A common approach that many organizations have been pursuing since 2017 is the development of a risk appetite. Conceptually, this has great promise. In practice, it is falling severely short of the promise in most organizations.
A risk appetite is a representation of the business’s desire to accept risk. This is a modern concept and a reflection of the evolution from checklists to a risk-based approach. It is an important admission that risk is inevitable, and that risk is a tool that can be taken in measured doses to support business success. A clearly articulated risk appetite should give the organization an opportunity to express how much risk it wants, and this can be used to guide cybersecurity investment. All in a business context!
The reality is that many risk appetite efforts have become platforms for the executives to express “yeah, we don’t like risk around here.” And “we have zero tolerance for cybersecurity risk.” But these expressions are largely at the extremes.
The real failure of risk appetite efforts is that a usable risk appetite needs two things most of them lack: a measurable scale of risk, and an underlying governance process that enables effective risk decision making.
Without these basic components, risk appetite statements are doomed to become another exciting approach to risk-based management that falls short of its promise. When concepts like these sit at the Peak of Inflated Expectations, only to fail, they lose their power to do good in the marketplace and are abandoned. When they are revived years later because they are actually very good concepts, people dismiss them and say, “we tried that and it doesn’t work.”
Quantification Is Not a Panacea
Quantification has been growing in interest within the Gartner client base since 2017. It is fueled by completely understandable needs to present risk and security in terms of money (is that a $5 million risk or a $50 million risk?) and likelihood of damage (what is the percentage chance of getting hacked?). Boards are demanding it, and increasing numbers of clients are buying into the idea that this may be the answer they have been seeking.
Quantification has reached a near-fever pitch of inflated expectations in 2020. There are several observations that indicate it will not materially impact most organizations. And we recommend every organization match its interest in quantification against these considerations to determine if it is right for the organization.
First, quantification is an extremely heavy lift. It takes significant resources in time, money and FTEs to develop credible and defensible results, and that investment continues for as long as you want the results to remain valid. Smaller organizations will struggle to gather sufficient data to create credible and defensible results, and they will lack the resources to execute.
While we have fielded hundreds of calls from organizations that are interested in learning more about quantification, a negligible number have reported credible and defensible success to Gartner. The ones that have reported success tend to be extra-large enterprises with sufficient data and resources.
Beware of misuse. We have several examples of organizations that have engaged in quantification exercises that produce exactly what they need as far as charts, evidence of rigor and quantified results. The problem is that down inside their calculations sit assumptions and “expert opinion” that essentially dictate the result. If you use the veneer of quantification only to get what you want, you are lying to yourself and your executives, and you are not supporting improved cybersecurity.
And finally, an organization should assess the value of the results in supporting improved decision making. As part of an evaluation, explore a thought exercise related to how the results would be used. In Gartner’s experience, quantification has shown value in supporting how much cyberinsurance an organization needs, for example. But it does not support daily investment decisions that every organization needs to make related to priorities and investments in cybersecurity.
In the end, quantification may make sense for some organizations supporting certain key investment decisions, and it may be worth the investment. Quantification absolutely will not be the panacea that many people believe it to be.
Internal Audit and Regulatory Compliance Remain as Primary Drivers
Many board-level executives still believe that internal audit and regulatory compliance are their primary guides to address cybersecurity. There are several indicators of this, including:
Cybersecurity board reporting buried in the audit committee
A focus on addressing internal audit findings over building an effective program
The number of organizations where cybersecurity reports into an organization called “audit and compliance” or “risk and compliance”
The checkbox mentality is alive and well in many organizations:
Which framework should I use?
Our program is based on ISO or NIST.
We are seeking program certification.
The limitations of this mentality are well-known. Compliance does not equal protection. Internal auditors should not dictate how much risk is acceptable or which controls are most important. Checkboxes create spend in areas where you don’t need it and take resources away from areas where you do need it.
Real Failures Caused by the Disconnect Between Cybersecurity and Business Decision Making
Gartner’s analysis of Equifax CEO Rick Smith’s congressional testimony following the Equifax hack in 2017 showed a disconnect between what executives believed about the organization’s cybersecurity capabilities and the actual level of those capabilities. This condition is very common in the Gartner client base. The final House subcommittee report issued in December 2018 indicated that “Equifax’s CEO did not prioritize cybersecurity.”
These disconnects should create a wakeup call for CIOs, CISOs, and executives to the critical need to address cybersecurity in a business context and as a business decision. Use the following examples in an executive narrative to illuminate the risk of cybersecurity to business outcomes beyond hackers and data breaches.
Cybersecurity remediation can worsen heart attack outcomes. A study funded by the U.S. National Science Foundation highlighted that the cure may be worse than the disease: “Breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes.” Corrective actions are intended to remedy deficiencies in the privacy and security of protected health information, but remediation activity may introduce changes that delay, complicate or disrupt health IT and patient care processes. After data breaches, as many as 36 additional deaths per 10,000 heart attacks occurred annually at the hundreds of hospitals examined.1,2
Uninformed acceptance of risk. A banking executive chose to ignore a risk assessment recommendation for multifactor authentication on a new customer-facing online banking application. The executive had the authority to make that call, and ironically, it may have been the right business decision to protect customer experience. The failure is that this executive had neither an understanding of nor accountability for the security of the application.
Engineering failure in a cyber-physical system. A field engineer gathered configuration telemetry from a large field installation across several acres of large moving machines. The information was fed into a simulation program back at the manufacturer’s headquarters. Due to a misconfiguration, the simulation program began reconfiguring the live field installation hundreds of miles away, risking millions of dollars in damage and human safety. All the field techs shared the same ID, and there was no consideration of security in the product management process.
Cybersecurity as an existential threat. The manufacturer of a device used on shop floors globally had ignored cybersecurity in the development of its internet-connected product. The foundation software was open source and riddled with vulnerabilities, running on top of a fully functional and completely unnecessary operating system. Criminals on the dark web catalogued every one of its devices exposed to the internet, and the company’s product became a host for every imaginable cybercrime, from money laundering to distributed denial-of-service bot controllers. The executives were notified but did not care, because none of their shop floor customers complained. This is a business waiting to be sued out of existence for liability.
Lack of executive understanding related to third-party risk. A financial services organization, with full support of the board, decided to pursue a business strategy of outsourcing many of its business functions. The security team established a rigorous assessment process to inform business decision makers about security risks and to make go/no-go recommendations on working with certain partners. A business decision was made to engage one particular partner, despite a material recommendation to not engage that firm due to security weaknesses. Six months into the engagement, the company suffered a material breach for the same control weaknesses that were raised in the recommendation. The board held the security officer responsible for the failure. Follow-ups with the board focused on improving the board’s understanding of third-party risk and emphasizing the impact of business unit decision making on material security posture.
These examples show that business decision making — disconnected from the realities of business impact — can lead to serious business harm. These are the situations that matter, but executives are distracted by compliance, hackers and how much they are spending.
Broken governance is a business decision that impacts cybersecurity readiness, but is made with no consideration of that impact. We have forms that executives sign to “accept the risk,” but mostly those forms are not worth the paper they are written on. There is little or no accountability, and in Gartner’s experience, there is little evidence that the risks are described appropriately in a business context. So, the executives don’t really understand the risk they are signing off on.
Non-IT executives don’t typically inquire or insist on certain levels of security in the technologies that support them. For them, security just comes with the technology, because “what idiot would build an unsecure system?” If IT and security people engaged them over their desired levels of security, they would discover that implementing that level of security would increase their cost, lengthen their delivery schedules and negatively impact functionality, including customer experience. So those conversations generally don’t happen.
This disconnect between executive decision making and effective cybersecurity is what should keep executives awake at night. And it should focus their attention on new ways to approach the problem. The first critical step is to create a business context around cybersecurity.
To create a business context around cybersecurity, you have to first understand the business context of your organization. Every organization — public, private, for profit, not for profit, charity, governmental, defense and nongovernmental organization (NGO) — has a business context. They all have budgets and costs, desired business outcomes and supporting business processes, sources of revenue and customers. And they all have technology dependencies.
These dependencies create a need for investment to protect the technologies that support their business outcomes. Understanding an organization’s most important outcomes, the processes that deliver them and the technologies those processes depend on is the first step in putting a business context around cybersecurity.
The Limitations of Current Standards, Frameworks and Maturity Models for Cybersecurity
Cybersecurity standards and frameworks are published recommendations to secure an environment. There are dozens of them, including the most popular, the NIST Cybersecurity Framework and the ISO 2700x series.
The principal objective of these standards is to reduce cybersecurity risks. They generally include collections of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best-practice assurance and technologies.
Process maturity models use the guidance in the standards and the frameworks to extract best practices and techniques in determining capability levels. Together, they guide priorities and investments to achieve desired levels of cybersecurity capability. Their biggest limitation is that maturity models measure how good capabilities are, not what they are achieving!
As organizations achieve higher maturity, these maturity models, frameworks and standards begin to lose their value. Around a maturity level of 2.5, they become poor guides in helping an organization determine further priorities and investments. Above 2.5, the complexity of potential investments must be crafted more closely to the context of the organization.
Regulators have also signaled that cybersecurity capabilities must have characteristics beyond those commonly represented and audited in maturity models and existing standards.
Maturity models have helped organizations prioritize billions of dollars in spend over the last two decades, and that has netted admirable results. Gartner maturity data shows industry averages ranging from 2.6 to 3.6, which is above the point where these models stop providing useful guidance. Organizations now need something more powerful, with a direct line of sight to delivered levels of protection.
Outcome-Driven Metrics for Cybersecurity
Organizations struggle to determine the right amount of cybersecurity protection and investment. They need to shift to measuring levels of protection to guide investment.
In 2020, typical security audits focus on the existence of controls. An assessment of an audit standard for the NIST Cybersecurity Framework showed that 73% of the audit questions are related to the existence of controls, not their performance or levels of protection.
Outcome-driven metrics (ODM) for technology risk are an abstraction of tools, people and processes that reflects how well an organization is protected, not how it is protected. ODM can be used to enable more effective governance over cybersecurity priorities and investments. ODM creates the language necessary to have meaningful business-focused conversations with executives and boards.
The CARE Standard for Cybersecurity Readiness and Investment
Elizabeth Denham, the U.K. Information Commissioner, clarified in July 2019 that the severity of GDPR fines following major breaches is not related to organizations getting hacked or the number of people impacted; there is an expectation that organizations will be hacked.3 Society may suffer a double standard where it expects digital banks to be perfect, but the regulators do not.
The commissioner clarified that the severity of fines is related to the presence of adequate, reasonable, consistent and effective controls. Gartner believes this to be the best available signal from a regulatory authority for determining how much security you need. This clarification offers the opportunity to define a new standard based on a new way to approach appropriate levels of protection (see Figure 1).
Figure 1: The CARE Standard for Cybersecurity