It is around 3 a.m. and you are fast asleep, in a “Clark Griswold-like” dream state, contemplating how your annual bonus check will be spent. Then, the sudden and jarring ring of your phone turns your soft slumber into a half-conscious nightmare. You regret keeping that corded land line by your bed for one additional reason now. The CEO is not happy, as she has spent the better part of an hour on an urgent call from the authorities explaining that they had knowledge of a significant cyber-attack on the company. The “fun” part is that they don’t know the intent or impact to the company, only awareness of an attack that they had been watching for several weeks in parallel to another case. So, where do you start? Who do you call? What do you do?
Good news! This was all a dream and none of this has occurred… YET! If you haven’t had this call and the subsequent firestorm of activity, cash outlay, and sleepless nights, you are in luck. You have the pleasure of asking some great and shockingly easy, non-technical business questions preemptively to get ahead of the game. It won’t eliminate the pain of a cyber-attack, but it can reduce the time to diagnose and potentially ease your pain. There is ONE “magic question” in cyber risk management that should get 80% of the work done for you. They say a magician should never reveal their secret, but by examining why the magic question is needed, you will get a better appreciation for how to perform the trick.
“Many organizations can’t yet comprehensively articulate their areas of potential greatest impact or loss in a cyber-attack driven by either an outside attacker or a malicious insider. Why is this?”
Many companies have focused on traditional information classification to identify crown jewels to protect, which is not a bad place to start. Additionally, business continuity and disaster recovery plans are standard for many areas. However, only focusing on information theft or how to recover critical systems when compromised won’t help you in a malicious attempt to disrupt operations or manipulate/corrupt data that is critical to the legitimacy of your business. Information security professionals all know these two things as “integrity” and “availability.” Together, the types of information security impacts could entail “Confidentiality”, “Integrity”, or “Availability”. Even with that knowledge, companies still have a heavy focus on the confidentiality of information.
“If 99% of the global news focuses on hackers stealing data, why would I focus beyond that if I have to prioritize?”
This is a legitimate question and there is a good reason why the news focuses on theft. Most companies are required to report security incidents that result in the breach of personal information (customers, employees, partners). However, it could be assumed that many incidents beyond this reportable scope don’t make it outside of internal conference and board rooms unless someone gets indicted or arrested. The bad guys/girls have different motivations, so focusing only on theft won’t necessarily help you reduce the biggest risks. Information Security practitioner terms like “the C.I.A. Triad” may inwardly sound cool, but the fact of the matter is that terms like that can quickly lose or confuse your business leaders.
So, what is this magic question??
“If it was 3am and I called you to tell you that our company was undergoing a significant cyberattack, what would you be most concerned about if the bad guy were to steal data, corrupt data, or knock our critical systems and business processes out of commission?”
For example, if you are talking to the Executive Vice President of Sales and pose the above question, think about his/her possible responses:
- Theft of the strategic marketing and sales tactics used to launch a new product or sensitive customer records?
- Unauthorized manipulation of financial records or sales call data?
- Taking down a daily critical CRM (Customer Relationship Management) system for which there is no backup / manual process to keep the activities operational?
If obvious answers aren’t coming to them, start throwing out potential company impacts to their area of the company if a cyber-attack were to occur:
- Brand image and customer trust damage
- Operational impairment
- Human safety
- Impact of intellectual property compromise
- Government fines or penalties
The answers you get back are most likely top information security risks from a business impact standpoint. These areas probably warrant heightened focus. The next step is determining where things could go wrong:
- What IT applications, databases, content repositories, or infrastructure/hardware are involved?
- What 3rd parties support those critical business activities?
- What departments, personnel and business processes are involved?
- Has anyone evaluated the above 3 items from an information security standpoint?
Regardless of your IT and IS budget, you don’t have unlimited resources at your disposal. Trying to boil the ocean is a fool’s errand (despite many CISOs’ recurring attempts). There is no magic question to make everything you could possibly want to do magically appear in a completed package with a nice bow. Stick to the basics of flushing out what matters most to your business, and making rational prioritization decisions based upon risk-driven logic. The execution will be up to the caliber, capacity, and commitment of you and your organization. However, make sure you are focused where it matters most!
Notice: The story, characters, and accounts in this scenario are fictitious and did not occur to me, but the scenario has been made quite real for many information security leaders.
(Note: These are my views/opinions only and do not reflect any past, current or future employer’s or client’s views. For educational and discussion purposes only.)