The Challenge
Focus. It’s a critical quality every organization needs when it comes to managing information security and operational risk, but it’s something that very few do well.
The reason is simple — focus requires that an organization identify the few most critical elements of their risk landscape, which can only happen when it can compare elements effectively. Unfortunately, every single organization I’ve encountered in the past two years has been unable to do this well.
For example, the list below is representative of the “top ten cyber risks” that several large organizations have shared with me recently. (Any similarity to your organization’s list is purely coincidental.)
- Mobile technologies
- Cloud computing
- Cyber criminals
- Third-party risk
- Social engineering
- State-sponsored hackers
- Web application vulnerabilities
- User awareness
- Data leakage
- Insider threat
At first glance, most people would look at this list and nod in agreement that those seem like significant cyber risks. Maybe, but now answer the question, “Which are the top three risks in this list?” — and then defend your answer with a straight face and in terms that are meaningful to business colleagues. Extend my question to include, “… and what were the 11th and 12th risks that didn’t make the list?” and things become even more interesting. I have yet to hear a cogent answer when I challenge someone in this manner. Generally I get deer-in-the-headlights looks followed by a lot of hand-waving and “It’s complicated.” That being the case, what are the odds that these organizations are focusing on the most important elements of their risk landscapes?
Apples and Oranges
A first principle of prioritization is that comparisons can only be made between things that are fundamentally similar to one another and/or can be evaluated using a common unit of measure. Unfortunately, the list above is a grab-bag of different risk landscape elements. For example, mobile technologies are just that — a technology, while cyber criminals are a specific community within the overall threat population, social engineering is a method used by various threat communities, and web application vulnerabilities are an example of weaknesses within a specific part of the technology landscape. Clearly, these are not fundamentally similar to one another, which means that in order for us to compare them we have to be able to evaluate them using a common unit of measure.
To be continued in Part 2 next week.