RADICL Blog

Part I - Enabling True Risk Ownership

Written by Dustin Mooney | 2025 | 02

Blog Series - Clearing Obstacles to Risk Accountability 

This blog series is a four-part discussion on observed challenges businesses will face with understanding and addressing cybersecurity risk. This is Part I – Enabling True Risk Ownership. 

*No AI was used to generate this content.

Frameworks, Best Practices, and Compliance 

When an enterprise decides to comply with cybersecurity legislation and mandates, it is effectively saying, “We are going to use a guide to help choose and implement cybersecurity best practices that will reduce our cyber risk.” Let us unpack this.  

The list of cybersecurity best practices is nearly endless. A framework or a compliance mandate is a scaled-back selection from that list. Across differing frameworks we observe the same concepts and best practices recurring, and we can think of these repeated best practices as core items. We do not need to recreate the cybersecurity wheel: we know what works, and we can focus on those core items to build an effective cybersecurity program.

Another theme that repeats across best practices and frameworks is that eventually an enterprise reaches an impasse: a set of required controls (best practices) that is far more challenging to implement than the enterprise can handle. Oddly enough, every cybersecurity vendor has a solution to sell for these problems, yet struggles to articulate the why (the risk) for their enterprise clients. Instead of a risk-based approach to these solutions, we run into fear, uncertainty, doubt, and solution-based selling.

Fear, uncertainty, and doubt (FUD) fall apart as a basis for decisions because they are not true measures of risk. FUD treats every cybersecurity problem and challenge as equal, and in that framing we lose sight of what is most important and what needs our attention most. In solution-centric selling, the vendor loses track of the customer's true needs and the cart is placed before the horse. Avoid both problems by making risk-based decisions.

Sliding vs Binary thinking 

We conceptualize much of cybersecurity on a sliding scale and, ironically, avoid binary logic in cybersecurity decision-making. Risk is one such concept. Another is the effort needed to reduce risk. A control that is more challenging to implement demands a higher level of effort, financial investment, expertise and skill, analytical capability, and consistent process adherence. This is the impasse.

“Do what you do best, let others do the rest”  

Have you ever heard that? Staring up the mountain of difficult-to-implement cybersecurity best practices can be daunting, especially when the efforts needed are not in your wheelhouse and hiring a knowledgeable employee who might meet the challenge seems out of reach. How can a CEO or stakeholder know that their cybersecurity representative is handling their risk effectively? Most of the time, they simply assume. Assumption, avoidance, and hope are not effective tools for risk reduction.

Risk Intentionality and Confirmation 

There's no need to think too hard here. NIST SP 800-39 and the related Risk Management Framework (RMF) have done a lot of the heavy lifting in advising how to address risk. Risk reduction takes intentionality and confirmation.

Intentionality in the NIST Risk Management Framework (RMF) is expressed as due diligence and due care. Due diligence means an enterprise acknowledges it has cybersecurity risks and decides those risks are significant enough to act on. Due care is the implementation of cybersecurity best practices that continually identify, assess, and mitigate risk. Compliance effectively states, “We’re making you practice due diligence. Are you practicing proper due care?”

Confirmation is proof and validation that risks have been adequately identified and mitigated to an acceptable level. However, stakeholders often throw confirmation out the window. Why? Cybersecurity is confusing to non-cyber people. So confirmation falls off, validation is not performed, and the stakeholder does not own the risk because it is difficult and overwhelming to understand. The result is a lack of clarity and a set of unrealized risks.

Risk Mitigation, Transfer, and Acceptance Done Right 

Risk treatment is the precursor to risk acceptance and tolerance. It must be done first. Risk treatment looks like:  

  • Identifying risks  
  • Categorizing risks  
  • Quantifying and qualifying risk  
  • Developing a risk strategy  
  • Determining risk tolerance  
  • Implementing cybersecurity best practices to mitigate risk  
  • Recurring (iterative) cybersecurity efforts
  • Tracking and planning  
  • Risk transfer and acceptance  

When a decision maker realizes a cybersecurity best practice is beyond the capabilities of internal resources, they can transfer the responsibility for implementing it. However, once risk treatment is completed, they must take ownership back.

It is common for stakeholders to forget that while somebody else can carry the task of reducing risk for them, intentionality and confirmation remain theirs to reclaim. Above, I mentioned that complex cybersecurity concepts can deter non-cyber people from owning risk. The answer to that challenge is three principles:

  1. A CEO or stakeholder has the right to know what is happening in their cybersecurity program on their behalf.
  2. A CEO or stakeholder should have the right to understand the data, analytics, analysis, and technical procedures performed on their behalf.
  3. A cybersecurity service provider should empower a CEO or stakeholder to investigate their risks, understand their mitigation efforts, and observe a reduced-risk environment.

True Risk Ownership 

Like accounting, HR, logistics, and finance, cybersecurity is now a core business function. Stakeholders will approach their cybersecurity journey through due diligence and due care, or they will be mandated to. Either way, the journey eventually comes to an impasse, where the stakeholder realizes that adherence to, and implementation of, highly challenging cybersecurity best practices is best left to somebody else. As they transfer risk to another company or entity, their journey does not stop. True risk ownership is full visibility, insight, understanding, and tracking of identified risks and their tolerable state.

Far too many cybersecurity providers get this wrong. For RADICL, it’s a core tenet that true risk ownership requires the stakeholder to have the right to know. XTP is purpose-built to resolve this issue: it provides full visibility into all actions taken on your behalf as a trusted client. With that empowerment, partners can move forward with full visibility and control of their cybersecurity program. Want full visibility and simplicity of understanding in your cybersecurity stack? Reach out to RADICL to schedule a demo.

Up Next 

When intentionality and confirmation are skipped, we end up with a fear-based approach to cybersecurity. In the next blog post, we’ll cover how a fear-based approach expresses itself and how it distracts the company from adequately managing risk.