Cyber Risk Insights: A Practitioner's Perspective

Discussion on cyber risk challenges in the banking sector

Episode 1 - June 2023

Session Speakers

Loic Jegousse
CISO Advisor, Alfahive
Rostow Ravanan
Chairman and CEO, Alfahive


In this monthly series, ‘Cyber Risk Insights: A Practitioner’s Perspective’, we aim to bring you the unbiased views of industry-leading experts in cyber risk management and to explore the most pertinent questions around how to assess, prioritize and monitor risks using new technologies.

In this first episode, cyber risk expert Loic Jegousse is in discussion with our CEO, Rostow Ravanan.

Loic brings a wealth of experience as a senior technology and operational risk executive at one of the largest banks, and he currently serves as a CISO advisor to Alfahive. Throughout his career he has worked with major financial services organizations across all three lines of defence. He began his career in financial and technical audit, moved to the first line of defence in IT operations, and now works in the second line of defence, focusing on operational and IT risk.

Please note - the insights shared by Loic in this discussion are solely his own and should not be attributed to his present or previous employers.

“When you look at a typical challenge in the banking sector or financial institutions, the pressure on cyber security remains an existential one and we are all in the race and everybody, every single organization, is trying to keep up and trying to run at least as fast as the other ones.”
- Loic Jegousse


The following is a summary of the discussion between Rostow and Loic:

Rostow: I am delighted to engage in this conversation with you, Loic. Let's begin with the first question: Could you please shed light on the common day-to-day challenges faced in risk management and share your strategies for effectively navigating through them?

Loic: When it comes to risk management in the financial sector, there are several day-to-day challenges that organizations face. Drawing from my 20 years of experience, I'll shed light on some of these challenges and how we navigate through them.

To illustrate the importance of risk management, let's recall the infamous bank robber, Willie Sutton. When asked why he targeted banks, he famously replied, "Because that's where the money is." While the financial landscape has evolved significantly since then, financial institutions still encounter substantial risks due to their central role.

In today's digital era, data has become synonymous with money. Protecting information against threats to confidentiality, integrity, availability, and continuity is crucial. The threat landscape encompasses a wide range of actors, including small-time criminals, organized crime syndicates, and even nation-states.

Financial institutions operate in a dynamic environment. They face increased competition not only from traditional banks but also from non-banking entities such as fintech companies. Failing to adapt is not an option, as any change introduced into the IT environment carries inherent risks. Moreover, the geopolitical context is increasingly volatile, and there is a growing interdependence between third-party and fourth-party entities. Regulatory oversight has also intensified over time.

In the banking sector, cybersecurity remains an existential challenge. Every organization is engaged in a race to keep up and match the pace set by others. It is essential to address multiple aspects of cybersecurity, including awareness, creating the right environment, allocating sufficient budget, fostering a cybersecurity-oriented culture, and developing a robust incident response plan.

Navigating these challenges successfully requires a comprehensive approach and a continual effort to stay ahead of evolving threats. By prioritizing cybersecurity and integrating it into the core fabric of our operations, we can effectively manage risks and safeguard the integrity and stability of our organization.

Rostow: Thank you for a very insightful and comprehensive answer. Let me ask another pertinent question. How do you generally approach the process of translating control complexity into risk insight? Are there any specific tools or methodologies that you find effective?

Loic: When it comes to translating control complexity into risk insight, the assessment of controls plays a vital role in any robust cyber program. Controls serve as reliable predictors of future risks. As a professional, my goal is to tailor and contextualize the control framework effectively, understanding the interplay between controls and the value of assets.

In the industry, there are various excellent control frameworks that have evolved, such as NIST CSF and ISO critical security controls. These frameworks define the standards for effective controls, and non-compliance with these standards usually indicates higher risk.

For organizations, the key is to select a framework that aligns with their needs and refrain from excessive customization that could dilute its effectiveness. The adoption of a standardized taxonomy is crucial, as it enables the translation and grouping of control gaps into common themes.

However, there are several challenges that arise when assessing controls in large organizations. First, the volume of work keeps increasing due to heightened scrutiny and the need to assess controls across business lines and third-party vendors. Prioritizing this workload can sometimes result in blind spots where certain areas are deprioritized or not reassessed frequently.

Another challenge lies in maintaining the rigor of control assessments. It can be tempting to assess the operating effectiveness of controls with simple "yes" or "no" answers and rely on a few representative samples. However, it is important to consider controls within the context of end-to-end processes or environments.

Multiplication of assessments is yet another challenge. Obtaining a comprehensive picture often requires conducting multiple assessments. For instance, in the case of third-party assessments, relying solely on external reports may provide some initial information, but it should be supplemented with additional sources of data.

Furthermore, there is a shortage of qualified resources available to effectively assess controls. The cybersecurity talent shortage is well-known and finding individuals with the right blend of technical skills, control expertise, and essential soft skills poses a significant challenge for organizations.

Lastly, even if all these challenges are addressed, aggregating the conclusions of control assessments remains a challenge. The quality of aggregation relies on the taxonomy used and the accuracy of the data gathered.

To navigate through these challenges, it is crucial to strike a balance between comprehensiveness and efficiency. Leveraging automation tools and technologies can streamline the control assessment process and improve the accuracy and timeliness of risk insights. Additionally, investing in talent development and fostering a strong cybersecurity culture within the organization can help overcome resource constraints and enhance the overall effectiveness of control assessments.

“Leveraging automation tools and technologies can streamline the control assessment process and improve the accuracy and timeliness of risk insights”
 - Loic Jegousse

Rostow: You made very insightful points in the above answer. Now, I would like to address another challenge that individuals consistently encounter. From your perspective, what are the essential elements that contribute to qualitative risk reporting? Moreover, how can organizations transition towards a more quantitative and data-driven approach to risk reporting?

Loic: The core of cyber risk management involves a life cycle of risk identification, assessment, prioritization, treatment, and making informed decisions about the risks to be taken. This life cycle should inform governance and be applicable at various levels within the organization, including the micro and macro levels. However, one of the significant challenges in the field of cyber risk management is the objective measurement of cybersecurity risk.

As Peter Drucker famously said, "Only what gets measured gets managed." In other words, effective management of cyber risks requires measurement. Unfortunately, it can be difficult to aggregate the results of control assessments, even if an organization excels at assessing individual controls. As a result, organizations often employ additional techniques to address this challenge.

Four such techniques are Key Performance Indicators (KPIs), Objectives and Key Results (OKRs), cyber maturity assessments, and qualitative assessments. However, each of these techniques presents its own set of challenges.

KPIs and OKRs are often considered the Holy Grail of security metrics, but there is still no industry consensus on common metrics. Additionally, these metrics tend to focus more on the micro level and are predominantly designed by and for security professionals.

Cyber maturity assessments are effective in identifying areas for improvement, but there is a risk of these assessments becoming score-driven exercises that mask underlying weaknesses.

Models and simulations provide an effective means of gaining a macro view of cyber risk. However, they are not widely deployed outside of military exercises and operational risk modelling. The use of these models is sometimes limited due to regulatory constraints. Changes to frameworks such as Basel IV may offer hope for organizations to test and adopt new methods and simulations for better aggregating and simulating overall exposure to cyber risk.

Lastly, qualitative assessments involve plotting risks on a two-dimensional map based on likelihood and impact. Unfortunately, these assessments face significant issues, such as the difficulty of adding newly identified risks and the potential for bias.

The field of cyber risk management has a long history and is deeply ingrained in the culture of many organizations. Frameworks such as NIST, COBIT, and OWASP have played a significant role in promoting and shaping the practice. However, some academics have identified issues and problems associated with these approaches.

One example is the problem of range compression, as discussed by Douglas Hubbard. It can lead to suboptimal decision-making and the potential for not prioritizing the most important risks. While the industry recognizes the need to move towards more quantitative and data-driven approaches, there is no clear silver bullet or one-size-fits-all solution.

To embrace more quantitative and data-driven risk reporting, organizations need to acknowledge a few key points. Firstly, there are two distinct discussions about cyber risk: one at the macro level, focusing on controls, and another at the micro level, tailored for day-to-day conversations within the organization.

Secondly, relying solely on qualitative approaches is insufficient for measuring cyber risk at the macro level. While qualitative methods may have a place in education, they lack the scientific rigor and robustness required for the task.

The third acknowledgement is that only quantitative approaches can effectively address significant questions, such as return on investment for controls and demonstrating the value they provide to the organization. However, the path to quantitative measurement is challenging and may require different skills and tools than what teams currently possess.

Lastly, even within the industry, there is a lack of consistent language when it comes to measuring cyber risk. Definitions and interpretations vary, making it difficult to establish a unified approach. For example, Douglas Hubbard defines measurement as observation that quantitatively reduces uncertainty, emphasizing the use of Bayesian methods to quantify risk based on new information.

In the quantitative world, risks are often expressed as probabilities of events resulting in specific losses within a confidence interval. This introduces rigor into risk expression. Similarly, vulnerabilities are quantitatively assessed as probabilities of threat agent actions resulting in losses.

Rostow: Thank you! What role do you see technology playing in the future of cyber risk management? Are there any emerging technologies that you find particularly promising?

Loic: In the future of cyber risk management, technology, particularly artificial intelligence (AI) and machine learning, will play a significant role. As we progress into 2023, AI and machine learning have become buzzwords, presenting both threats and opportunities.

Cybercriminals are already leveraging AI to commit fraud and launch attacks. They utilize deep fake technology, impersonate individuals, and deploy armies of bots to orchestrate denial-of-service attacks. However, on the flip side, AI is also employed by cybersecurity professionals to combat these threats. It helps identify unusual behaviours or patterns, create honeypots to lure attackers, and develop technologies for defence.

Machine learning, especially large language models like GPT-3, has garnered attention in 2023. Chargeability, the ability to automate text-heavy tasks requiring human judgment, is a promising concept. The automation of mundane and tedious activities, such as asset mapping, threat analysis, and control assessment, could become a reality through AI and machine learning advancements.

The potential for automation and simplification of these tasks holds great promise. Additionally, as AI and machine learning become more prevalent, there may be an increase in statistical literacy. This would foster valuable discussions about the validity of machine outputs and the best utilization of these technologies.

“I'm quite hopeful that the advancement in artificial intelligence and machine learning will help the cyber risk management to move forward.”
- Loic Jegousse

Rostow: Based on your experience, what advice would you give to organizations looking to improve their cyber risk management practices and stay ahead in today's rapidly evolving threat landscape?

Loic: In today's rapidly evolving threat landscape, organizations must be proactive in improving their cyber risk management practices to stay ahead. I would offer two key pieces of advice.

Firstly, organizations should allocate a portion of their cyber risk management program to automate control work as much as possible. This helps address the challenge of sustaining manual efforts and ensures efficiency. Additionally, developing meaningful Key Performance Indicators (KPIs) that are well-suited for monitoring at the micro level can provide valuable insights and enhance risk management.

Secondly, at the macro level, it is crucial to embrace quantitative measurement. Organizations should consider conducting proof of concept pilots using simulations and models. This approach can yield new insights and perspectives on risk, as well as enable more effective conversations with senior management. Embracing quantitative measurement can enhance risk assessment and decision-making processes.

By combining automation and meaningful KPIs at the micro level with quantitative measurement and simulations at the macro level, organizations can strengthen their cyber risk management practices and position themselves ahead in the ongoing race against evolving threats.

“At the macro level, embrace quantitative measurement, do some proof of concept pilots using simulations and models as it might bring some new insight and new ways to think about risk and how to present and have conversations with senior management, and those are my two thoughts in terms of what organizations should do in order to stay ahead of the race.”
- Loic Jegousse

Key Takeaway from the discussion

In conclusion, effective cyber risk management is a multifaceted endeavour: it requires careful handling of control complexity, honest evaluation of control effectiveness, adoption of emerging technologies, and a shift towards more quantitative approaches. Organizations must navigate resource shortages, measurement problems, and the lack of consistent industry standards. By investing in automation, leveraging AI and machine learning, and embracing quantitative measurement, they can strengthen their risk management practices, adapt to a rapidly evolving threat landscape, and protect their assets.
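To make the quantitative point discussed above concrete, the script below is an added example written for this page; it is not code from the interview, from Alfahive's platform, or from Douglas Hubbard. It contrasts a 5x5 likelihood-by-impact heat map with two quantitative expressions of the same risk: a Monte Carlo estimate of annual loss (Poisson event count, lognormal loss per event) reported as an annualised loss expectancy plus the loss at a chosen confidence level, and a Beta-binomial update of an event probability from observed incident history. The two sample risks, the band thresholds and the distribution parameters are constructed for illustration, not taken from any institution.

```python
"""Added example (not from the interview): qualitative heat-map scoring vs.
quantitative loss estimation for a cyber risk.  All figures are constructed."""
import math
import random

# Ordinal 1-5 bands as a typical heat map uses them (constructed thresholds).
# Each entry is (upper bound, score); the first band whose bound exceeds the
# value wins.  Likelihood is an annual probability, impact a loss in currency.
LIKELIHOOD_BANDS = [(0.05, 1), (0.20, 2), (0.50, 3), (0.80, 4), (1.01, 5)]
IMPACT_BANDS = [(1e5, 1), (1e6, 2), (1e7, 3), (5e7, 4), (math.inf, 5)]


def _band(value, bands):
    for upper, score in bands:
        if value < upper:
            return score
    return bands[-1][1]


def heat_map_score(annual_probability, loss_if_it_happens):
    """Return (likelihood score, impact score, product) as a heat map would."""
    l_score = _band(annual_probability, LIKELIHOOD_BANDS)
    i_score = _band(loss_if_it_happens, IMPACT_BANDS)
    return l_score, i_score, l_score * i_score


def expected_annual_loss(annual_probability, loss_if_it_happens):
    """Single-scenario expected loss: the simplest quantitative expression."""
    return annual_probability * loss_if_it_happens


def _poisson(rng, lam):
    """Knuth's sampler (the random module has no Poisson); fine for small lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(events_per_year, median_loss, sigma,
                         trials=20_000, confidence=0.95, seed=2023):
    """Monte Carlo over one year: Poisson number of events, lognormal loss per
    event.  Returns the annualised loss expectancy (mean), the loss at the
    requested confidence level (one point on a loss exceedance curve) and the
    probability that at least one event occurs.  Seeded for reproducibility."""
    rng = random.Random(seed)
    mu = math.log(median_loss)  # for a lognormal, median == exp(mu)
    losses = []
    for _ in range(trials):
        n_events = _poisson(rng, events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    losses.sort()
    idx = min(int(confidence * trials), trials - 1)
    return {
        "ale": sum(losses) / trials,
        "loss_at_confidence": losses[idx],
        "p_any_event": sum(1 for x in losses if x > 0) / trials,
    }


def update_event_probability(prior_alpha, prior_beta, incident_years, years):
    """Beta-binomial update (Bayesian, as Hubbard advocates): posterior mean of
    the annual probability of at least one incident after observing
    `incident_years` years with an incident out of `years` observed.
    Beta(1, 1) is a flat prior; use larger alpha/beta to encode a stronger
    prior belief."""
    return (prior_alpha + incident_years) / (prior_alpha + prior_beta + years)


if __name__ == "__main__":
    # Two constructed risks that the heat map cannot tell apart (range
    # compression): both land in cell (4, 3) although their expected annual
    # losses differ by more than a factor of ten.
    risks = {"A": (0.55, 1.2e6), "B": (0.78, 9.5e6)}
    for name, (p, loss) in risks.items():
        print(name, heat_map_score(p, loss),
              f"expected annual loss {expected_annual_loss(p, loss):,.0f}")

    result = simulate_annual_loss(events_per_year=0.5, median_loss=1e6, sigma=1.0)
    print(f"ALE {result['ale']:,.0f}; "
          f"95% loss {result['loss_at_confidence']:,.0f}; "
          f"P(any event) {result['p_any_event']:.2f}")

    # Flat prior, 2 incident years observed out of 5 -> posterior mean 3/7.
    print(f"updated P(incident/year) {update_event_probability(1, 1, 2, 5):.3f}")
```

The heat map places both constructed risks in the same cell with the same score of 12, which is the range compression problem in miniature: an eleven-fold difference in expected loss disappears into ordinal bands. The Monte Carlo output is what "a probability of a loss within a confidence interval" looks like in practice: the mean is the annualised loss expectancy, and the 95th-percentile figure is the amount the organization would exceed in roughly one year in twenty, which is the number senior management can compare against budget or insurance limits. The Beta-binomial update shows how an initial estimate is revised as incident data accumulates rather than fixed once at assessment time.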
