Psychology of Risk Scales

In February 2009, researcher David Budescu published a study on improving the communication of uncertainty. He gave subjects phrases from the Intergovernmental Panel on Climate Change (IPCC) report, for example, “it is very likely that extremely hot temperatures will become more frequent,” and asked each subject to interpret the probability the statement implies. Budescu found that individuals varied considerably in how they interpreted the probability implied in the phrase.

Budescu found that “very likely” was interpreted as anything from 43% to 99%, and “unlikely” could mean as low as 8% or as high as 66%, depending on whom you ask.

There is no evidence that cybersecurity would be any different when cybersecurity subject matter experts estimate the probability of cybersecurity events in the risk register. One way to avoid some of these fallacies is to use financial impact analysis,...

Victims of our Own Advice

The National Cybersecurity Alliance recommends focusing on four risk management practices: 

  • Multi-factor authentication
  • Strong passwords and password managers
  • Software updates
  • Recognizing and reporting phishing

However, without context and guidance, this advice may be overwhelming to small and midsized businesses, starting with the fact that these are not necessarily risks but rather vulnerabilities and process advice (reporting phishing).

Additionally, without a strategy, companies will be overwhelmed trying to boil the ocean and will spend most of their time and resources on systems with low mission impact.


Cybersecurity Confidence vs. Performance

Several studies conducted in other fields showed that spending more effort on analysis increased confidence even when actual performance did not improve.

A study by the University of Chicago in 2008 tracked the probabilities that participants assigned to the outcomes of sporting events. These participants were given varying amounts of information about the teams, except the team’s name or players. As fans were given more information, their confidence in picking the winner increased, while their chance of actually picking the winner remained nearly flat no matter how much information was provided.

Consider how many metrics and measures we have in cybersecurity: is it your confidence level that is increasing, or your performance on the outcome?

Don’t be so quick to accept metrics and measures labeled “best practices”; best practice does not mean the practice was measured and scientifically proven to be the best performer among a set of practices.

Focus on reducing risk; are your...

The MOST Important Cybersecurity Principle

Asset management is most commonly associated with cybersecurity hygiene, which in turn is associated with patching, anti-virus, access control, and other asset-specific protections. However, there are three NIST CSF sub-categories that I want to bring to your attention, along with how they align with a mission-based cybersecurity risk program.

ID.AM-1: Physical devices and systems within the organization are inventoried.
ID.AM-2: Software platforms and applications within the organization are inventoried.
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.

These three sub-categories are the foundation of your organization's cybersecurity program, specifically, your cybersecurity risk program.

Some factors to keep in mind when developing a priority methodology:

  • The role the asset plays in generating revenue
  • The asset's importance to ongoing operations
  • The asset's cost to replace or protect
  • ...

5 Focus Areas - Third-Party Risk Measurements

There are two types of third-party risk: product vendors and service providers. Product vendors provide outsourced software, platform, and infrastructure, known as SaaS, PaaS, and IaaS. According to some estimates, only 40% of applications are hosted on-premises.

Service providers are consulting third-party vendors, such as management consultants, IT consultants, cybersecurity consultants, and managed service consultants. Regardless of the type of third-party vendor, these are the five areas your third-party risk management program should focus on:

  1. Data access: who has access to your data? What kind of data is it? How is it stored? This is a confidentiality issue. Reviewing and discussing your providers' policies, procedures, and contractual language is essential. This is an area in which you should involve your legal team.
  2. Security program transparency: where is the data center? What physical controls are in place? Make sure these questions are asked and, if possible, validated to...

5 Must-Have Cybersecurity Strategies for Small Businesses

Cyber attacks targeting small businesses, which often do not have the resources to defend against devastating attacks like ransomware, have grown. As a small business CEO or CIO, you have likely come across outdated security advice that does not help prevent the most common attacks. The security landscape has changed, and your cybersecurity knowledge needs to evolve with it. Here are 5 tips to get you started:

Establish a culture of [cyber] security

Talking about cybersecurity with leadership and staff, communicating cybersecurity program initiatives in your regular communications, and setting measurable quarterly cybersecurity goals are just a few examples.

Hire a vCISO or part-time CISO

Due to the ever-changing nature of the cybersecurity threat environment, consider having a part-time CISO (vCISO) on retainer to assist your organization with all cybersecurity initiatives. A vCISO can lead your staff in developing a DRP, an IRP, an Acceptable Use Policy, a Cybersecurity Policy, Remote Access...

Third-Party Risk Management

The third-party outsourcing trend will continue to grow in the coming years, which makes third-party risk a significant concern for organizations large and small. Depending on which statistics you read, 39-63% of breaches are caused by third parties. One of the most notorious breaches is the case of Target, where an HVAC vendor’s credentials were stolen, resulting in the theft of 40 million credit and debit card numbers and 70 million records of personal information from the retailer.

How to manage this risk vector has inspired several books and articles; however, it all starts with the contract and what you were able to negotiate upfront, followed by a mixed-methodology assessment in which you use qualitative and quantitative elements to assess the vendor against industry-accepted standards such as NIST CSF or ISO 27001.

I would use caution in leveraging Service Organization Control (SOC) 2 reports; these reports vary by organization and may not cover all...

Chasing Perfection

Pursuing perfection takes a lot of resources, both financial and human. In cybersecurity risk management, there are two key questions:

  • When will enough be enough?
  • How much time and effort should your organization spend to achieve a reasonable level of cybersecurity against an attacker?

The answer to these questions is your risk tolerance. Chasing perfection has its challenges and may not get you where you want to be. It also risks missing the big picture, leaving security gaps in other areas of your organization, and burning out your staff.

A holistic and mission-driven approach to cybersecurity, with reasonable and measurable goals, will help secure your organization. To get you started, keep in mind three questions:

  1. What are your organization’s cybersecurity risks?
  2. How are you managing the organization’s cybersecurity risks?
  3. How are you measuring your cybersecurity risk reduction?

Cybersecurity Risk & Budget Challenges

Amid a global financial crisis and potential cybersecurity budget challenges, you now face a tough decision: how to do more with less. What if I told you that you can? Change the focus of your cybersecurity risk management program from a threat/vulnerability-centric focus to a mission-centric focus.

Use the same people, processes, and technologies you already have, but target the critical systems in your organization. This change in strategy allows your cybersecurity organization to provide valuable services by redirecting the same resources to a mission-centric approach, innovating your cybersecurity strategy while being a good steward of your financial resources.


Author: Dr. Bill Souza...

5 Rules for Cybersecurity Risk Metrics

Rules for Effective Cybersecurity Metrics

First, you must establish agreement among your leadership on the actual risk(s) to measure, and then select the data that will provide the most accurate representation of that risk.

The following are 5 fundamental rules for measuring cybersecurity risk:

  1. Select informative measures with actionable value to leadership
  2. Research what other subject matter experts have done and what has worked
  3. Keep the math simple and clear
  4. Develop a standard reporting format and reporting governance
  5. Be consistent and allow your measures and metrics to mature over time

Bonus rule: Gain buy-in from your stakeholders.



Author: Dr. Bill Souza | Jul 14, 2022 
