A grasp of risk
There is a new conversation happening in relation to risk, and it is wider than pure security, finds ALEX MEEHAN
11 December 2018 | 0
Since the 1960s large companies around the world have enjoyed the benefits of digitising their business processes. Information technology has made them more efficient, greasing the wheels of their operations, and they have come to rely upon it.
However along with all the benefits, technology has also brought headaches and chief among them is cyber security — a thorn in the side of businesses everywhere. The potential costs and reputational damage of losing data, being hacked, suffering a DDOS attack or even just of having staff make off with commercially sensitive data when they leave has meant that companies have had to adopt a new risk-based approach to security.
This approach has involved looking at security in a holistic manner, assessing threats and vulnerabilities upstream and downstream so that organisations can prioritise and mitigate risks. But it is no longer the 1960s, and today companies of all sizes are just as dependent on IT as the big guys used to be.
The result is that lots more companies have had to learn how to adopt a risk-based approach to security. Now that technology is so deeply embedded in the business processes used by almost all companies, some people are asking the question, is it enough to apply this holistic philosophy to just security?
Should it apply instead to all aspects of IT?
“When you look at IT security, both in theory and in practice, everything you do should be driven from the perspective of risk. But the reality is that for many companies that just isn’t how they do things,” said Chris Davey, security lead for Accenture Ireland.
“The three reasons organisations usually give for implementing IT systems is that they’re going to help make money, they’re going to help save money or because the government tells them they have to. Those aren’t risk-based motivations.”
However, Davey says that companies should asses the security risks and threats they perceive against any IT system and not treat security as a separate activity.
“If I’m implementing an AI chatbot to give my customers a better experience and to allow me to reduce costs in my call centre, that’s not driven from a risk perspective, it’s driven from a functionality perspective. But that doesn’t mean it doesn’t pose a risk if something happens to it,” he said.
The world is becoming far more dependent on IT and Accenture see a major trend towards the blurring of boundaries between the physical and the virtual.
“For example, take the Internet of Things – it and many other technologies all point towards the fact that more and more of the things we interact with in the real world are in fact being driven by IT. If things go wrong and these things fail, there are increasing risks to data and to physical things, ultimately up to and including people’s lives,” said Davey.
“But whenever we become more dependent on technology, it always presents new risks. For example, it’s been shown that self-driving and IT assisted cars are safer to drive, that the number of miles driven per fatality is significantly less, and statistically speaking this is a technology that can save lives. However, if it goes wrong it can also cost lives so it’s critically important to get it right.”
The message is simple. Many, maybe even most, opportunities present risk and mitigating against those risks is the sensible thing to do.
“We don’t throw out technologies because they present risks, any more than we don’t drive cars or fly in planes even though those can be fatal if something goes wrong. Instead we mitigate against those risks,” said Davey.
Accenture thinks that the risk-based approach to IT is becoming more common, and as evidence it points to the changing perception in the market of the importance of the chief information security officer (CISO).
“Starting around 2015, the CISO role started to change. Up to that point, that role was strictly seen as a technology job but that is changing and it’s becoming a business advisory role. We’ve done quite a lot of research around this and the way in which, for example, this role is discussed in the press has changed quite a bit since 2015,” said Davey.
“Our point of view is that there are very significant benefits to the organisation from bringing in the person who is best able to understand cyber and security risk right at the very beginning of any initiative that the organisation is undertaking.”
This is a sentiment that Hugh Callaghan, associate partner and cyber security leader for financial services company EY agrees with. He thinks that the risk-based approach makes sense wherever there is a finite amount of resources to spread over a significant proportion of the tech estate.
“If you don’t take a risk-based approach, then the likelihood is that you will not cover the things that are important to the business and that you may find gaps or redundancies in what you do,” he said.
The guiding principle here is that your strategy should involve an understanding of what is really important and critical to the business.
“It’s about asking what assets do we have and what servers must we protect, in other words what is the life blood of what we’re doing? And then asking what could disrupt those and what could put them at risk? What threats are there towards those. And then as a third step, determining your risk appetite,” said Callaghan.
“With just those three steps you have the basis of a risk approach. That applies to cyber security, it applies to regulatory risk, it applies to a whole variety of things.”
Taken on one level, the risk-based approach to IT management seems like common sense. Why would any company not attempt to guard against potential problems that could occur to disrupt its IT function and hence it’s business?
Not so simple
The reality is that life is rarely so simple. Budgets get decided on any number of basis, and human beings often do what they think is best without really taking a step back and looking at the potential consequences if something doesn’t work out.
“Instinctively organisations have a number of priorities at any given point. Their natural budgeting cycle leads to an effect where when they’re presented with their priorities for the forthcoming year and they’re allocating resources, against say personnel, financial budgets, change or maintenance then the business priorities are reflected in where those investments go,” said Callaghan.
“But when there isn’t a holistic view and the list from which they’re choosing where to spend their money isn’t a complete one, that’s when you get gaps. For example, a technology that’s flavour of the day might consume a disproportionate amount of the budget, leaving the business exposed in other areas.”
The big challenge here is that there can be many competing priorities. Take the changes that have happened in many industries in managing risk over the last couple of years, particularly in financial services. Take the changes in privacy legislation and the effect of the GDPR and ongoing efforts to embed that change.
How do you prepare for these things and what are the implications?
“There’s risk involved in taking a short-term view of ‘what do we have to do from a compliance perspective, what do we need to react to over the next year’, versus ‘what is the business need and where are we going over the next three to five years’,” said Callaghan.
“You should be trying to invest ahead and making sure that the investments you make this year aren’t too tactical, in other words that they produce benefits that are broader than just the question that is right in front of you today.”
Despite the ‘common sense’ nature of taking a risk-based approach to IT, often common sense is in short supply from an organisational point of view. According to Rita Martin, sales director of Red Flare, IT security as an area of specialisation is changing and evolving into the area of general risk and compliance, and security is really only a part of this.
“IT security is still an issue but it’s increasingly just part of an overall risk-based approach to business management. Companies are realising that if they took a risk-based approach not just to IT but to all aspects of their business then they would operate in a much more stable and structured manner,” she said.
Following best practice involves taking this approach and in Martin’s opinion, companies that take what they do seriously will ‘get’ this immediately while others won’t.
“Take the issue of managing third party providers – we recently worked with an organisation where I asked the CEO ‘roughly how many vendor suppliers or third party companies do you think you have?’. He thought he had around 80, but in the end it turned out to be 152 suppliers,” she said.
“In turn, we then asked how many of those had been audited to make sure that the data being handed off to them was secure? The answer was none. The reason that situation had occurred was because of a lack of a risk-based approach.”
While much has been written about the difficulties of implementing the general data protection regulation (GDPR), Martin thinks it has been a positive force for change in the Irish market, forcing companies to engage with their risk profiles in a way they previously have not.
“You are obliged to make sure that you do proper due diligence to the best of your ability on your third-party providers. That’s the law. If you have engaged with a supplier then you have to make sure that they have in turn done everything to make sure that their IT infrastructure is secure and that data is handled properly,” she said.
“For example, if you employ third party IT service suppliers to come into your company and deliver services, then I can pretty much say with 99% certainty that their staff have not undergone confidentiality and data security training. You’re liable for their attitude to your data and not enough companies realise that.”
The reality is that the world has changed and the degree to which companies depend on IT, and hence the risk potential problems related to IT pose, has also changed. Haroon Malik, cyber security consulting director with Fujitsu argues that the way in which companies respond to this change must also change.
“Traditionally organisations were used to adopting the standard waterfall approach and the standard compliance-based approach. Now it’s 2018 and from here on in, they really can’t afford not to adopt a risk-based approach and the reason is that there are more threats facing them than there were in the past,” he said.
“The way you tailor your IT, strategise and plan has to have that risk-based approach embedded at all stages of the IT lifecycle. Risk shouldn’t just be a bolt-on aspect of what you’re doing, it needs to be fully ingrained.”
Malik’s argument is that traditionally, when it came to risk management and the IT lifecycle, companies have been very good at identifying risks but quite poor at mitigating those risks throughout the whole IT lifecycle.
“The IT environment is changing quickly but when we design IT systems and implement software, hackers know how to get into those software systems — they’ve already designed exploits to break them down. More often than not, awareness and culture is the best defence,” he said.
“You need to ask yourself how are we changing mindsets within our employees and driving a behaviour of risk awareness within our organisations? Only when you get behavioural change, that’s when you see a real improvement in the human element of IT security.”