Redefining the Cybersecurity Attack Surface Part 3: Managing Complexity
This is the last part of a three-part series on the concept of “attack surface”. Part 1 argued that an organization’s exposure to cyber risk – traditionally calculated as a tally of the technologies that house and traffic data – also includes the people who touch all those technologies. Part 2 introduced the idea of governance risk, where a lack of proper oversight creates a liability for boards that can be thought of as another attack surface.
Previous articles have argued that the cyber attack surface is far greater than the sum of technologies – that those who actively use technology (read: the workforce) comprise the true attack surface. Managers and directors who fail to recognize and take steps to address this true attack surface are themselves vulnerable to attack by shareholders who suffer damage from a cyber breach. With such a vastly expanded definition of cyber risk, how should executive managers and corporate directors prepare themselves for a cyber event?
Know Your Exposure
The fundamentals of risk management don’t change just because a new risk is introduced. Cyber risk exposure is still a function of all the points that could be vulnerable to an attack. The difference is that those exposure points aren’t what our intuition tells us they are.
Of course, the first layer of risk resides in the technology systems. In order to effectively manage risk, an organization must have a living inventory of assets, systems, and data that drive the business. The next requirement is to understand the workforce and the ways in which they gain access to systems. Who is authorized? How are they screened? What are the mechanisms that protect against unauthorized access? How do people enter and leave the system?
Understanding how these systems work together will expose the true cybersecurity attack surface. Being able to develop credible answers to these questions is critical to effective oversight of cybersecurity.
Big Problems First
The quest to understand the asset and access systems that make up the attack surface often reveals some unpleasant realities. Inventories may be incomplete, and the processes intended to maintain them will prove deficient. Access control procedures may be decoupled from vetting and training functions. Risk managers may be at odds with system administrators, while all of them are at odds with security operations.
The situation is complex, but certainly not unusual. As with any complex system, there are problems at the center that are responsible for problems at the periphery. A deep dive into the biggest problems will stem the flow of energy to the myriad small ones.
Tackle the big issues first: asset inventories, identity and access management. Build collaborative, cross-functional teams with representatives from risk and security, of course, but also from human resources, IT, procurement, and compliance. The cyber risk problem seems intractable because it crosses the traditional boundaries of an organization. Collaboration along these breached boundaries – the outlines of the attack surface – is key to building resilient cyber risk management programs.
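The gaps described above (incomplete inventories, access decoupled from vetting and training, people who enter and leave the system) only become visible when the asset inventory, the HR roster and the access grants are reconciled against each other. The following is an added example, not code from the article: it runs a reconciliation over three small constructed data sets (the field names and sample values are assumptions) and reports each mismatch as a finding a risk team could track.

```python
# Added example (not from the article): reconcile an asset inventory, an HR
# roster and an access-grant list to surface the gaps the article describes.
# All three data sets below are constructed samples with assumed field names.
from dataclasses import dataclass

@dataclass
class Finding:
    kind: str      # category of gap
    subject: str   # asset or user the finding is about
    detail: str    # human-readable explanation

INVENTORY = {"erp-prod": "finance", "hr-db": "hr", "crm": ""}  # asset -> owning team
HR_ROSTER = {  # user -> vetting/status record maintained by HR
    "alice": {"status": "active", "screened": True, "training": True},
    "bob":   {"status": "terminated", "screened": True, "training": True},
    "carol": {"status": "active", "screened": False, "training": True},
}
ACCESS_GRANTS = [  # (user, asset) pairs as exported from the access system
    ("alice", "erp-prod"), ("bob", "hr-db"), ("carol", "erp-prod"),
    ("dave", "crm"), ("alice", "legacy-ftp"),
]

def reconcile(inventory, roster, grants):
    """Cross-check the three sources and return every gap as a Finding."""
    findings = []
    for asset, owner in inventory.items():
        if not owner:  # inventory entry nobody is accountable for
            findings.append(Finding("unowned_asset", asset, "no owning team recorded"))
    for user, asset in grants:
        person = roster.get(user)
        if person is None:  # access exists but HR has never vetted this identity
            findings.append(Finding("unknown_user", user, f"access to {asset} but no HR record"))
        else:
            if person["status"] != "active":  # leaver whose access was never revoked
                findings.append(Finding("stale_access", user, f"{person['status']} but still holds {asset}"))
            if not person["screened"]:
                findings.append(Finding("unscreened_user", user, f"access to {asset} without screening"))
            if not person["training"]:
                findings.append(Finding("untrained_user", user, f"access to {asset} without training"))
        if asset not in inventory:  # granted access to something the inventory does not know
            findings.append(Finding("shadow_asset", asset, f"granted to {user} but not in inventory"))
    return findings

def summarize(findings):
    """Count findings per category, the figure a quarterly risk report would carry."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts

if __name__ == "__main__":
    for f in reconcile(INVENTORY, HR_ROSTER, ACCESS_GRANTS):
        print(f"{f.kind:16} {f.subject:12} {f.detail}")
```

Each category maps to one of the cross-functional owners named above: HR for unknown and stale identities, security for screening and training, IT and procurement for shadow and unowned assets.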
Alignment Equals Assurance
Executives and directors can be powerful evangelists for discovering, defining and understanding the organization’s attack surface. Indeed, they must step into this role: their very own safety depends on mitigating cyber risk. A board of directors that fails to properly oversee cyber risk strategy – whether by omission or willful ignorance – will be held accountable by familiar adversaries: shareholders and regulators.
The cybersecurity attack surface represents a significant liability for boards of directors. The best protection is assurance that all who operate within the organization are pursuing best practices to manage cyber risk. Boards must strive for policy implementation that is observable and measurable.
An integrated approach that blends functional teams and demands support from managers will add depth to cyber capabilities. Processes should include methods for testing and continuous improvement. The quarterly report on cyber risk must demonstrate evidence of this activity, so that boards can understand and effectively engage in cyber risk management.
Cyber risk represents an existential threat to companies and the boards who govern them. The traditional concept of an attack surface provides guidance for thinking about this problem, but it is not wholly adequate. The attack surface is intangible and deeply interconnected; it is fluid and exhibits unexpected, emergent properties. In order to be adequately addressed, it requires a common framework that touches every level of the organization, and aligns all stakeholders with a common goal: cyber risk mitigation.