CISA defines cybersecurity governance as a comprehensive cybersecurity strategy that integrates with organizational operations and prevents the interruption of activities due to cyber threats or attacks, which includes accountability frameworks and decision-making hierarchies.
My thoughts on cyber risk governance start by looking back to the history when GRC was coined by Michael Rasmussen during his time at Forrester in 2002. Governance, risk and compliance initiatives were primarily focused on IT GRC and the controls, policies and processes that an organization implements and performs to identify compliance requirements, manage risk and effectively govern those activities.
There continues to be some level of hype around GRC, with NIST releasing a Risk Management Framework 20 years later (January 2022) and describing it as a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems. This is much easier said than done, and that is why I consider this to be part of the hype.
Organizations hope to use frameworks to instill good business practices into “business as usual” and to provide three lenses of visibility for making risk-based decisions. Cyber risk quantification continues to evolve; it applies risk quantification techniques to an organization’s cybersecurity risk relative to its information assets (technology infrastructure, software applications, and data).
Cyber risk quantification is the process of evaluating the cyber risks that have been identified, then validating, measuring and analyzing the available cyber data with mathematical modeling techniques, so that the organization’s cybersecurity environment is represented accurately enough to inform cybersecurity infrastructure investment and risk transfer decisions. Cyber risk quantification is a supporting activity to cybersecurity risk management; cybersecurity risk management is in turn a component of enterprise risk management, and is especially important in organizations and enterprises that depend heavily on their information technology (IT) networks and systems for their business operations.
Many technologists and executives, me included, believe that the current scoring methodologies and statistically oriented models for cyber risk quantification are based on flawed assumptions and unproven algorithms, and fall short of answering several key and critical questions. What is needed is a methodology that quantifies cyber risk by incorporating the physical and virtual technology assets (infrastructure, software, data) in use by an organization, the interrelationships among them, the technical vulnerabilities associated with those assets, and the actions planned, in progress and completed to mitigate cyber risks.
In addition, non-technology assets must be considered, including business processes (both revenue and non-revenue generating) and intellectual property assets (research and development). Allocating and attributing risk is central to modifying the behavior of individuals and organizations, because it lets the business attribute and allocate risk to specific business functions and business units.
Now that we’ve level-set on a shared definition of cyber risk quantification, let’s investigate the harsh reality and answer the question “how do we get there?”, because it’s clear that what got us here won’t get us there.
It all starts with a cybersecurity risk assessment, in which we identify the current state of cybersecurity risk by assessing the controls in place (administrative, technical and physical), the effectiveness of those controls, and the mitigating controls designed to manage cyber risk across the organization.
Risk assessments are nothing new, and whether we like it or not, if you work in information security, you are in the risk management business. The challenge remains the ability to collect, aggregate, correlate, de-duplicate, normalize, calculate and orchestrate the volume of data from security technologies that produce data points on the vulnerabilities and flaws in an organization’s technology landscape.
An essential component of the metrics and measures delivered for use at the operational / technical, IT management, executive management and Board levels is traceability up, down and across each of those decision-making areas. Without it, you cannot answer the inevitable question, “how did you get the numbers?”
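As an added illustration of the collect, de-duplicate, normalize, calculate and trace pipeline described above (example code written for this page, not the author’s or any vendor’s tooling), the block below merges constructed findings from two hypothetical scanners, puts their differing severity scales onto one 0-10 scale, rolls asset scores up to business units, and keeps, for every rolled-up number, the list of findings and raw scanner records behind it. The scanner names, asset names, finding ids, business-unit mapping and word-to-number scale are all assumptions.

```python
from collections import defaultdict

# Constructed sample findings from two hypothetical scanners (not real data).
# Each raw record: scanner name, asset, finding id, scanner-native severity.
RAW_FINDINGS = [
    ("scannerA", "web-01", "FINDING-0001", "High"),      # scannerA reports words
    ("scannerB", "web-01", "FINDING-0001", 8.0),         # scannerB reports 0-10
    ("scannerA", "db-01", "FINDING-0002", "Critical"),
    ("scannerB", "app-02", "FINDING-0003", 4.0),
]
# Assumed asset-to-business-unit mapping (hypothetical).
ASSET_OWNER = {"web-01": "Sales", "db-01": "Sales", "app-02": "R&D"}
# Assumed mapping of word severities onto the 0-10 scale.
WORD_SCALE = {"Low": 3.0, "Medium": 5.0, "High": 7.5, "Critical": 9.5}


def normalize(sev):
    """Map a scanner-native severity (word or number) onto one 0-10 scale."""
    return WORD_SCALE[sev] if isinstance(sev, str) else float(sev)


def aggregate(raw=RAW_FINDINGS):
    """Collect, de-duplicate and normalize findings while keeping provenance.

    Two scanners reporting the same finding on the same asset collapse into one
    entry; the higher normalized score wins and both raw records are retained.
    Returns {(asset, finding_id): {"score": float, "sources": [...]}}.
    """
    merged = {}
    for scanner, asset, fid, sev in raw:
        entry = merged.setdefault((asset, fid), {"score": 0.0, "sources": []})
        entry["score"] = max(entry["score"], normalize(sev))
        entry["sources"].append({"scanner": scanner, "raw": sev})
    return merged


def roll_up(merged):
    """Roll asset-level scores up to business units.

    Each unit's number carries the findings (and their scanner records) that
    produced it, so "how did you get the numbers" can be answered at any level.
    """
    by_unit = defaultdict(lambda: {"score": 0.0, "findings": []})
    for (asset, fid), entry in merged.items():
        unit = by_unit[ASSET_OWNER[asset]]
        unit["score"] += entry["score"]
        unit["findings"].append((asset, fid, entry["score"], entry["sources"]))
    return dict(by_unit)


if __name__ == "__main__":
    for unit, data in roll_up(aggregate()).items():
        print(unit, data["score"], [f[:3] for f in data["findings"]])
```

Summing normalized scores per unit is only a placeholder calculation; the point is that the roll-up keeps its provenance whatever model replaces it.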
We are now in the era of Cognitive GRC, which leverages advanced and emerging technologies such as artificial intelligence (AI), machine learning (ML), natural language processing (NLP) and predictive analysis to transform GRC and transition it into cyber risk governance. Cognitive technologies come closest to human reasoning in solving complex challenges; they bring the data sources together to generate more consistent, accurate and traceable metrics and measures that deliver the visibility needed for risk-based decisions.