
Risk management key to cyber security, says Bank of England CISO

An essential part of information security is identifying and managing the risks, experts tell the European Information Security Summit 2016

Risk management is a vital component of any cyber security strategy, security experts told the European Information Security Summit 2016 in London.

And having a strategy is important, they said, because cyber criminals have a strategy – of using all available means to achieve their aims.

“But cyber risk is not about technology alone; it is also about people and processes, and therefore it is about leadership and management,” said Will Brandon, chief information security officer at the Bank of England.

It is important for business leaders to own the risk, he said, but that means they need to understand the risk before they can manage it.

“Any cyber risk is a combination of threats, vulnerabilities and assets – and all three have to be present for a risk to exist,” said Brandon.

Apart from understanding what the most likely threats are, organisations need to identify their assets – the data and systems that matter most – and the vulnerabilities in them.

Organisations can most effectively address vulnerabilities by focusing on their people, processes and technologies, identifying weaknesses and mitigating those as much as possible.

According to Brandon, every organisation needs a range of mitigations and controls aimed at reducing the risk of the most likely threats.

This requires drawing up and maintaining a risk register to score and prioritise risks, and establishing some form of risk governance process that includes the risk owners – who are responsible for business-critical data and systems – as well as representatives of IT security, information security, procurement, human resources (HR) and legal.


Assess risk to predict attacks

Understanding the risk is important, as was illustrated by Japan’s failure to cope with the consequences of the earthquake that hit Miyagi and Fukushima prefectures in 2011, said Andrzej Kawalec, chief technology officer at Hewlett Packard Enterprise.

Failure to understand the risk of a tsunami resulting from earthquake activity, he said, meant Japan did not have the necessary processes in place, resulting in sea defences being overwhelmed, power generators knocked out and the meltdown of the Fukushima nuclear power plant.

Risk assessment is a key component of predicting not just natural disasters, but also cyber attacks, he said – and that prediction is vital in informing organisations how to prepare for, detect and respond to them.

Another key element of risk that tends to be overlooked is the risk associated with sharing information with customers and partners, said Adrian Davis, managing director for Europe at (ISC)2.

“Sharing information is essential for modern businesses, but it is also risky – the key question organisations should ask themselves is exactly who is sharing information, what they are sharing and who will see that information?” he said.

Share data - but in the right way

Davis cited the example of an aircraft industry engineer who was looking for a particular hydraulic pump and inadvertently shared the blueprints of a new aircraft along with the hydraulic pump requirements with a prospective supplier in China. This resulted in the blueprints being made widely available online before the aircraft manufacturer was able to get them removed.

Organisations need to factor in security across their supply chains, said Davis, and recognise that sharing information automatically changes their risk posture – possibly in ways that are difficult to quantify.

However, he said failure to share threat information will give cyber criminals an advantage because they are extremely good at information-sharing to achieve their goals.

“If business does not share cyber attack information, it will make everyone more vulnerable, and the bad guys will win and ruin the best engine of economic growth in years,” said Davis.

Mike McLellan, head of incident management at Cert-UK, said sharing information about threats and best practice is a valuable tool in achieving effective risk management.

But Julian David, chief executive of TechUK, pointed out that, according to a recent IBM Security survey, while over half of CEOs polled agreed that collaboration is necessary to combat cyber crime, only a third were willing to share their organisation’s cyber security incident information externally.

How to estimate risk appetite

Echoing Brandon’s comments, David said it was vital for organisations to understand what is important to them at all levels of the organisation – including the board – and to use that as the basis for all risk-management processes.

Brandon said that, once an organisation has identified the risks, mitigations and planned mitigations, it is important for the chief information security officer (CISO) to find out whether the remaining “net risk” falls within the risk appetite of the risk owners.

He said the way to find out the risk owners' true risk appetite is to ask if they are happy to accept the net risk; and if they are not, to outline what effort and money it would take to reduce that risk.

Once risk owners have either approved further mitigations and controls or signed off on the net risk, they have taken ownership of the risk, and the CISO’s duty is done, said Brandon.
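The register-and-appetite procedure Brandon describes – every entry needs an asset, a threat and a vulnerability; risks are scored and prioritised in a register; implemented and planned mitigations are applied to get a net risk; and anything above the owner’s appetite goes back to that owner for a decision or sign-off – can be written down as a small programme. The following is an added example written for this page, not code from the Bank of England, Computer Weekly or any of the speakers. The 1–5 likelihood and impact scale, the per-owner appetite thresholds, the control names and the three register entries are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    """A mitigation attached to a risk. Reductions are points taken off the 1-5 scales."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0
    implemented: bool = True   # planned controls are tracked but do not lower net risk yet


@dataclass
class Risk:
    """One risk-register entry: a threat exploiting a vulnerability in an asset."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    owner: str
    likelihood: int          # 1 (rare) .. 5 (almost certain); scale is an assumption
    impact: int              # 1 (negligible) .. 5 (severe); scale is an assumption
    controls: list = field(default_factory=list)
    accepted_by_owner: bool = False   # owner has signed off the net risk as-is

    def __post_init__(self):
        # All three of asset, threat and vulnerability must be present for a risk
        # to exist, so an entry missing any of them is rejected at registration.
        for name in ("asset", "threat", "vulnerability"):
            if not getattr(self, name).strip():
                raise ValueError(f"{self.risk_id}: not a risk, {name} is missing")
        if self.likelihood not in range(1, 6) or self.impact not in range(1, 6):
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1-5")

    def gross_score(self) -> int:
        """Risk before any controls: likelihood x impact."""
        return self.likelihood * self.impact

    def net_score(self, include_planned: bool = False) -> int:
        """Residual ('net') risk. Only implemented controls count unless include_planned is set."""
        like, imp = self.likelihood, self.impact
        for c in self.controls:
            if c.implemented or include_planned:
                like -= c.likelihood_reduction
                imp -= c.impact_reduction
        return max(1, like) * max(1, imp)


def prioritised(register: list) -> list:
    """Highest net risk first; ties broken by gross score so large unmitigated risks surface."""
    return sorted(register, key=lambda r: (r.net_score(), r.gross_score()), reverse=True)


def needs_owner_decision(risk: Risk, appetite: dict) -> bool:
    """True when net risk exceeds the owner's appetite and the owner has not signed it off."""
    return risk.net_score() > appetite[risk.owner] and not risk.accepted_by_owner


def register_report(register: list, appetite: dict) -> list:
    """One line per risk in priority order, flagging those the CISO must take back to the owner."""
    lines = []
    for r in prioritised(register):
        flag = "OWNER DECISION NEEDED" if needs_owner_decision(r, appetite) else "within appetite or accepted"
        lines.append(f"{r.risk_id} {r.asset:<18} gross={r.gross_score():>2} "
                     f"net={r.net_score():>2} owner={r.owner:<20} {flag}")
    return lines


# Constructed sample data: maximum tolerable net score per risk owner (assumed values).
APPETITE = {"Head of Payments": 6, "Head of Engineering": 9}

# Constructed sample register (assets, threats, vulnerabilities and controls are illustrative).
REGISTER = [
    Risk("R1", "payment gateway", "financially motivated intruder", "unpatched internet-facing VPN",
         "Head of Payments", likelihood=4, impact=5,
         controls=[Control("14-day patch SLA", likelihood_reduction=2),
                   Control("network segmentation", impact_reduction=2, implemented=False)]),
    Risk("R2", "design documents", "leak to prospective supplier", "no outbound document checks",
         "Head of Engineering", likelihood=3, impact=4,
         controls=[Control("supplier NDA", impact_reduction=1)]),
    Risk("R3", "office wifi", "opportunistic attacker", "weak pre-shared key",
         "Head of Engineering", likelihood=2, impact=2, accepted_by_owner=True),
]

if __name__ == "__main__":
    for line in register_report(REGISTER, APPETITE):
        print(line)
```

In the sample register, R1 has a gross score of 20; the implemented patching control brings the net score to 10, which is still above the Head of Payments’ appetite of 6, so the CISO has to go back to that owner with the cost of the planned segmentation control (which would bring the net score to 6) or ask them to sign off the residual risk. R2 sits exactly at its owner’s appetite and R3 has already been accepted, so neither needs a further decision.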
