The following is adapted from Fire Doesn’t Innovate.
It seems like every day we hear news of a well-known company experiencing a data breach. Companies like Yahoo, Target, and Marriott have all dealt with having their users’ private information – user ID, password, and more – stolen by cyberattackers.
These attacks caused so much damage in large part because most companies do not have their main focus on practicing reasonable cybersecurity. The ability to prevent these attacks – or at least minimize the extensive damage through effective detection, response, and recovery capabilities – starts with a Cyber Risk Management Game Plan.
The first phase of assembling that game plan is measuring and scoring your company’s current cyber risks. Your company will encounter unlimited risks, but your resources to manage those risks are limited, so you need a strict method of prioritization.
Here are the eight steps to discovering your top cyber security risks.
Step 1: Widen Your Scope
Before you set the foundation of your cyber risk management game plan, you must widen the scope of what you want to measure and score.
Most companies tend to narrow in on one facet of cybersecurity (typically how their technological defenses can be better) and want to focus all of their efforts there.
Maybe they think they mostly need to pass their PCI-DSS audit, which will protect their customers’ credit card information. Or maybe they’re just so focused on delivering high availability of their IT services there’s just no mindshare or money left to practice their cybersecurity crisis management plan.
You need to measure every facet of your cybersecurity:
- People, process, management, and technology
- All digital assets, including customer data, payroll data, and trade secrets
- Across all departments in the company
Step 2: Get Buy-In
This game plan will not work without buy-in from your employees. Getting buy-in starts with your approach. To get honest responses in interviews and on questionnaires, reinforce the idea that creating a game plan will be a collaborative process.
Make sure your team knows this is not an attempt to catch people making mistakes. Do not use the word “audit”. You will simply be asking questions in order to gather information and find opportunities for improvement. Be open about the process your company is undertaking, and your email communication should reflect that open, collaborative spirit.
You will inevitably get questions in return, many of which will spawn from people’s anxieties about being interviewed. Be sure that your response to those questions reinforces the collaborative nature of the interviews.
Step 3: Select Interviewees
As a general rule of thumb, here’s how many interviews you should conduct:
- Less than $10 million in annual revenue: six people in a group interview
- $10-250 million in annual revenue: fifteen to eighteen in-person interviews
- $250 million to $1 billion in annual revenue: eighteen to twenty in-person interviews
- More than $1 billion in annual revenue: send out a questionnaire
Interview middle managers and other senior-level personnel from your finance, human resources, operations, and IT departments. These people are your cyber risk “experts” not because they have deep expertise with cybersecurity, but because they know what cyber risk practices are actually happening on your front lines.
Step 4: Generate the Questionnaire
The questionnaire that you give employees should look at five functions:
- How well you Identify digital assets and cyber risks
- How well you Protect your assets against those risks
- How well you Detect cybersecurity breaches
- How well you Respond to those breaches
- And how well your business Recovers from those breaches
Use the NIST Cybersecurity Framework as the source of your questions. It’s the best free standard available today to help you treat cyber as a business risk, not merely a technological one. Create questions either from the category or subcategory levels.
Each question in your questionnaire will start with the phrase “How well does your organization…” and the experts will score their response on a scale of 0 to 10.
Here’s how you should view the score ranges:
- 0-4: from no security to some security
- 5-8: minimally acceptable security to fully optimized security
- 9-10: too much security, which is wasteful of time, money, and morale
Step 5: Determine Your Target Scores
The next step is to determine your target score within each of the five functions: Identify, Protect, Detect, Respond, and Recover. You want to be in the 5-8 range for each function, but the target score for each one depends on your company’s priorities.
Here are some approaches you might try:
- Minimum Acceptable Scores: Choose 5’s across the board
- First Responder: move up to 6 or 7 in Respond
- Big City: put a 6 or 7 in both Respond and Recover
- World Class: go with 8’s across the board (note that this is very expensive to achieve and very difficult to sustain)
Regardless of the reasoning, choose your target score for each of the five functions and record them before you begin the interview process.
Step 6: Conduct the Interviews
If possible, have a neutral outsider conduct the interviews. Provide interviewees with a printed score key so they can easily respond to the questionnaire. The tempo of the interview should be very brisk—less than an hour per interviewee. Do not ask the interviewee to elaborate on their scores, but if they do feel compelled to provide justification, be sure to record those answers in a spreadsheet.
If you encounter respondents who say they don’t know anything about cybersecurity, remind them that they are an expert in their own department and that they know more about that department’s practices than anyone else outside of it. Reiterate that you want to collect their score for every question, even if it’s based on a perception or only partial information.
Step 7: Compile and Average the Scores
Once you’ve completed all of the interviews and recorded the scores for every question, your next step is to average them out and compare them to your target scores. You want to perform a gap analysis between your average scores and your target scores for each of the five major functions.
As you study the scores, you’ll see your biggest cybersecurity gaps and rank them one through five, with one being the highest priority.
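The averaging, gap analysis, and ranking described in Steps 4 through 7 can be carried out in a small script. The following is an added example, not code from the book or from Cyber Risk Opportunities; the question wording, the five interviewees' scores, and the "First Responder" target profile are constructed sample data.

```python
from statistics import mean

# The five NIST CSF functions the questionnaire is organized around.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Constructed sample: each question is tagged with its function and holds the
# 0-10 scores given by five interviewees (hypothetical data, not real results).
SAMPLE_RESPONSES = {
    "How well does your organization inventory its digital assets?": ("Identify", [4, 5, 3, 6, 4]),
    "How well does your organization rank cyber risks by business impact?": ("Identify", [3, 4, 2, 5, 3]),
    "How well does your organization control access to customer data?": ("Protect", [7, 8, 6, 7, 8]),
    "How well does your organization train staff to spot phishing?": ("Protect", [9, 9, 10, 8, 9]),
    "How well does your organization detect unauthorized access to sensitive data?": ("Detect", [2, 3, 2, 4, 3]),
    "How well does your organization practice its crisis response plan?": ("Respond", [4, 5, 5, 4, 6]),
    "How well does your organization explain a technology failure to outsiders?": ("Recover", [2, 2, 3, 1, 2]),
}

# "First Responder" profile from Step 5: 5s across the board, moved up to 6 in Respond.
FIRST_RESPONDER_TARGETS = {"Identify": 5, "Protect": 5, "Detect": 5, "Respond": 6, "Recover": 5}


def average_by_function(responses):
    """Pool every score given to every question in a function and average it (Step 7)."""
    pooled = {f: [] for f in FUNCTIONS}
    for func, scores in responses.values():
        if not all(0 <= s <= 10 for s in scores):
            raise ValueError(f"score outside the 0-10 scale in {func}")
        pooled[func].extend(scores)
    return {f: round(mean(s), 2) for f, s in pooled.items() if s}


def gap_analysis(averages, targets):
    """Gap = target - average; positive means below target, negative means above it."""
    return {f: round(targets[f] - averages[f], 2) for f in averages}


def rank_risks(gaps):
    """Order functions by gap, largest first; rank 1 is the highest-priority risk."""
    ordered = sorted(gaps.items(), key=lambda kv: kv[1], reverse=True)
    return [(rank, func, gap) for rank, (func, gap) in enumerate(ordered, start=1)]


def overinvested(responses):
    """Questions whose average lands in the 9-10 'too much security' band from Step 4."""
    return [q for q, (_, scores) in responses.items() if mean(scores) >= 9]


if __name__ == "__main__":
    avgs = average_by_function(SAMPLE_RESPONSES)
    for rank, func, gap in rank_risks(gap_analysis(avgs, FIRST_RESPONDER_TARGETS)):
        print(f"{rank}. {func}: average {avgs[func]}, gap {gap}")
```

With the constructed data the ranking comes out Recover, Detect, Respond, Identify, Protect, which is the pattern Step 8 describes; the phishing-training question averages 9.0 and is flagged as over-invested.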
Step 8: Communicate Your Top Five Cyber Risks
The only thing left to do is look at the data and see what stories they tell you. Most companies are strongest in the Protect function because that’s where they’ve previously chosen to invest their time and energy, and they are often weakest in Detect and Recover.
Historically, IT departments have been measured by their ability to keep tech services up and running. As a result, they are great at detecting outages, but they don’t spend nearly enough energy detecting violations of sensitive data.
Organizations tend to be weak in the Recover function because most companies are not accustomed to having their technological failures laid bare in the public eye, so they haven’t developed the capacity to explain to outsiders why their technology failed.
You have your scores from your questionnaires. What story do they tell you? And, what are you going to do about it?
For more advice on identifying cyber risks, you can download the first chapter of Fire Doesn’t Innovate for free.
Kip Boyle is founder and CEO of Cyber Risk Opportunities, whose mission is to enable executives to become more proficient cyber risk managers. His customers have included the U.S. Federal Reserve Bank, Boeing, Visa, Intuit, Mitsubishi, DuPont, and many others. A cybersecurity expert since 1992, he was previously the director of wide area network security for the Air Force’s F-22 Raptor program and a senior consultant for Stanford Research Institute (SRI).