When I was recently asked to write a blog post making cyber and technology risk predictions for 2018, I balked. If you’ve read (and you should read) Superforecasting: The Art and Science of Prediction (Dan Gardner and Philip Tetlock), you’ll understand why.
Most (almost all) such forecasts are garbage — they word the forecast in a manner that makes it all but impossible to be certain whether they were wrong or right. I simply didn’t want to add to the noise. After thinking about it though, I decided I did have something to say about what we can expect to see in 2018.
Forecast #1: Breaches
Duh. There will be more of them, both large and small. The big ones — especially if they’re as poorly handled as some have been — will draw outrage, calls for heads on platters, more stringent regulatory requirements, and stiffer non-compliance penalties and lawsuits. But that’s not my point or my prediction. My prediction is that if you looked into the root causes behind those events you’d find the organizations shared many of the same characteristics:
- Their risk registers are loaded with audit findings and other control failure descriptions rather than risks.
- “Risk” severity is rated by people who may be brilliant at security architecture, auditing, application security, etc., but who have no training or tooling for risk analysis.
- They have hundreds or thousands of unpatched “critical or high risk” vulnerabilities, many of which, if you really examined them, don’t come anywhere near being high risk.
- They spend a lot of time and effort on compliance.
In other words, they all will have a huge signal-to-noise problem — i.e., an inability to prioritize effectively due to an inability to measure cyber risk effectively. They’re drowning in a risk swamp that they don’t know how to drain, and their compliance efforts don’t seem to be making a material difference.
One other characteristic I can almost guarantee you’ll find in these organizations is that none of them do true root cause analysis for the control deficiencies they experience. As a result, they play whack-a-mole on one or more (probably more) fundamental and systemic security problems.
Unless/until compliance requirements begin to focus on the fundamentals of making well-informed decisions and ensuring reliable execution (see the 2017 Risk Management Maturity Benchmark Study), their effect is likely to be as detrimental as beneficial. Yes, a heavier hammer will incentivize organizations to work harder, but it won’t drain the swamp. In fact, it often adds to the swamp by requiring more things that simply aren’t cost-effective from a risk management perspective.
Of course, breaches can (and will) happen to organizations that do have mature cyber risk management practices and that don’t resemble what I described above. It’s just much less likely.
Forecast #2: Progress
The good news is that the cyber and technology risk industry is coming around to the need for more mature — rather than just more — risk management practices. Evidence that I’m seeing on this front includes:
- The increased focus on analytics and risk in conferences, books and papers
- Inclusion of FAIR and quantitative risk measurement expectations in proposed new regulations
- Rapid increase in FAIR Institute membership
- More organizations actively looking for professionals who have FAIR certifications
- Many more universities upgrading the risk component of their security curricula to include FAIR
- Major security technology providers shifting from focusing on compliance/security to risk
- Standards like NIST CSF beginning to emphasize risk rather than compliance
So despite the challenges that prevail today in our profession, I’m hopeful for the future. Will we magically turn some corner in 2018? Probably not. But it seems pretty safe to say that the risk bus is leaving the station, so the question is whether your organization is going to be on that bus or under it.
You can make a difference not only for your organization but for our industry as a whole by becoming an active advocate. Join the FAIR Institute if you haven’t already, start a FAIR chapter where you live, write, and speak at events.
Help drive and fuel this bus by raising the bar for those around you. When you hear someone proclaim something to be high/medium/low risk, ask questions. What EXACTLY is it that they're measuring? Is it even a "risk"? What were their assumptions? Are their estimates calibrated? What does high/medium/low mean?
Be aware that many people won't appreciate being faced with these questions because they won't have good answers, so sometimes you may have to be gentle in order to prevent them from digging in their heels. Properly applied though, the discomfort they experience will drive them to evolve. Hang in there with me and together we can move the needle even faster.
Have a wonderful and safe holiday and New Year!
Jack Jones is Chairman of FAIR Institute and creator of Factor Analysis of Information Risk (FAIR), the leading model for quantitative analysis of cyber, technology and operations risk.