It has been a while since I last touched on GDPR and the Privacy Act’s impact on Australian businesses in Part 1. In Part 2, I extended the study to explore the business imperatives for company boards to come to grips with the ISMS challenges. I also unpacked a way we can ‘lock in’ annual security funding. Today, with just a couple more days left in 2018, I thought it would be helpful for our readers to examine some of the real challenges in prioritising ISMS controls.
Certifying your organisation to an international best practice standard, ISO 27001:2013 for instance, is only part of locking in the funds. Yes, such a certification immediately facilitates access to tenders and international markets. However, notwithstanding these demonstrable benefits, the last barrier is justifying these investments in cybersecurity to the boss.
We all know that ‘minimising financial losses’ is music to their ears. The real question is this: “is there a simpler way of putting a dollar value on risks?” Over the last few months, there has been an increase in chatter, especially amongst financial institutions, about the Open Group FAIR framework. It seems to provide a structured and community-vetted approach to cyber risk quantification for communicating risks and prioritising mitigation efforts. It allows us to calculate the Return on Investment (ROI) on cybersecurity controls.
APRA CPS 234
The Australian Prudential Regulation Authority (APRA) released the Prudential Standard CPS 234 on the 7th Nov 2018 with the following stated objectives:
to clearly define information-security related roles and responsibilities;
maintain an information security capability commensurate with the size and extent of threats to their information assets;
implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
promptly notify APRA of material information security incidents.
“By introducing CPS 234, APRA aims to ensure all regulated entities develop and maintain information security capabilities that reflect the importance of the data they hold, and the significance of the threats they face.” - APRA Executive Board Member Geoff Summerhayes
The standard is not prescriptive in how to dimension or quantify these security capabilities. Such dimensions must reflect the nature of the regulated entities and their operative environment. FAIR is one such framework which clearly and consistently quantifies business impacts attributed to the cyber risks identified from cyber risk assessment processes through ISO 27001 or NIST CSF, etc.
Their ISMS prioritisation decisions should reflect such dimensioning. It is no longer sufficient just to perform a security risk assessment and penetration testing and then adopt the recommendations. It is important to justify the prioritisation of these recommendations.
Denny Wan, the FAIR Sydney Chapter Chair, explains the heat in this next section.
It is hot! Where is the heat map?
A common prioritisation approach is to map the risk assessment results in heat maps such as this:
Heat maps are a proven way of comparing risk and remediation options belonging to a similar context and assessment level. Unfortunately, they often fail to provide a useful means of comparing dissimilar items. For example, the findings from a penetration test ranked as “high” may be of lesser importance than a “medium” PCI DSS gap to compliance-focused business executives.
There is therefore a recurring problem, known by most if not all risk practitioners: the need for a common language to better quantify risk and enable business decisions (and therefore the prioritisation of controls).
Quantitative Risk Paradigm
This paradigm shift from qualitative to quantitative cyber risk management shouldn’t come as a surprise given the “ASX 100 Cyber Health Check Report” released in April 2017, noting that 68% of directors consider the cyber risk to be extremely important. Moreover, 32% of companies admitted to having only a limited understanding at the board level of the extent of information shared with third parties. Indeed, only 37% have a clear understanding of their information assets. CPS 234 firmly puts the cyber risk on the enterprise risk management agenda under Prudential Standard CPS 220. Cyber risk is no longer just an IT problem.
This is a global trend. For example, the US Securities and Exchange Commission (SEC) issued a cybersecurity disclosure guideline in Feb 2018. The focus goes beyond disclosing cyber-attack incidents and also includes ongoing cyber risk management procedures, with an emphasis on reporting material risks and breaches and the associated costs. The SEC is setting a new measurement standard by which the 'costs' or losses associated with cyber risks and breaches need to be assessed in monetary terms, to determine the significance of their impact on businesses and their shareholders.
If open and clear communication of the prioritisation decision is the objective, using an open and globally vetted cyber risk quantification framework such as the Open Group FAIR framework would provide a good foundation. In Part 2 of Shamane's series of articles on the ISMS journey, she has already explored some fundamental concepts around FAIR such as calculation of ROI for cybersecurity controls. I will leave the reader to refresh on the topic.
Prioritisation Decision based on Quantification
Quantification of risks can support the prioritisation of decisions both in the risk scoping phase and in the selection of recommendations as depicted below:
Targeted scoping helps to channel the risk assessment effort to address high business impact risk areas, e.g. to assess what matters most first. For example, in scoping a Red teaming exercise, the aim is to simulate a team of skilled and motivated attackers. It requires thinking outside the box like a potential attacker, combining intelligence gathering, social engineering, hacking, physical intrusion and other deceptive techniques to compromise the defences and gain access to your most critical information. The FAIR (Factor Analysis of Information Risk) based quantification process provides a structured way to decompose the risk to identify these potential attack and defense Factors.
Similarly, once the Red team exercise is over, the selection of remediation options requires consensus built on the communication of the business value of the proposed solution to all stakeholders. Quantification of the business value translating into financial impact and ROI using FAIR creates a business friendly language which is better understood by most stakeholders without any requirement for expertise in cyber risk management.
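To make the heat-map problem and the ROI argument above concrete, here is an added example (not from the article or the FAIR standard) that ranks a “high” penetration test finding against a “medium” PCI DSS gap in dollar terms. All figures are constructed; the triangular distributions, the frequency-only effect of each control and the ROI formula (risk reduction minus cost, divided by cost) are simplifying assumptions.

```python
import random
from statistics import mean

# Constructed inputs (illustrative only). Ranges are (min, most likely, max).
FINDINGS = {
    "Pentest finding rated HIGH": {
        "events_per_year": (0.05, 0.1, 0.3),
        "loss_per_event": (20_000, 50_000, 150_000),
        "control_cost": 30_000,
        "frequency_reduction": 0.8,  # assumed effect of the remediation
    },
    "PCI DSS gap rated MEDIUM": {
        "events_per_year": (0.2, 0.5, 1.0),
        "loss_per_event": (100_000, 250_000, 600_000),
        "control_cost": 40_000,
        "frequency_reduction": 0.6,
    },
}

def simulate_ale(freq, loss, trials=20_000, seed=1):
    """Monte Carlo estimate of annualised loss: event frequency x loss magnitude."""
    rng = random.Random(seed)  # fixed seed so runs are repeatable
    samples = sorted(
        rng.triangular(freq[0], freq[2], freq[1])
        * rng.triangular(loss[0], loss[2], loss[1])
        for _ in range(trials)
    )
    return {"mean": mean(samples), "p90": samples[int(0.9 * trials)]}

def prioritise(findings):
    """Rank findings by ROI of their remediation instead of by heat-map colour."""
    rows = []
    for name, f in findings.items():
        before = simulate_ale(f["events_per_year"], f["loss_per_event"])
        residual = tuple(x * (1 - f["frequency_reduction"]) for x in f["events_per_year"])
        after = simulate_ale(residual, f["loss_per_event"])
        reduction = before["mean"] - after["mean"]
        roi = (reduction - f["control_cost"]) / f["control_cost"]
        rows.append({"finding": name, "ale": before["mean"],
                     "p90": before["p90"], "reduction": reduction, "roi": roi})
    return sorted(rows, key=lambda r: r["roi"], reverse=True)

if __name__ == "__main__":
    for r in prioritise(FINDINGS):
        print(f"{r['finding']:<28} ALE ${r['ale']:>9,.0f}  P90 ${r['p90']:>9,.0f}  "
              f"ROI {r['roi']:+.0%}")
```

With these constructed inputs the “medium” compliance gap carries the larger annualised loss and its remediation pays for itself, while fixing the “high” finding costs more than the loss it avoids.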
Getting Started with FAIR
The FAIR standard is available for download for free from the Open Group web site. The FAIR Institute provides excellent resources to learn the FAIR analysis. Membership is free to qualified risk professionals. Applications are available here. Global membership has seen a 25% increase in just the last 6 months from 3,000 to 4,000. Australian members can also join the Australian FAIR Chapters LinkedIn group to be informed of activities of the local chapter. There are currently chapters in Sydney and Melbourne.
About the Authors
Shamane Tan is the APAC Cyber Security Advisor at Privasec, a leading and independent Security Consulting Firm. She has worked with exciting start-ups all the way to global organisations extensively in the Asia-Pacific region. Shamane advises the C-Suite and IT Executives on their business security posture and the reality of the challenges they face from regulatory issues and cybercrime. She is also the founder of the Cyber Risk Meetup which is in four major cities in Australia, as well as in Singapore. Her meetups offer Security Enthusiasts and Executives a unique platform to impart and exchange innovative insights.
Denny Wan is the principal consultant of Security Express and has a deep expertise in cyber risk quantification. He is the chair of the Sydney Chapter for the Open Group FAIR cyber risk framework. Denny has a strong business focus and is a certified CISSP and PCI QSA, as well as being MBA qualified. He advises clients on IT security policies, infrastructure design and architecture roadmap developments.