Government Keynote on Communicating Cyber Security Risk in a Meaningful Way
Director, Agency Partnerships, Digital Public Service Branch, Department of Internal Affairs
Understanding the Cyber Security Threat and Cost
In our modern world, especially since the start of the pandemic, the threat of cyber incidents has risen sharply, and cyber security protection is now a bigger issue for every industry than it was just a few years ago. Yet Chris Buxton, the Director of Agency Partnerships in the Digital Public Service Branch at the Department of Internal Affairs, who is also the Chief Digital Officer at Stats NZ, says that “how we talk about cyber risk is one of the fundamental challenges that we have as a community.” The main reason is that almost all cyber incidents involve people – the very same people who run the organisations, arrange the protections and often create or are involved in the mishaps. So, “while people remain our biggest vulnerability, they are also our biggest defence.”
To combat the threat, it is very important to “communicate the cyber risk in a meaningful way,” but until now, “the reality is that we haven’t really been doing a particularly good job of it.” In large part this is because the threats and the risks have become “so incredibly large.” In some of the largest breaches, companies have been “losing millions of records which has caused them billions of dollars’ worth of commercial damage.” Beyond the damage itself, a figure like that is focused on a single measurable metric, which makes it hard to fully comprehend and even harder for executives to understand. They want to “translate the breach or the risk into a clear strategy and action plan that they can then invest in and do something about, but when the breaches and numbers involved are so large, it is too hard to understand and react to.”
Despite that, executives tend to understand numbers and how to calculate things, so one of the ways to help them understand the threat and the risk is through “cost modelling.” For instance, before a breach occurs, there are costs associated with “detection and escalation,” but these measures are often not enough to stop a breach. Then there is the “post breach response, notification costs and lost business costs.” Each is different and necessary, and it is not “just all about the clean-up.” As the scale of a breach increases, “the cost increases too.”
In 2018, IBM calculated the cost of a data breach. They found that the average annual inflation rate of a breach is 6.4%, “so the cost is constantly going up,” whilst the cost per lost or stolen record in 2018 was $148, “but that is in American dollars, so it is at least about $200 per item in the New Zealand context now.” That is a significant figure, but since it takes into account all of the associated costs (mentioned above), it makes it easier to translate that into “the actual financial impact of a compromise on a system and lets us start to explore different strategies on how to deal with the cost.”
Communicating the Cost and the Risk
Having the executives better understand the cost and the risk is one thing, “but we have to communicate it to the whole organisation. We can’t ignore the lower levels.” One way to do that is to “build a security metrics program,” and then link that “to a portfolio management approach.” In other words, the threats and risks need to seem real and need to be “translated into a business context.” This means “understanding your key business outcomes, your cyber capabilities that deliver those outcomes, and then looking at the risk(s) associated with those to get a clear line of sight between your digital and cyber risks, all the way through to your business impacts as an organisation.”
However, the spanner in the works is that “different industry sectors have different regulatory requirements and different reporting requirements, so therefore potentially very different costs.” This means that whilst establishing all the elements is still important, customisation is also critical. Every industry and every organisation “have a different way of looking at things.” Therefore, the real crux of the matter is that each organisation can “tell their own stories around the data and the process.” These stories are or should be about “how you take a risk, turn it into a real scenario, and then apply it directly to a business function.” They are about putting the risk “into the context of an employee to help them understand what the real impact for them is in each scenario.” That creates the awareness and understanding that often seems to be missing.
Whilst these stories can be verbal or even in written form, they can also be visual. For instance, a Gemba Board is one way of depicting “problems or values in a visible way.” The issue with that, however, can be that “threats and vulnerabilities become front and centre, and once they are publicised, they are more likely to be compromised. So there needs to be a balance between making them visible so that people understand the risks, and also dealing with them as an organisation.” There is no single correct method or prescription for this, because every organisation and maybe even every individual needs to find a methodology that they are comfortable with. The risks and threats do, however, need to become “ingrained in the psyche” of each worker, but how that happens is up to them.
For executives or others with access, dashboards are another way of visually depicting the risks. “They can aggregate the data together at a portfolio level to give them a very clear picture of what are the risks that executives actually need to worry about. Ultimately, having something the executives can actually do is what you want to try and get down to.”

However, protecting against risks and vulnerabilities is not just about patching. For any cyber system, patching should be a regular occurrence that happens almost without any intervention; it is the bare minimum that every system needs to have in place. “The reality is though that many patches are outstanding and often people spend their time focussed on the patches” rather than on more serious and external risks. This is especially true when it comes to “legacy challenges and other business priorities.”

The solution therefore is “to think differently.” Rather than looking at “a big catalogue of metrics or trying to answer all the world’s problems,” the better way of looking at risks and vulnerabilities is by “targeting what the organisation is worried about today, and then iterating.” This means looking at the portfolio management, creating great stories, talking about risk management in a meaningful way that makes sense to the employees, and adjusting at each step of the process. It also means getting feedback from the executives and the other employees as well as customers, and “developing a cyber security communication program the same way you would for software development.” That means “start small, start early, get feedback and learn as you go.”
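The cost model from the keynote (IBM's 2018 per-record figure inflated at 6.4% a year and converted to New Zealand dollars) and the portfolio-level aggregation that a dashboard shows, written up as an added example that is not part of the keynote or its summary. The exchange rate, the scenario names, record counts and annual likelihoods are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Figures quoted in the keynote (IBM 2018 study, in US dollars).
IBM_2018_COST_PER_RECORD_USD = 148.0
ANNUAL_BREACH_COST_INFLATION = 0.064   # 6.4% per year
# Assumed USD->NZD rate for illustration; not a figure from the keynote.
USD_TO_NZD = 1.45


def cost_per_record_nzd(year: int, base_year: int = 2018) -> float:
    """Inflate the 2018 per-record cost forward to `year`, then convert to NZD."""
    years_elapsed = max(0, year - base_year)
    usd = IBM_2018_COST_PER_RECORD_USD * (1 + ANNUAL_BREACH_COST_INFLATION) ** years_elapsed
    return usd * USD_TO_NZD


@dataclass(frozen=True)
class Scenario:
    """A risk turned into a concrete scenario and tied to one business function."""
    business_function: str
    records_exposed: int        # how many records this scenario would compromise
    annual_likelihood: float    # assumed probability of occurrence per year (0..1)

    def impact_nzd(self, year: int) -> float:
        return self.records_exposed * cost_per_record_nzd(year)

    def expected_annual_loss_nzd(self, year: int) -> float:
        return self.annual_likelihood * self.impact_nzd(year)


def portfolio_view(scenarios, year: int):
    """Rank scenarios by expected annual loss and total them, as a portfolio dashboard would."""
    rows = sorted(
        ((s.business_function, s.impact_nzd(year), s.expected_annual_loss_nzd(year)) for s in scenarios),
        key=lambda r: r[2], reverse=True,
    )
    total_eal = sum(r[2] for r in rows)
    return rows, total_eal


if __name__ == "__main__":
    # Constructed scenarios for illustration only.
    scenarios = [
        Scenario("Customer portal", records_exposed=10_000, annual_likelihood=0.10),
        Scenario("Payroll exports", records_exposed=500, annual_likelihood=0.50),
    ]
    rows, total = portfolio_view(scenarios, year=2021)
    for function, impact, eal in rows:
        print(f"{function:<18} impact NZ${impact:>12,.0f}  expected annual loss NZ${eal:>10,.0f}")
    print(f"Portfolio expected annual loss: NZ${total:,.0f}")
```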