There have been numerous articles about the severe cybersecurity skills shortage in government and industry, and the steps being taken to solve it. Almost invariably, these solutions boil down to more support for university cybersecurity degree programs, and more advanced technology (e.g., artificial intelligence). Both have merit and will undoubtedly help, but there’s a third opportunity that goes almost entirely unacknowledged.
When I review cybersecurity programs in organizations today, I often see a tremendous amount of wasted time and energy expended on concerns that shouldn’t be a priority. In fact, the “Top Ten Cyber Risks” list has been wrong in every organization I’ve walked into that has taken the time to create such a list. By wrong, I mean most of the things in their list aren’t risks at all or aren’t their greatest risks. As a result, these organizations are focusing resources on the wrong things. I covered this a bit in an earlier HST article last year.
If that’s the case, a logical argument would seem to be, “Well, getting them to focus on a different top ten list doesn’t reduce their resource needs.” That’s true on the surface, but having an inaccurate top-risk list is symptomatic of a deeper problem, one that does affect resource needs.
What matters most?
Imagine that you had a complex challenge to overcome and someone gave you a list of 105 things you could use in some combination to solve that challenge. The problem is, not all the elements in that list are created equal in terms of their efficacy, and many of them have some level of dependency on other things in the list. Unfortunately, those relative values and dependencies aren’t defined within the list. Furthermore, that complex challenge you’re trying to overcome is a set of distinct problems that aren’t equal in their importance and are addressed to differing degrees by the 105 elements in the solution list.
Without clarity regarding which part(s) of the overall challenge matters most and which elements in the solution list are going to have the greatest effect, the tendency is to treat everything as equally important. As you can imagine, this requires significantly more time, effort and resources than would be required if you could focus on what matters most.
Our complex problem
The complex challenge is cyber risk, which can be broken down into distinct loss event types, or problems to manage, such as outages, information disclosures, data integrity failures, and more. Depending on an organization’s mission, some of these loss event types matter more than others. In addition, some assets within an organization (the “crown jewels”) will be more relevant than others within the context of those loss events. Your list of solution elements is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
The NIST CSF is a great list of control outcome objectives, and I’d argue that it’s the best out there today. However, the problem is applying it effectively — or, more importantly, cost-effectively — within the context of resource needs, which requires being able to prioritize both the challenges an organization faces and the control efforts being applied to them.
The only way to reliably do this is through solid risk measurement which, as we’ve discussed in earlier HST articles, has not been a strength or focus of our profession. To date, simply applying one’s subject matter expertise to qualitatively proclaim high/medium/low risk, or high/medium/low control efficacy, has been considered sufficient. It’s not.
Daniel Kahneman’s book, Thinking, Fast and Slow, provides an excellent description of the perils of applying “gut” analysis (“System 1 thinking”) to complex problems, and Douglas Hubbard’s book, The Failure of Risk Management, provides additional insight into inaccurate measurement beliefs and practices. Risk professionals seeking a well-established framework for objective cyber risk measurement have rallied around the FAIR Institute and Factor Analysis of Information Risk (FAIR), the open, international standard accepted and managed by The Open Group.
At the end of the day…
If we agree that effective cybersecurity is a critical need within today’s increasingly connected world, and we agree that we will always have limited personnel and other resources with which to manage it, then there can be no logical argument against the need to be cost-effective. Being cost-effective mandates accurate prioritization of the risks that we face and the solutions we apply. Organizations should look at the skills shortage as another reason to move to more effective risk management practices.