Several studies in other fields have shown that spending more effort on analysis improves confidence even when actual performance does not improve.
A 2008 University of Chicago study tracked the probabilities participants assigned to the outcomes of sporting events. Participants were given varying amounts of statistical information about the teams, but not the teams’ names or players. As they were given more information, their confidence in picking the winner increased, while their accuracy stayed nearly flat regardless of how much information they received.
Consider how many metrics and measures we have in cybersecurity: as they accumulate, is it your confidence that is increasing, or your actual performance on the outcome?
Don’t be so quick to accept metrics and measures labeled “best practices”; the label does not mean the practice was measured and shown to outperform the alternatives.
Focus on reducing risk; are your...
Third-party risk comes from two types of vendors: product vendors and service providers. Product vendors are the providers you outsource software, platforms, and infrastructure to, known as SaaS, PaaS, and IaaS. According to some estimates, only 40% of applications are still hosted on-premises.
Service providers are consulting vendors, such as management consultants, IT consultants, cybersecurity consultants, and managed service providers. Regardless of the type of third-party vendor, these are the five areas your third-party risk management program should focus on:
The outsourcing trend will continue to grow in the coming years, which makes third-party risk a significant concern for organizations large and small. Depending on which statistics you read, 39-63% of breaches involve a third party. One of the most notorious examples is the 2013 Target breach, where credentials stolen from an HVAC vendor gave the attackers access to the retailer’s network, and 40 million credit and debit card numbers and 70 million records of personal information were stolen.
How to manage this risk vector has inspired several books and articles; however, it all starts with the contract and what you were able to negotiate up front. From there, use a mixed-method assessment that combines qualitative and quantitative elements to evaluate the vendor against an industry-accepted standard such as the NIST CSF or ISO 27001.
I would use caution in relying on Service Organization Control (SOC) 2 reports; their scope is defined by the service organization being audited, so they vary from one vendor to the next and may not cover all...
Amid a global financial crisis, and potentially facing cybersecurity budget cuts, you now face a tough decision: how to do more with less. What if I told you that you can? Change the focus of your cybersecurity risk management program from a threat/vulnerability-centric approach to a mission-centric one.
Use the same people, processes, and technologies you already have, but target them at the systems that are critical to your organization’s mission. Redirecting the same resources to a mission-centric approach lets your cybersecurity organization deliver more valuable services, innovating your cybersecurity strategy while being a good steward of your financial resources.
Author: Dr. Bill Souza...
First, establish agreement among your leadership on which risk(s) to measure; then select the data that will most accurately represent each risk.
The following are 5 fundamental rules for measuring cybersecurity risk:
Bonus rule: Gain buy-in from your stakeholders.
Author: Dr. Bill Souza | Jul 14, 2022
The question with a mission-based risk assessment is how to actually perform one.
A four-layer approach will be a good start:
Author: Dr. Bill Souza | Jul 13, 2022
When measuring risk in your organization, you will typically run into two challenges. First, your top key risk measures have no supporting data yet (they are aspirational). Second, the middle- and low-level measures you can develop with the data you have do not entirely address the risk.
The lack of data to calculate a particular measure is no reason not to measure the risk. These are your aspirational measures: setting an organizational ambition or goal that your cybersecurity program will report on over time is a good strategy, and it gives the program room to mature.
For example, calculating the percentage of assets identified as critical requires two data points: the total number of assets and the number of critical assets. If you don’t have these numbers, start by collecting secondary data and establishing secondary measures (for instance, the share of the inventory that has been assessed for criticality) that drive toward the aspirational goal of calculating that percentage.
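The aspirational-versus-secondary measure pattern, as an added example that is not code from the original post: the primary measure (critical assets as a share of all assets) is held back as aspirational until the inventory has actually been assessed for criticality, because before that point the ratio silently understates the true share. Until then only the secondary measure, assessment coverage, is reported. The inventory, field names and the `min_coverage` threshold are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample inventory for illustration (not data from the post).
# critical=True/False means the asset has been assessed; None means it has
# not yet been reviewed, so its criticality is unknown.
SAMPLE_INVENTORY = [
    {"id": "erp-db-01", "critical": True},
    {"id": "payroll-app", "critical": True},
    {"id": "intranet-wiki", "critical": False},
    {"id": "dev-jenkins", "critical": None},
    {"id": "guest-wifi-ctl", "critical": None},
]


@dataclass
class CriticalAssetMeasure:
    total_assets: int
    assessed_assets: int
    critical_assets: int
    pct_assessed: float            # secondary measure: assessment coverage
    pct_critical: Optional[float]  # primary measure: critical / total, or None
    status: str                    # "reported" or "aspirational"


def measure_critical_assets(inventory: List[dict],
                            min_coverage: float = 1.0) -> CriticalAssetMeasure:
    """Compute the share of assets identified as critical.

    The primary measure is only reported once at least `min_coverage` of the
    inventory has been assessed. Before that, critical/total would understate
    the real share (unassessed assets sit in the denominator but can never
    reach the numerator), so the measure stays aspirational and only the
    secondary coverage measure is reported.
    """
    total = len(inventory)
    if total == 0:
        raise ValueError("empty inventory: no total-asset count to measure against")
    assessed = [a for a in inventory if a.get("critical") is not None]
    critical = [a for a in assessed if a["critical"]]
    pct_assessed = len(assessed) / total
    pct_critical: Optional[float]
    if pct_assessed >= min_coverage:
        pct_critical = len(critical) / total
        status = "reported"
    else:
        pct_critical = None
        status = "aspirational"
    return CriticalAssetMeasure(total, len(assessed), len(critical),
                                pct_assessed, pct_critical, status)


if __name__ == "__main__":
    m = measure_critical_assets(SAMPLE_INVENTORY)
    print(f"{m.status}: {m.pct_assessed:.0%} of {m.total_assets} assets assessed, "
          f"{m.critical_assets} critical so far, pct_critical={m.pct_critical}")
```

On the sample data only three of five assets have been assessed, so the function reports 60% coverage and two critical assets found so far, and leaves the percentage-critical measure empty rather than reporting a misleading 40%. Once every asset carries a decision, the same call returns the primary measure and flips the status to reported.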
Keep a three-point framework in mind when preparing a report to the Board, especially if you are a small to medium-size business with annual revenue between $100M and $700M and [potentially] no CISO in your organization.
One key factor: be prepared to answer how your organization compares to others in the industry. I suggest comparing notes with other organizations in the same industry and of similar size.
Author: Dr. Bill Souza | Jul 8,...
How do you understand a digital asset's business value?
First, let’s define a digital asset: a system, process, data set, or technology that the business uses. A cyber event can affect one or more of these digital assets, resulting in a loss for the business.
These digital assets have a hierarchical relationship:
Understanding this hierarchy in your organization will lead you to its critical systems.
Author: Dr. Bill Souza | Jul 7, 2022
NIST has developed a cybersecurity risk management framework that treats the issue as a comprehensive process requiring organizations to:
All small and midsize businesses must address these four pillars. A small and midsize business (SMB) is one that, due to its size, has different IT requirements, and often different IT challenges, than a large enterprise, and whose IT resources (usually budget and staff) are often highly constrained.
Author: Dr. Bill Souza | Jul 6, 2022