The marketing of most cyber risk assessment tools seems wrong. You’ve heard the pitch: Security and business ingredients are tossed into some risk-o-matic for blending. The high-speed mix button is pushed, and report evidence then pops out to show senior management what a total loser you are. And yes, I get that highlighting security risks on a dashboard is needed for proper investment – but I’m just saying.
The reality – and by spilling the beans, I feel like that old Fox TV program that exposed the secrets of magicians – is that most cyber risk managers intentionally tweak risk inputs to ensure palatable output. This is not dishonest, mind you – because we all know how to game a questionnaire. But the process is distorted by the obvious recognition that it is in the interest of the security team to get at least a B-minus.
Last week, I had the pleasure to share coffee at Jack’s Stir Brew in Tribeca with one of the great minds working this challenge of optimizing risk assessment, Elon Kaplan from Cytegic. Possessing a PhD degree in organizational psychology, Elon has built, with his team, one of the finer platforms I’ve seen for collecting manually-derived and automatically-generated environmental and threat input to determine risk posture.
Elon first sketched for me the advanced features of his platform and how it effectively integrates the following: (1) Details offered about the local environment, (2) automated threat feeds from a variety of heterogeneous sources, and (3) specifics about the consequences of local assets being attacked. As I’ve been telling my graduate students for decades, these are precisely the three factors required to estimate risk accurately.
I then asked Elon about this issue of people-like-me not wanting people-like-our-bosses or people-like-our-customers to know the true nature of our cyber risks. He smiled, and responded with an idea that seemed as clever and original as any I've heard in the past thirty years – and I mean that. Elon outlined for me a creative concept in cyber risk management that I’d honestly never imagined:
The idea is this: The Cytegic team has engaged the formal partnership of legal counsel in the provision of their platform so that running a risk assessment can be performed under attorney-client privilege. Wow. Now I know this will not prevent your nosy boss from whining about all that risk still sitting around. But it will prevent the results of an honest assessment from being demanded by any external entity.
OK, OK – I can see you shifting in your seat, but let’s be 100% honest: Every cyber security team has some dirty risk laundry in the process of being sent off to the cleaners. The fear of discoverable output on a risk report prevents many CISOs from being willing to submit to the process in a truly open and honest manner. This clever idea of offering legal cover seems a good option in such cases.
The benefits of having your CISO comfortable with a risk tool should be obvious. For example, most platforms, including the Cytegic product, include up-front an assessment that requires judgment calls. If the CISO has the faintest hint that answers might be scrutinized later, then forget about unbiased honesty. “If you ask a security team about their firewall under these conditions,” Elon said, “then they will say they love it.”
I now believe that cyber security risk platforms should support a more introspective self-assessment process. CISOs and risk teams should feel 100% free to enter a brutally honest description of vulnerabilities without fear of the results being somehow discoverable. Managers can contribute to an improved atmosphere by allowing the CISO the same level of confidentiality as a pre-teen might given with a diary.
Take some time to have a look at the Cytegic platform, and if you like the idea of allowing yourself (or your CISO) the incredible gift of private assessment, then call Elon and he can explain how his team can help. With so much emphasis lately on cyber risk assessment, taking these steps to enhance the output of the process toward a more honest and accurate view might be the best decision you make all year.
Let me know what you think.