To manage cyber risk with data under our semi-formal, semi-quantitative approach, we first need a way to measure it.
Because we're taking a managerial approach to our risks, as opposed to a deeply technical one, we need measurements that support management thinking and action, which is what opens the door to making useful changes.
We also need to be able to measure the true nature of security. Let me tell you what I mean.
The True Nature of Security
Most people believe that you can never have too much money. However, it is possible to have too much security (or too little). Look at the left side of the diagram.
You can see that as we go from left to right along the x-axis, we’re spending more and more trying to reduce risk.
Notice that risk does go down rather quickly as we begin to manage it. As you move to the right and enter the green zone, the curve goes lower, and risk levels drop to an acceptable level.
However, as you continue to spend money and add more controls, the risk increases again as you move further to the right and out of the green zone.
Why is that?
Well, past a certain point, security becomes so burdensome that people begin to look for ways around the controls. The controls remain in place on paper, so the people responsible for managing risk can be left with a false sense of security.
False Sense of Security
In other words, risk managers may be spending more resources than are required and getting, in return, a risk level that is worse than it needs to be.
I’m sure you’ve experienced a situation where there was too much security required to get your job done.
Example of Level Ten Security
I’ve seen remote network access systems that were so secure it required four separate, two-factor authentications to reach your data!
It was so complicated and time-consuming that most people didn't use it, which reduced that organization's productivity.
And it caused them to spend a lot of money on a remote access solution that was operating far under capacity.
So, the challenge with security, as with most things in life, is to find a good balance between protection and usefulness.
Now, let’s create a score key that captures these three security states and the need to find balance.
Score Key Explained
Starting on the left:
The scores zero through four, colored yellow, represent various levels of insecurity, ranging from no security at all to some.
The scores from five through eight, colored in green, represent a range from minimally acceptable security to fully optimized.
And scores nine and ten, also colored yellow, represent too much security, which wastes time, money, and morale, just like the remote access solution I mentioned.
Granularity of Scores
Notice there are five possible scores for insecurity, four possible scores for balanced security, and two possible scores for excessive security.
This reflects my experience that we often need less granularity to measure and improve situations that are too secure than we do for the other two possible states.
Only Two Colors
Also notice there are only two colors: yellow and green. This is a result of my emphasis on simplicity.
What do I mean by that?
When it comes to risk management, I’ve noticed people tend to make things complicated.
But too much complexity becomes counter-productive to creating clarity and moving at a brisk pace.
After all, cyber risk is already an abstract and difficult thing for most people to understand, especially executives who set priorities and control your budget.
So, do what you can to keep your risk management work as simple as possible without getting so simplistic you can’t deliver results!
Cyber Risk Opportunities provides middle market companies with cost-effective Cyber Risk Managed Programs to prioritize and reduce your top cyber risks, including the specific requirements of PCI, HIPAA, SOC2, ISO 27001, DFARS, and more.