Why More Cybersecurity Tools Aren't Always the Solution: Focusing Your Organization's Cyber Risk Conversation
By Richard Moore III, Managing Director, Alvarez & Marsal
Bottom line; we have become over dependent on utilizing cybersecurity tools to mitigate risk instead of making risk based decisions.
Over the last several decades, organizations have been implementing technologies that have either automated a manual process, enhanced decision making abilities with more precise data, or provided some technological advantage over competitors. A few technologies have changed the way in which we work, and in many cases where we work; such as virtual computing, cloud services, big data, and now products being placed in the Internet of Things (IoT).
While many of these new technologies have driven the total cost of operations down, they have also created process complexities and have transferred and increased costs to other areas, particularly risk management areas. Technology changes that address new business objectives and transformation initiatives have not increased cyber risks to the organization in and of themselves. But, they have provided many organizations with a false sense of security.
Without a mature cyber risk program providing executive management with strategic decision making abilities, an organization effectively begins to expose and erode its capital through unforeseen events and poor purchases.
Organizations that are discussing cyber risk and its impact at the Board of Directors level are better off than the majority of organizations that are not. More than one CEO has said that cyber is the new credit risk, and that it is the single risk that could wipe out an organization’s capital and reserves.
As Boards are getting up to speed in understanding the tools and techniques employed to lessen the risk, a wide gap between what needs to be presented to executive management versus what is currently offered remains. Technology alone cannot solve cyber risk issues. Cyber risks can only be resolved by first understanding the business objectives, working with technology departments to understand the deployment strategy in meeting those objectives and coordinating with compliance, regulatory and privacy departments to lead the creation of a mature cyber risk program.
A well designed cybersecurity and risk program must be driven by the organization’s cyber risk appetite. This involves trying to quantify and qualify the value of assets and determining which of those assists in generating revenue. Completing the valuing of an asset assists with the understanding of the asset’s deprived value or loss of revenue generation. This understanding is critical for better decision making regarding capital expenditures and reserves for cyber risks as well as what needs to be put aside when a cyber interruption precludes an organization from making cyber insurance claims.
"We have become over dependent on utilizing cybersecurity tools to mitigate risk instead of making risk based decisions"
Heads of information security need to have these types of conversations with executive management and directors. Unfortunately, all too many times, the discussion focuses on operational metrics that don’t always add value to decision making and convolute the process. Understanding how to steer the conversation to how or why tools mitigate risks is increasingly important as indications show the cybersecurity market will approach $122 billion by the year 2021, with a plethora of products that will require evaluation and review to approximate best choices.
The growing level of tools and products noise should not divert attention away from the foundational elements and capabilities of cybersecurity and cyber risk programs. Tools and products that don’t fully realize the maturity of capabilities and foundational elements of cyber risk programs may first appear to solve cyber risks, but when implemented they actually increase the resource burden to the company.
For example, if an organization purchases a tool to identify incoming malware, but its cyber risk appetite is set on the exfiltration of information or the lateral movement of malware, it has essentially made an incorrect decision on resources and capital allocations. Additionally, many of these tools are designed with a dedicated interface that is unable to interact with an organization’s current processes or technology environment, thereby increasing the numbers of full-time employees with too specific skill sets to maintain, or additional changes to the technology architecture.
Alvarez & Marsal (A&M) works to decipher the black box of cybersecurity to help organizations make better informed cybersecurity decisions through sound risk management principles. A&M focuses on providing foundational solutions that mitigate risk and ensure appropriate levels of capital reserves while maximizing operational effectiveness. With a hand-on, operational approach, A&M cybersecurity professionals leverage their regulatory and industry experience to address the demands of organizations and to manage cyber and operational risks in a comprehensive manner.
Every organization faces cybersecurity risk; no organization is immune. Each organization must start building foundational cybersecurity solutions by acknowledging its unique portfolio and that it will have different levels of cyber risk maturity compared to industry competitors. Attempting to solve for cybersecurity issues with FEAR (false evidence appearing real), organizations will ultimately continue to fail in meeting regulatory and industry demands, and will not satisfy their own cyber risk appetites.