From threats to risks – the critical cybersecurity journey
2nd June 2022 • Munich Marriott Hotel
CISOs’ focus on threats is obscuring the real issues. Let’s start talking properly about risk.
It has been clear for some time that the current model we use to try to keep organisations and individuals safe from cyberattack is flawed – but perhaps not for the obvious reasons. Yes, the traditional perimeter no longer exists. Yes, what is simplistically called ‘basic cyber hygiene’ is almost impossible to guarantee. Yes, third-party security, especially third-party software security, is an almost impossible problem. And yes, the attack surface is growing and threat actors are multiplying and becoming more sophisticated and aggressive.
But the real issue is the constant focus on the latest threat and attack types when what is actually important is risk: ransomware is not a risk. Ransomware is a threat that can cause the corruption of key data. The risk is data loss. DDoS attacks are not risks. They are a threat to the continued operation of a system. The risk is the lost output or functionality of that system.
By focusing on specific threats, CISOs and vendors condemn themselves to a never-ending whack-a-mole strategy in which they are always playing catch-up to attackers who only need to be right once and who are increasingly better equipped than the defenders. This strategy is bound to fail – hence the commonplace ‘assumption of breach’.
Instead, companies and CISOs must focus on risks: what assets, data, applications, and processes are essential to their businesses? Which of those are susceptible to cyberattack? What is the actual risk to the business if those elements of business-critical infrastructure are taken out by a cyberattack? And what is the most cost-effective way to mitigate the risk?
Even today, ask most CISOs about cyber risk and they will start listing threats. So how can we change mindsets and start thinking about security in terms of risk and resilience? How can vendors help, given that they too focus on threats and defence against particular threats?
And let’s start talking about costs: it is noticeable how little vendors talk about costs versus how much CISOs talk about resources. It is even more noticeable how few CISOs map potential risk costs to spend. Is it time for a more open discussion about what an affordable security stack looks like, what affordable means for different types of organisations, and what level of spend gets you what level of security and data privacy?