By: Greg Crabb, Founder and Principal of 10-8
Cybersecurity professionals everywhere find themselves in a precarious situation, grappling with two major forces that will continue into 2023:
- Pressure on corporate budgets from a tightening economy
- The rise in cybersecurity attacks from nation-state actors
These challenges are common among my clients. Many of them are looking for ways to address financial scarcity while trying to protect their organizations from evolving global threats. I’m advising them to use cybersecurity risk levers to find greater efficiencies in their programs and reduce costs.
Quick story: I had the good fortune of building and leading a cybersecurity program at one of our nation’s most recognized and beloved brands: the U.S. Postal Service. Although it generated annual operating revenue of more than $70 billion, the agency was known for its financial challenges, often making front-page news.
During my six years as CISO, the Postal Service consistently ran at a multi-billion-dollar loss. These dire financial conditions forced me to develop new skills and methods to sustain — and grow — my cybersecurity program. My team and I did this by using key cybersecurity risk levers.
Here are six cybersecurity risk levers we put into action:
- Confirm the list of high-value assets and services with your organization’s leadership. Leadership may be deemphasizing or sunsetting non-profitable lines of business to get through these tough economic times. Sponsorship and funding for cyber resilience activities should be based on the assets and services that leadership views as the ‘Crown Jewels’ of the organization.
- Reconfirm your risk measurement criteria. Risk measurement criteria are objective ways for the organization to evaluate, categorize, and prioritize cyber risks. Without these criteria, you have a difficult time consistently gauging the potential effect of a particular cyber risk. Organizational impact areas can include reputation and customer confidence, financial health, safety and health of staff and customers, and legal penalties. It is important for the organization’s leadership team to confirm the specific measures of impact: high, medium, low, etc.
- Apply a systemic approach across your organization’s business impact and risk assessments to find efficiencies. Business impact assessments are driven by the criticality and sensitivity of information and application assets. Risk assessments need to consider threats and vulnerabilities. Organizations should conduct frequency and severity evaluations across these assessments to identify patterns that can be addressed systematically in the organization.
- Gain efficiency by ensuring a complete collection of your organization’s risks. Random and incomplete methods for risk collection are inefficient and lead to inefficient risk mitigations. Many techniques can be used to identify risks, such as using questionnaires and surveys; using tools, techniques, and methodologies, such as information security risk assessments; performing internal audits; performing scenario analysis; and using lessons-learned databases, such as the incident knowledge base.
- Use likelihood, severity, and impact to obtain critical resources to mitigate the risks. Risk statements help you articulate the context, conditions, and consequences of risks. Your risk statements should include information about the asset affected (people, information, or technology), weaknesses or vulnerability of the asset that could be exploited, actors who would exploit the weakness, the undesired outcome, the likelihood of the risk being realized, the consequences to the organization of the undesired outcome, and the severity of the consequences.
- Evaluate the financial efficiency of sustainment strategies for assets and services. You should consider using a variety of Lean Six Sigma techniques to drive efficiency into your sustainment strategies. Seek out and eliminate the eight types of waste in your information security practice. For example, you could look for areas where you are over-processing and eliminate unnecessary steps.
You can use these risk levers within your cybersecurity program to effectively respond to the evolving needs of your business, achieve financial stability, and secure your organization from bad actors.
Greg Crabb is the Founder and Principal of 10-8, a former strategic advisor to CISA, and ex-CISO of the US Postal Service. He is a respected and sought-after advisor to organizations seeking to protect digital assets and to develop and apply best practices and pragmatic cybersecurity strategies.