, and you can find specialist experts in key areas. I try to position myself more as being able to sit and talk to the experts while not having their in-depth knowledge about every vertical; and then being able to turn around and bring that into managerial operational language. I can talk to the board or the senior-level management about the subject, and I think there's a massive hole in cybersecurity in that capability. One of the things I would say is that cyber is very much seen as an IT problem. It came out of IT. In Britain especially, I think IT, engineering, and technology are viewed as “oh, they're the geeks” or “the nerds” and sort of put you in a box and put you in the corner.

The reality is cyber is an organisation-wide issue and I often say that technology is a given. Being able to be secure in the organisation requires understanding its operations, its culture, and its behaviours. The tools enable the company to be secure. However, if your management and operations are wrong, all the tools in the world won't keep you safe. It's about how you implement and run information security, and cybersecurity within the organisation as a set of business processes that integrate seamlessly into the organisation that makes you secure.


Credits

SIMON CLAYTON-MITCHELL

Cyber Security Consultant

HOLLIE BUTTACI

Associate Relationship Coordinator

