From cyber-weary to cyber-energised – KPMG

Author: Philip Whitmore, Partner – Cyber Security, KPMG

There’s a rising chorus of “cyber fatigue” permeating New Zealand organisations, as cyber security is starting to become understandably tiresome. This phenomenon arises at a time when avoiding negative PR is paramount for success. As IT professionals concede that a breach is no longer a matter of “if” but “when,” it’s a given that some decision makers are exhausted as they revisit the same discussion over and over again. 

Over the past several years, some of the world’s largest firms and brands incurred cyber breaches that compromised data from hundreds of millions of consumers. It’s an endlessly expanding roster of high-profile security failures; a cascade of vulnerabilities that have heightened the insecurities of IT professionals, who in turn have bombarded the sensibilities of boardroom executives.

The increasing cyber security headlines bring to bear an onslaught of corporate introspection and second-guessing. Boardroom executives across the country start to wonder what the use is. It is a common reaction, not in reference to the devastating impact of breaches, but as a result of media saturation. On any given day, the headlines are replete with stories about companies, irrespective of size or technological capability, that have suffered security breaches. The cumulative effect has begun eroding boardroom vigilance despite the potential effect on brand confidence and income.

Combating cyber fatigue requires a systematic, risk-based approach. Such an emphasis steers attention away from the never-ending appeal for resources and redirects it to an objective assessment that reflects an organisation’s business strategies and innovation, risk tolerance, and unique cyber security costs. The five-pronged approach to combat cyber fatigue includes the following:

1. Make measured investments in cyber capabilities based on risk

As a first step in the process, we must quantify the risk. These risks must be viewed through the lens of cyber threats to business objectives: how does a cyber threat actor interrupt or prevent the achievement of core business goals? Simultaneously, consider which assets are the most critical to enabling these business objectives and evaluate the cyber threat landscape for risks to these key, crown-jewel assets.

The inverse relationship between frequency and impact bears close scrutiny, as it illuminates both the common, expected risks (those that are observable and manageable) and those that occur less frequently: high-impact events with growing uncertainty that test an organisation’s resiliency.

Once the risk is quantified, link decision-making to the amount of risk that the business is willing to assume. For those whose brand reputation is fragile and unable to sustain a sizable interruption, decisions will reflect a risk view that places value firmly in a manageable zone of routine, where losses are minimal and predictable. Some may be able to assume more elevated risk profiles, while others may be able to withstand disasters - extreme events that, though rare, inflict maximum loss.

Finally, once the organisation quantifies risk and makes decisions about its risk tolerance, it should pursue programs that accommodate those perspectives, modifying existing initiatives while undertaking new ones in an ongoing effort to mitigate vulnerabilities. For example, an organisation seeking to expand via acquisition may need to focus on building quickly extensible IT services, including security capabilities designed to be consumed across a number of different platforms, mitigating the risk incurred by a new division’s people and technology. Conversely, an organisation planning a series of divestitures should focus its security efforts on identifying sensitive data assets and on the capability to restrict access quickly following the separation.

2. Regularly measure the effectiveness of your security investments

Most organisations do not fully understand how much they spend on cyber security. It’s not that they are unwilling to determine that cost; rather, the process is fraught with complexities, making it impractical for many to complete it with sufficient precision. As a result, they are unable to produce an operating model that mitigates risk while optimising cost.

The true and total security cost includes those elements that are easy to tally, such as hardware and software components, as well as less tangible elements, such as those tied to third-party contracts (IT hosting, supply chain services), labour, regulatory compliance, and vendor and supplier management, among others. The latter are far more difficult to uncover and tally, particularly in complex sourcing arrangements. For instance, is a patching service level agreement with an outsourcer a component of the security program? What about the cost incurred by vendors to comply with controls required in third-party risk programs?

A complete and detailed capabilities model is required at this stage in the process, defining what will count as a comprehensive analysis across every phase of operations, delivering complete transparency into a firm’s current allocation of resources and a plan of action tied directly to risk tolerance. These capabilities, when tied to the risks they mitigate, enable a comparison of dollar value at risk to cost of protection. These analyses often depend on the use of unbiased and independent third parties, as the results may point towards a drop in spend with some suppliers or even refocused or reduced headcount.

Finally, the assessment is more than a one-and-done proposition and must be conducted regularly in order to provide accurate insights.

3. Develop/align the right cyber risk management model

Once you understand your cyber assets and how they are managed, begin structuring an effective cyber risk management model, one that incorporates fundamental cyber security practices as well as your risk tolerance, all in an effort to maximise your investment. It makes sense to align this with your larger enterprise risk management framework to help ensure consistency in measuring and reporting risks. At this stage, ensure that all stakeholders understand that risks exist, and will continue to exist. What the organisation needs is a process to manage the risks and to clearly understand the residual risks. This process helps ensure that all security investments are tightly coupled with risk mitigation, and that there is a way to manage or recalibrate them on an ongoing basis.

4. Continually update your model to reflect emerging threats

Cyber security is an elusive target, an ongoing challenge that mandates continual vigilance. At the same time, rest assured that, like fraud, cyber security is addressable and manageable. Doing so requires shifting your corporate mindset away from “fix, fix, fix”, an entirely reactive process that will never adequately protect your assets. Instead, accept that it is a systemic business issue that will need ongoing funding to address, adding new capabilities as the need arises. Such an approach shifts the focus from a technology spend and repositions it as an innovation spend, a more practical characterisation that facilitates corporate growth and the ability to evolve fluidly as business models dictate.

Also, consider your assets in the broader context of your business and the true cost of the security services that protect them, allocating resources intelligently and efficiently, while keeping in mind that the allocation will change as your business evolves and grows.

5. Build/promote a risk-aligned security organisation

In addition to the systemic changes around identifying, measuring and managing cyber risks, one of the important but often overlooked aspects is building and continually developing a risk-aligned culture. This often entails a transformation that would shift the focus from security projects and activities to risk mitigation initiatives.

These transformations are successful only if cyber security is elevated to a strategic priority and a top-down focus is established on managing cyber risks through the security program. Any initiative undertaken in the security area needs to be aligned with a risk that is tied to a threat and to a crown-jewel asset or business driver.

Many organisations take this as an opportunity to do a skill analysis of their security teams in order to evaluate readiness to adopt and align with this model.

Philip Whitmore
Partner, Cyber Security
KPMG
+64 (9) 367 5931
pwhitmore@kpmg.co.nz