It is easy to be glib in answering a question like this and to say that the best indicator would be no incidents, no breaches, no anything.
However, as we all know, absence of evidence is not evidence of absence, and doing cyber security badly but being lucky looks exactly the same as doing cyber security well. A quiet quarter may mean nothing was there to find, or that nobody was looking. Cyber security risk indicators must therefore rest on actual evidence of what is being looked for and found, not on bias, ignorance or blindness to something that ought to have been detected.
It is not as simple as asking for a single risk indicator (RI). As much as our boards would wish to see cyber security distilled down to something as simple as this, the threat landscape and our own vulnerabilities are too complex for this to have any real meaning.
Leadership must roll up its sleeves and have a meaningful dialogue about the key cyber security risk areas: the behaviour of people, failures of systems and technology, failures of internal processes, and external impacts and hazards. In other words: the people, the places, the information and the technology.
The prevailing attitude of expecting the IT security team to manage all RIs is not sustainable, effective or even useful. In part, this is because all we are then likely to get are technical measurements (this many hits on the firewall, this many inbound viruses stopped, this many port scans blocked), which are usually meaningless and indecipherable to the board: they count activity, not risk, and say nothing about what got through or what would happen if it did.
Meanwhile, the IT security team is left completely overwhelmed with data, while the business remains starved of insight. And, in part, it is because of the truth staring us in the face: the majority of data breaches and cyber incursions are not failures of IT security controls, but are caused by human error, loss of physical assets and cultural deficiencies.
Providing data is not the same as providing actionable insight. If we rely on being handed data and asked to draw our own conclusions, nothing resembling a coherent picture of risk will emerge.
Instead, we should be looking at a more intelligent, business intelligence-driven system of risk indicators, one that is linked into an internal ecosystem of devolved authority, accountability and risk ownership. This gives us strategic, tactical and operational risk indicators, each coupled with metrics that are defined consistently enough to allow repeatable measurement and trend analysis over time.
In other words, we will have meaningful and actionable insight, and those concerned in each area will know who owns the response to the indicator, what threshold triggers that response and what to do about it.
Strategic RIs are owned and reported at C-level, with an appropriate call to action:
- Cultural maturity
- Leadership engagement
- Security risks that exceed the current risk appetite
Tactical RIs are tasked from C-level and are reported, actioned and owned at senior leadership team (SLT) level:
- Cultural engagement
- Supply chain risk
- Education and awareness effectiveness
- Near miss trends
Operational RIs are tasked from SLT level and are reported, actioned and owned at middle leadership level:
- Near-miss reporting
- Local cultural assessments
- Pastoral care
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” – The Art of War
To expect our leaders and our organisations to succeed with limited insight into both the threat and our own ability to withstand it is to invite disaster. However, with greater insight and broader coordination, we can be strong and succeed in the battles to come.