Threat Smart: Cyber Risk Management Done Right

▼CyberCrime, CyberEspionage, Data Breach & Cost, Incident Response, AML/CFT/CTF/KYC & More▼

MISCELLANEOUS WRITINGS | VOLUME 75 | UPDATED SINCE 2015

Can you innovate and scale while giving risk management the 24/7 vigilance it demands?

There's a difference between risk intelligence on the one hand, and risk maturity and cybersecurity maturity. And smart insiders and pros acknowledge that C-Suite needs the latter two the most.

Furthermore, the urgent realization that anti-money laundering, counter-terrorism financing, etc. also belong in the conversation.

Is InfoSec and IT exempt from geopolitics? Hint: COVID-19 pandemic resource kit (⬆). For denialists, a bolder reality check is right here.

Have/can cyber insurers nail(ed) continuous compliance or business risk?

Why keep hiring execs who won't treat cyber risk as financial risk?

Do you understand the 3 Reasons Risk Management Has Failed?

How to protect brands after data breaches?

These are leadership questions. And to forget humans — not IT — are the source of cyber risk is inviting trouble. Ask this Equifax ex-CEO.

From the $1.4 billion Equifax breach to the infamous Yahoo hacks, the former's eventual punishment and exhaustive research tell us that breached organizations lose millions in value. And for the U.S. economy and cyber insurance industry billions in insured losses, following major cloud cyber attack incidents (report at bottom of the article). Which is why leaders who are blasé about holistic security AREN'T threat smart and hence, unfit to lead. And incidentally, President Donald Trump's stubborn insistence for a long time on

clinging to his old Android phone add(ed) him to the mix. And do keep Virtual Assistants from him!

As with Incident Management basics, the 9 Critical Steps For Incident Response Success (PDF) is right behind the hyperlinked image above.

Further, just as being street smart is a survival skill, good (Cyber) Risk Management is not just a strategic business vigilance and survival posture. It is increasingly a hallmark of good leadership. And good leaders ensure that their organizations maintain Zero Trust architectures for maximum data security, —while nailing Cyber Risk Assessment and Due Diligence. From third-party security to M&A transactions à la Verizon's $4.48 billion data breach-defining acquisition of Yahoo. Click image.

We're talking about leveraged growth opportunities responsibly balanced against security, whatever the platform or device. Enterprise, institutions, home, Cloud, IoT/IIoT, BYOD. Such that “we take security seriously” isn't merely a punchline, nor Reputational Damage the sole driver for leaders.

For one thing most executives, IT and/or Security pros who regurgitate that line don't know until challenged that they can't technically and conclusively prove they know WHERE their data is. Let alone WHAT to do in the event of a Data Breach (images hyperlinked). In many cases even, how to safely manage their Apple ID to protect critical and sensitive business data.

One aggressive, data-greedy headhunter who tried the “Your [data] will be held in strict confidence. Never shared.” line with me recently was humbled and silenced, when confronted with the facts. Some addressed here.

In Africa meanwhile, a former business partner's contented assumption that: “We don't have your hacking problem here”, suggesting cyber crime is a developed nation-only American problem drew laughter on Twitter when I shared it with InfoSec pros. Companies like that already got pwned. Including government and business leaders who, lacking risk maturity (in their ranks and cabinets) haven't made the connection between robust customer data security gray/grey zone warfare.Whether in the energy sector running ICS/SCADA systems/power grids or not, the avenues of attack are countless. From Ukraine to America, adversaries are already waging cyber warfare, attacking or probing energy, nuclear, aviation, water and critical industrial, manufacturing infrastructure/assets. As such, expert knowledge, advanced threat modeling and threat intelligence together with good communication enterprise-wide of the threatscape; upskilled (strategic and technical) staff training; AI and IoT risks absolutely should be part of a strong risk analysis regime. And critically, with robust:

Cyber Resiliency and Antifragility as strategic imperative, and sign of responsible leadership

A seasoned Security professional constantly thinks of Risk Management holistically. Hence, Risk Management today is not “your grandfather's” traditional definition but in fact (Cyber) Risk Management. And PricewaterhouseCoopers apt definition bolsters my point:

“Cyber risk management is the coordinated management of intelligence, technology, and business operations to effectively manage an organization’s business information assets to prevent unwanted consequences. It is the process by which a business protects its critical assets and reputation from external and internal threats from individuals or organizations, but it is not limited to technical measures. Increasingly, financial institutions should now see cyber risk management as an integral aspect of managing their business and controlling risks.”

The security and strategy-oriented professional somehow assimilates both the 5 Tips for Better Enterprise Security even as he assimilates my more scalable tips below:

Time/responsiveness; people, employees, culture, training; software development; process management, are all linchpins of human risk. Developers too. Mismanage them, and business missions together with cyber security, fail. As Peter Drucker aptly said: “Time is the scarcest resource and UNLESS it is managed NOTHiNG else can be managed.” Philosophical?

Listen to U.S. intelligence chiefs lamenting agencies' lack of speed and agility during Russian cyber and hybrid warfare in the 2016 U.S. Presidential Election.

To manage your first risk, set out to build a highly risk intelligent and risk mature, Zero Trust culture that is obsessed with significantly and constantly seeking to reduce its attack surface knowing that data is a toxic asset. Radical cyber, mobile and social media security solutions are here. But first:

All this applies to small businesses seeking to beef up their cyber security hygiene too. Whether you're talking business performance, personal achievement, customer or patient data loss, costly high profile data breach or ransomware attack, most resounding strategic failure begin there. Hence, the case for NIST's Privacy Framework for mitigating privacy breach and organizational risks, beyond compliance. Moreover, from Social Engineering, highly sophisticated Phishing and BEC (Business Email Compromise) fraud and scams, to insider threat types like Edward Snowden, mind your vendors and the contractors you outsource talent acquisition to.

Know your Risk Appetite and be realistic about aggregate costs.

Or wing it at your own peril. But know that advanced insight at the board level doesn't come by putting the wrong people there.

Better security awareness — the type that makes organizations today threat smart and therefore ready and/or able to mitigate risks come through investment in training. And transformational training that both assures advanced insight and delivers better security by selecting the right people in the first place.

People, by the way, who's maximum risk vigilance/mindset encapsulates vendors, partners and all third parties with access to your network.

That's why no matter how small or big you are, the earlier you understand that Risk Management and Information Risk Management today is not a theoretical matter left to 'old guards' to mismanage, nor data breach the problem of some 'other' company or person in some 'other' continent, the better the chances of your company's survival. But of course, you don't have to take my word for it.

Just ask The Hacked Team, or click above to see how hacked companies are fighting cyber crime globally.

User ignorance/incompetence — often the enabler of serious security breaches — is bad enough. But even worse, the makeup of board that doesn't appreciate the risks an organization faces. It'd from there that incompetence trickles downward. What visionary, well-informed leadership does best is remain cognizant of its own incompetence, outsource what it doesn't know while sticking to, and leveraging what it does. Moreover, the best of them go farther than that, —with robust cyber risk insurance as an added layer of defense. These are the well-led organizations nailing readiness as a component of risk management done right. The ones best positioned to tackle everything from sophisticated supply chain attacks to as-a-Service crimeware. Including these dreaded threats:

What I recently found at a heavily under-resourced, under-performing and under-utilized holdings group seeking to simultaneously fill several C-Level roles one of which it flew me into Africa for, was a command-and-control mindset by 'old guards' with no concept of critical assets, Business Impact/BIA or software supply chain security, let alone how to properly scope projects, optimally execute strategy; constantly interfering; in denial, and out of touch vis-à-vis competitive landscape, threatscape of The Group, and critically, the scale of effort/time resources required to address such challenges, balanced against their cyber risk appetite. Precisely the kind of leaders to appreciate the weaponized Artificial Intelligence too late.

When Chinese megastar Jackie Chan said in an interview that people kept copying his style, comedy and stunts until he started doing dangerous stunts and “nobody copied me anymore”, he was demonstrating asymmetrical resilience & IP acumen worked into competition and business sense. A level of sophistication the old guards at the abovementioned organization lacked, —despite things looking OK in the short term.

BEC, BPC, and Targeted Attacks are all opportunistic crimes. And their cavalier attitude to risk makes them tomorrow's likeliest high profile data breach victims. All because from the boardroom right down to management, the corporate structure made it any hacker's Social Engineering, Phishing or Spear Phishing goldmine. And if Verizon can be social engineered by teens to hack CIA Director John Brennan's private email, isn't it time to concede that (Cyber) Risk Management is fundamentally a mindset/healthy paranoia that repeatedly MUST be drilled into any culture and leadership that claims to take security and data protection seriously?

Ignore Social Media Security at your own peril.

We live in a Social Media era where, unable to hide or spin crises or bad PR, CEOs and directors of government agencies alike, are the face of the organizations they lead. In fact, they're not just the face but both a prime security risk and target. Whether they like it or not. And not just CEOs but the entire C-Suite, organizations government agencies as well, are one major security incident away from irreparable reputational damage.

For that reason alone, the importance of the quality of decisions you make, the makeup of entire boardrooms — high quality, security-minded professionals in touch with the times with a history of good judgement, successfully executed — plus, a threat smart CXO as well as CHRO/HRM minds, is vital.

No. We're not talking about hiring people who'll erect innovation barriers at every turn.

Rather, you want the Satya Nadella(s), Mark Zuckerberg(s), Sundar Pichai(s) who come in armed with data; obsessive about merciless testing — always ready to work data and design thinking into strategy execution, like PepsiCo's Indra Nooyi.

These are the leaders intelligently approaching the vision, change and the results they want implemented from a position of business acceptability balanced against risk profiling. Always prepared to outsource what they don't know — as Zuckerberg has repeatedly done so well via the likes of Sheryl Sandberg, and countless other smart hires and acquisitions — while sticking to what they do best. And speaking of smart hires, a thorough regularly reviewed system for keeping corporate security bypass miscreants in check also matters.

Is it any wonder then, that despite expected privacy breaches, the 1.5 billion user Social Network behemoth hasn't suffered the kind of crippling security breach(es) that beset other organizations, governments and institutions?

Drawing naive untested conclusions about the imagined security of your devices, software, business units, key partners (and not hiring the right threat smart strategists); or the relative weakness of your competitors, is leadership based on wrong data. Remember Sony in 2014? Had Indra Nooyi done that, neither she, not PepsiCo would have done so well. And you can add Microsoft's resurgence since old guard Steve Ballmer's exit and Satya Nadella's entry to that equation as well. Hence the (blog's theme) video.

The lessons from #2 (in particular) and 3 above are easily applicable to cybersecurity, connected home and/or IoT/IIoT devices, and can be used for home security as well. Yet, the mind-boggling levels of complacency and ignorance most users attach to their (nonexistent) data security posture, as borne out by the latest research, is sobering. Detailed study here. Zoom below:Nothing, except more consumer devices, funny cats and dancing pigs videos and memes to distract the same selfsame users who draw naive conclusions about the imagined security of their devices, has changed since. I'll spare you personal/user stories from IT and InfoSec risk problem solving.

Are you organizationally in the position to make the 6-step shift from Cyber Security to Cyber Resilience? Because old guards should get to stay only if they have the discipline to get out of the way of fresh thinking. But the key to intelligently implementing (information) risk management while profitably innovating and keeping cost in line, is effectively tying all of the above together.

In the case of home security, the suggestion about every household having a CISO isn't at all a bad idea. It may for example be the Social Media savvy, highly mobile and threat smart teen rather than the father who worked for IBM ages ago who's better qualified.Be it a government agency, corporate board or academic institution, case of home security, the slower you act, the more likely you are to be the next #OPMHack as the bulk of the strategic heavy-lifting is cultural. And security awareness suffers in any culture where C-Suite demanding “a return on investment forecasts even for something as simple as training employees” to better handle file sharing apps and technologies they’re given so as to keep critical data assets secure while old guards consistently kill innovative ideas bolstering overall security, becomes a distraction. The same leaders who wouldn't underinvest in cyber security if they at least read leading non-technical media.

Nevertheless, ultimately, the real question is: Why would any rational person, organization, or leader WANT to be a cyber crime magnet? If you don't, then click/tap/zoom (below), study, and resist!The same way you can't get excited about IoT, BYOD, or the Cloud and throw your devices and personal data at them without a good understanding and mitigation of inherent risks, the HR burden — which cannot be emphasized enough — begins with hiring right in the first place. That means, a threat smart culture begins with a threat smart HR and C-Suite synergy committed to minimizing the human risk factor as part of a robust, Insider Threat and hard to Social Engineer culture/organization.