How do you measure how well your organization handles cyber risk? How healthy is your organization’s approach to cybersecurity governance?
Determining the “health” of your cybersecurity strategy is challenging. Knowing when you’ve spent enough on preventive measures seems difficult to gauge. Knowing whether you’re focusing on the right areas is often unfathomable.
To gain perspective, let’s compare gauging our cyber health to evaluating our physical health. If we want to learn more about our physical vulnerabilities in order to predict how well we will do in the future, we could take two approaches:
Google – learn more about known problems.
23andMe – analyze our genetic makeup.
Suppose our concern is the possibility of a heart condition. A Google search can provide a snapshot of how far treatment has come and some insight into the latest research. This may help in understanding potential treatment, but it’s not a good predictor of our health outlook over the next several years. We could dig deeper by searching out our family medical history on Ancestry.com, but any predictions will be unreliable, since individual traits determine health and behavior to a far greater extent than does family history.
For a much deeper, individualized understanding of our physical makeup, we could opt for a complete genetic workup from a company like 23andMe. A genomic analysis assesses interactions between 20-25,000 genes to deliver an “inside out” picture of every genetic predisposition. Not only can we see how and why we behave in certain ways, we learn of potential looming problems and how to address them.
Companies want to mitigate cyber risk because they see the threat that breaches represent. In attempting to understand their own vulnerabilities at a deep level and how to address them, they can choose two analogous paths:
The Google Option
An expensive one-time manual or automated assessment of cybersecurity, often driven by spreadsheets full of specific points to verify, together with an aggregation of outside information about the company.
The 23andMe Option
An automated internal assessment that reveals vulnerabilities by comparing the organization’s “security DNA” with best practices, i.e., contrasting existing practices against well-accepted standards.
On the one hand, the external assessment is based upon gathering of data about the company’s vulnerability to an ever-changing base of an estimated 500,000 threats that morphs continually over time as new threats emerge. Because of the “turnover” in the threat list, the half-life of external cyber risk assessments is relatively short.
On the other hand, a detailed internal assessment compares the “what is” with the “what should be” – in other words, it identifies where we fall short compared to standards developed by leading industry experts. For example, comparing your existing cybersecurity against the NIST Cybersecurity Infrastructure Framework will highlight how we are faring in three dimensions: Risk Management, Risk Culture, and Risk Influence. The first, Risk Management, comprises policies, procedures, and technologies. The second, Risk Culture, assesses the degree that responsibility for cybersecurity has permeated the entire organization. The third, Risk Influence, measures how sophisticated we are in vetting partners and vendors based on the level of risk they introduce into our networks.
If done in isolation, the Google approach of a one-time threat analysis produces a score and suggests fixes that may not be the most important in the longer term. The 23andMe approach produces a prioritized plan comprised of the actions most likely to reduce risk. To extend our analogy, these actions are like continual “gene modifications” to correct weaknesses – changes that build up over time, and the changes remain in place from evaluation to evaluation.
Is one approach superior to the other? They both provide useful information that can help reduce risk. Without the internal “genetic analysis,” however, the likelihood of a long-lasting evolution toward cyber maturity is doubtful.