Beyond Spreadsheets: No formula for excelling at risk
Explore the complexities of risk assessment in the realm of cybersecurity with insights from the Edinburgh Security Leaders gathering. From navigating asset discovery challenges to addressing the human factor in ownership, discover strategies for CISOs to hack through the jungle of risk assessment effectively.
Many boards assume that getting a true picture of risk is a basic task for the security team—a simple case of pointing some scanners at the environment and cataloguing the issues. Unfortunately, security leaders know the truth is anything but. Hampered by business silos, human factors, fragmented technical infrastructure and existential questions over what even constitutes an asset, the output of such initiatives is often an incomplete spreadsheet which dates the second it is created.
How do CISOs hack through this jungle of issues to fully understand risk? This was the topic in question when a group of security leaders gathered in Edinburgh recently to understand the key issues at play.
Asset discovery is complex
Understanding risk first requires a solid grasp of assets. Yet, discussions uncovered that methods for achieving this are often manual, time intensive and knowingly full of known unknowns. Some even talked of team members being tasked with traveling to separate offices to log risk points in Excel.
While a step in the right direction, those present were quick to acknowledge this process produces an incomplete and static picture of a risk which succeeds precisely because it is pervasive and dynamic. While new assets are revealed over time, it is often when they are exposed by Red Teams, or worse, attackers themselves.
This process is made more complex by a lack of agreement across business silos on what qualifies as a business asset—whether human, procedural or technological. Definitions of criticality vary depending on the objective of a function, so any CISO hoping to correctly orient their risk assessment must first get clarity and alignment from senior stakeholders.
Those present also agreed that asset discovery is further complicated by an array of factors unique to each business. For example, organisations which have grown rapidly through mergers and acquisitions (M&A) or cloud-native organisations operating a rapidly iterating culture have very specific issues which frame the entire exercise.
Human nature vs ownership
Those present agreed that, once assets are defined, finding owners for them is easy. However, getting people or teams to take ownership is not.
This belief is founded in the fact that risk culture is still predominantly ‘blame focussed’, making it hard for security teams to apportion responsibility. Unwilling to step up to the plate, many seek easy routes out and defer decisions. One attendee characterised this as “learned incompetence”.
Ownership was a source of friction for all present, and a broad swathe of approaches was discussed. For many, a consultative stance was favoured—providing transparent guidance and arming stakeholders with the facts necessary to make informed, risk-based decisions. At the more pointed end of the spectrum, it was highlighted that exasperated security teams could ascribe ownership of an asset by turning it off to see who gets angry.
Effecting lasting change
It was agreed human issues act as a major drag on strategies for assessing and mitigating risk wholesale.
To counteract this, such initiatives need to be seen less as an investigation to apportion blame and more as collaborative effort to enable business operations.
This is a cultural shift that needs to come from the top.
Effecting this change requires CISOs to convince executive teams by having more relevant discussions couched in non-technical terms. To add impact, stories must be made relevant for each stakeholder. It’s not a network outage, for example, but a total halt on the ability to make trades, fulfil customer orders or keep factories running. Such conversations will impress upon senior teams an understanding of the holistic nature of risk, as well as ensuring this trickles down to an operational level. In turn, this may also have the useful effect of drawing information out from those ‘on the tools’ which can be communicated back up for risk mitigation.
Those gathered also agreed that exercising was a good way to reinforce such messages. Running teams through crisis and incident scenarios not only underlines the importance of risk mitigation by holding their feet to the fire, but it can also help to identify gaps in people, process and technology.
In summary, it was agreed that assessing risk requires a mastery of many different nuances. As with so much in security, the blend of technologies and processes is given shape by human and cultural behaviours. It is also important to acknowledge that this is a journey of constant iteration, rather than a destination that is arrived at. For this reason alone, it is not something that can be captured in a spreadsheet.