Getting Away From the Bear in the ForestMarco Túlio Moraes on Defining a Risk Management Strategy
It's amazing how often we create narratives to justify sometimes harmful biases. In cybersecurity, we have a metaphor about a bear that runs after people in the forest, which represents a cyberthreat attacking organizations.
Bears Are Everywhere
In this analogy, to run away from the bear, you do not need to run faster than him. Rather, you just need to be faster than the other people who are also in the forest. Then, they - not you - will be the bear's victims. In cybersecurity teams, the metaphor says that your company does not necessarily need to have very good security; it just needs to do a little more than its competitor does, which in many cases is not much.
The metaphor highlights the idea that we should take the risk of doing digital business at the cost of good cybersecurity. But "bears" are everywhere, and companies don't much care about who is running faster or slower, as they have all been easy targets.
The bear metaphor is silly, and rather than helping raise awareness of cyber risks, it creates confusion. The truth is that the basic safety hygiene we envision for cybersecurity is not practiced much. The level of exposure is such that while sophisticated attacks exist, a lot of the attacks we have seen are very basic.
In cybersecurity, the saying goes, "Being attacked is not a matter of 'if' - it's a matter of 'when.'"
That is true. A cyberattack can happen to anyone. But we cannot use that as an excuse for doing nothing or doing little. Otherwise, incidents may occur more frequently and their impacts may become increasingly worse.
The solution lies in understanding if our companies are safe and elevating the issue to a strategic agenda.
To determine if your company is safe, you must assess the following:
- What threatens your environment;
- What specifically in your environment is under threat;
- The likelihood that the threat will occur;
- The impacts if it does occur.
This is what we define as risk.
The National Institute of Standards and Technology defines risk as a "measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (1) the adverse impacts that would arise if the circumstance or event occurs; and (2) the likelihood of occurrence."
The risk management strategy is the heart of a structured security program.
Today, everyone is worried about ransomware, and that worry is valid. Be concerned about it. But the topic goes further, and it is essential that each organization look inside and understand what its main risks are and define a strategy to deal with them.
Do the basics of cybersecurity hygiene - fight for the basics - but understand that the risk management strategy is the heart of a structured security program. It is essential both to provide visibility and to support the business in making decisions on how to manage these risks and understand which business opportunities can be leveraged.
If you have not yet mapped your main risks, stop and do it now. Involve everyone who can help understand them and build a plan that makes sense to sustain, protect and enable the business, customers and stakeholders. Introduce it. Discuss it. Negotiate it. Implement it. And then reevaluate it.
And please, let's change that metaphor and get out of this forest right now.
CyberEdBoard is ISMG’s premier members-only community of seniormost executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.
Marco Túlio Moraes is CISO at OITI. He has 20 years of experience in technology, risks and InfoSec, with 10 years of international experience, in the financial, tech, health and retail/marketplace industries and in startups and utilities. Moraes developed one of the first cybersecurity programs in Brazil and was recognized by IDG in 2020 as one of the top 50 global CISOs.