Many years ago, I worked at an organization where I was told on my first day, "We never tell leadership they can't do something, we find a way." Granted, this was a government organization with a very serious mission—they couldn't afford to NOT do something because a security person needed to check a box.
Words to live by, as long as you understand the risk.
When we talk about cybersecurity today, there's one thing missing from the conversation, and that is common sense. If your goal is "better security" or "more monitoring" or "improving access control," well, we aren't doing those things just to be "more secure" or because we want to spend money. We do them to decrease the risk to business operations. Too often, we let the checklist get in the way of actually reducing risk.
If your goal as a security professional is something other than maintaining business operations when adversity (or hackers) strike, you're doing it wrong.
We can accept risk, avoid it, mitigate it, or transfer it, but we have to live with it. I worked with a client once whose CEO refused to have a password longer than two characters. No amount of discussion, persuasion, or education could sway him. Besides the obvious problem that security culture starts at the top, the security team was left with accepting and mitigating this risk as much as possible through other means. They worked hard to understand the actual risk to the business – does one person's password really make that much difference? (Debatable.) And is this indicative of a bigger problem that would make this person more likely to open a phishing email? (Absolutely.)
In this case, the security team applied three of the four risk treatment strategies. They couldn't avoid the risk, but they accepted some level of it, mitigated it with additional security controls and monitoring on this account, and then transferred the remaining risk back to the CEO. After all, executive leadership ultimately determines the level of risk they are willing to live with, and is responsible for seeing that systems and processes operate at or below that level.
I recently had a great conversation with Brian Contos about how our understanding of cyber risk has changed, whether risk management is an art or a science, and the difference between risk acceptance and risk tolerance. For more on all things risk related, check out the Verodin podcast.
Visit here to subscribe to the Verodin Cybersecurity Effectiveness Podcast, winner of the 2020 Cybersecurity Excellence Awards in the category of best cybersecurity podcast for a company with 1,000 to 4,999 employees. Listen in to our latest podcast series and gain insights from some of the most powerful women in cyber.