Rumble in the cyber jungle
The Australian Securities & Investments Commission’s (ASIC) plans for 2022-26 include driving good cyber risk and operational resilience practices across all sectors of the economy for 2022-2026. A big question is how to simplify the process of cyber security risk governance for all stakeholders, and improve education and training in a discipline which is complex and has an acknowledged skills deficit. Stakeholders are finding their voice.
Legislative and regulatory efforts are starting to take shape
The recent amendments to the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act), introduced concepts of “positive cyber security obligations” and legal precedent established in the ASIC vs RI Advice Group case, confirm the ongoing evolution of a cyber security governance system or framework. The accountability of senior executives and directors and their oversight obligations are emerging like road signs in the fog. Also, the acknowledgement that cyber security risk can be reduced through [active management and] adequate cyber security documentation and controls. Further guidance will assist all stakeholders understand what is adequate cyber security documentation and a control framework.
Legal precedent but insurers pave the way
In May 2022, ASIC was successful in its action against RI Advice Group, a Financial Services provider, for breaching its licence by failing to effectively manage the cyber security risks associated with protecting customer information. Up until now, it’s the cyber insurance sector that has largely driven cyber risk management thinking. Faced with growing loss ratios, insurers recognise the need to improve the quality of cyber security risk information and better manage their risk. Their requirements for more rigorous underwriting methodologies and security controls have now yielded greater accuracy in risk understanding and pricing.
As regulators and the courts play catch up, it is clear that these same risk management principles apply for senior executives and directors. Inadequate risk management systems and controls mean poor quality cyber security information to inform decision making. This is amplified for senior executives and directors whose ongoing risk management and oversight responsibilities are significantly more onerous than any insurance underwriter.
Yet another horror story
In the absence of guidance, nightmarish stories of cyber attacks and countless sponsored articles that rehash directors’ responsibilities only drive cyber anxiety. Not cyber security improvement. Talk of how failure to properly consider cyber security risk may put them at risk of breaching their duty of care abounds. Concern in some circles is that the fragmented and inadequate nature of cyber security risk systems and processes is unable to provide intelligible information suitable to inform cyber security risk decisions.
The disconnect here is the lack of adequate data-driven information to inform the effective management of cyber security resilience and risk management decisions. Subjective questionnaires and efforts “that seek to mark your own homework” can’t replace quantitative measurement of risk. Only evidence-based metrics are adequate to inform a formal process or framework. Little wonder that executives and directors are feeling under pressure; maybe it’s because they feel they don’t know, what they don’t know.
Tools and processes to know what you need to know
This security information quality problem is the same as the one faced by the cyber insurance industry. It was solved with more rigorous risk assessment and insurance contracts that allocate clear risk responsibilities between the parties. Just like insurers, senior executives and directors need to ensure that there is a clear understanding of and accountability for the quality of the risk information being provided to them and its adequacy to inform cyber security oversight.
While it may not be apparent to some who rely on it; right now, a considerable amount of the operational risk assessment information is not fit for purpose. Growing legal responsibilities mean that much of this arbitrary and unverifiable information is unsuitable to meet the needs of senior executives and directors and their oversight obligations. Quantitative measurement, enables evidence-based comparative risk appraisal; while qualitative judgements, are inevitably prone to human bias, and will result in lower confidence decision-making – cyber security risk or otherwise.
And its not just the directors looking for data-driven metrics
In late August the Cyber Security Industry Advisory Committee (IAC) released its annual report. It observed, that there is a need for a governance “framework that is coordinated and integrated”. Experienced committee members, familiar with the cyber security sector, repeated many of their findings of previous years:
- The government needs to be an “exemplar” of cyber security best practice (currently is not); and
- There needs to be the adoption of empirical data-driven cyber evaluation and measurement methodologies to improve cyber security practices.
The report and the scale of the interdependencies of a whole-of-nation strategy reminds us that cyber security impacts everything, everywhere. “Without a rigorous evaluation and measurement system and against an evolving maturity index, there is too much reliance [being placed] on qualitative anecdotes and commentary to determine the progress and effectiveness of initiatives under the Strategy [to improve cyber resilience across the economy]”. This is the very problem faced by business and directors. Whether because of a disclosure obligation or a duty of care, directors too are observing the fragmented nature of the cyber security governance framework and the absence of a framework to effectively manage and report on cyber security resilience.
Information is spread far and wide – especially if cyber isn’t your second language
The focus of a new Federal Minister responsible particularly for Cyber Security will undoubtedly assist in removing some of this fragmentation around cyber security information sources, guidance and the regulatory requirements, to better anchor a governance framework and improved cyber security processes and resilience. If senior executives, experienced in cyber security management, and lawyers skilled in matters of the law are seeking clarification, it’s fair to assume that many others are too. How can a cyber security assessment report, without evidence-based measurement, reliably inform a cyber risk management process?
Whether it’s a Notifiable Data Breach or disclosure of the nature now required by the SOCI Act, to notify the Australian Cyber Security Centre (ACSC) of a significant cyber security incident within 12 hours of becoming aware of it; it will be difficult to confidently assess and comply with the requirements without an empirical based risk measurement system.
Managing risk is not new – it’s part of the job
Systematic frameworks, risk management instruments and tools abound in the field of risk management and oversight; and business has relied on these methods and practices to manage all types of operating risk– credit or FX, for example. Irrespective of the nature and complexity of the risk to be managed, however, the broad principles of risk likelihood, mitigation and impact remain familiar constants for directors and risk management decision-makers. Cyber security is no different. Except to say that the risks are more complex and the frameworks, tools and risk management methodologies still evolving. Selecting the correct cyber security risk framework may depend on your regulators, the industry or any jurisdictional operating obligations; but at a management level, however, the suitability of security risk frameworks, their simplicity, ease of use, fidelity and accuracy of the information are vital.
A quantitative cornerstone for risk management – the ACSC Essential Eight
Australia has a proven cyber security risk framework, which was published as a cyber security maturity model as early as 2017. In drawing a distinction from the broader cyber security governance framework talked about earlier, the ACSC Essential Eight Security Framework is internationally regarded as one of the most effective IT risk cyber security frameworks in the world – with its easy to use, systematic and incremental risk assessment capability. This is particularly so when it is used to automatically measure the presence, effectiveness and maturity of a set of eight key cyber risk mitigation strategies. In this “industrialised” form it provides the basis of an empirical measurement and quantitative security control reporting platform to assess the resilience of your risk prevention, containment and recovery efforts.
Obviously, additional controls can be added to increase the reach of your security controls, but as eight technical controls, it’s a very accessible way to establish an “IT asset-centric” baseline of security resilience and, according to the ACSC, reduce your cyber security risk.
The benefits of the ACSC Essential Eight framework are compelling:
- An actively maintained, easy to use, systematic cyber security risk framework and maturity model
- Ideally suited to the empirical measurement of control effectiveness, evidence-based risk management and quality improvement; and
- Like a diagnostic imaging tool – it provides a clear, accurate and reliable depiction/view of your cyber resilience
The technical guidance and techniques of cyber security are converging
For the first time in more than 20-years, international security agencies have begun issuing multiple joint guidance statements. Perhaps this is in the recognition that cyber security control effectiveness has become an almost universal measure of resilience; and our adversaries similar, if not the same. The implications are clear, irrespective of whether you follow another cyber security framework or have other jurisdictional obligations, for local organisations the ACSC Essential Eight provides quick and easy visibility of your cyber security controls and maturity levels. By automating the empirical measurement and reporting of those eight key controls, senior executives and directors can quickly assess the levels of cyber resilience and make data-driven cyber security decisions with confidence.
Plenty to do: the makings of a world class cyber security resilience strategy
What we do know is that qualitative anecdotal risk information is not enough. It will inevitably impact the adequacy of the cyber security risk management process and potentially decisions that impact the cyber security strategy itself. Ongoing cyber security resilience is now a feature of modern enterprise as it seeks to transform its business processes for greater efficiencies, bringing with it the inevitable increases in cyber risk. Another feature is the risk team who is responsible for the assessment, management and reporting of those risks. They educate stakeholders, develop assessment tools and build systematic models to better explain the nature and quantum of mitigated and ultimately the residual risks. The better the visibility of risk the more reliable the quality of risk oversight – at all stages of its lifecycle.
We spoke before about the volatility of the cyber security risk environment and the need for the never-ending mitigation of vulnerability gaps. It’s the reason why detail matters. It’s why risk measurement needs to be accurate and objective and provide a relative measure or priority of a particular risk and its proposed mitigation strategy. It’s also why quantitative “risk accounting” and auditable assessment processes that support cyber security IT frameworks are vital to an effective cyber security risk management and oversight process.
New risk management processes and technologies will evolve to support a broader cyber security governance framework and near real time empirical risk measurement system. Right now, however, the ACSC Essential Eight risk framework is ideally suited to the systematic measurement of enterprise (and even nationwide) cyber resilience. What is required, however, is education and practical advice to better integrate the Essential Eight risk framework into the execution of the broader national cyber security resilience Strategy.