Why Move Cybersecurity From Compliance-based Risk to Risk-based Compliance?
Updated: Jul 8
Compliance-based Risk Management is often adequate for regulatory and customer trust frameworks but is of little use in managing cybersecurity as a strategic business risk and collaborating on investment priorities with business leaders who set budgets.
Risk-based Compliance Management addresses the gap between security teams who measure security control efficacy in technical terms and business leaders who think about the reduction of cyber-related business risks in financial terms.
While frameworks such as the NIST Cybersecurity Framework outline support for operational risk decisions, they fail to provide a process that addresses the complexity of cybersecurity. The interaction among controls, threats, and attack paths affects the relationship between control efficacy and business risk reduction in unexpected ways.
Monaco Risk provides both a process and the simulation software required to bridge the cyber control – business risk gap. Monaco Risk’s Cyber Defense Graph™ and financial models help CISOs collaborate with business leaders who set cybersecurity budgets. Our software connects cyber control efficacy to cyber-related business risk reduction in dollars.
Compliance-based cyber risk management is our term for a “risk management” process that’s adequate for ISO 27001 certification and SOC 2 accreditation but does not help security teams prioritize control investments or enable business leaders to manage cyber-related business risks. CISOs and their security teams treat it as a checkbox process.
These frameworks and others including the NIST Cybersecurity Framework are often used to drive cybersecurity programs. However, they do not provide guidance to CISOs who must collaborate with business leaders to set strategy and budgets for the organizations’ cybersecurity programs.
Nor do these frameworks help CISOs and security architects prioritize control investments for a defense-in-depth architecture customized to their organizations’ specific business goals and culture.
Lists of controls do not address the complex interaction of attack surfaces and attack paths, threats, and controls. The efficacy of a control when evaluated in isolation does not necessarily reflect its risk reduction value when deployed in concert with dozens of other controls. Most critical is the inability to tie control efficacy to business risk reduction in dollars.
Compliance frameworks depend on risk registers as proof of a risk analysis process. The risk for each item in the risk register is typically calculated by multiplying a number (1-5) for likelihood by another number (1-5) for impact. The results are color-coded (red-amber-green) in a 5x5 matrix.
There are several problems with this approach:
Risk Register items too often are a mix of weaknesses, control deficiencies, and “loss events.” In reality, there are only a small number of loss events that are of concern to business leadership. Furthermore, the same weakness or exposure, like slow patching cadence, or low MFA coverage, can lead to multiple loss events such as ransomware and sensitive data exfiltration.
Calculating the risk of a loss event by multiplying “ordinal” numbers (1,2,3,4,5) representing likelihood and impact respectively is misleading. One risk might have an impact of 5 and a likelihood of 1 for a score of 5. A second risk with an impact of 3 and a likelihood of 2 is scored as 6. Does this mean the latter risk should be addressed prior to the former? There’s no way to know. And the numbers selected are difficult to justify. Furthermore, the multi-colored heat maps based on this oversimplified analysis lead to erroneous decisions.
Risk Register items are rarely independent of each other and cannot be treated as independent events. So comparing them, or adding up the risk register items, is misleading. In the example above, might there be dependence between the two risks? Might there be exposures, attack paths, and/or controls that would affect both?
When dollar losses are calculated without taking into consideration the efficacy of controls, the results are not meaningful. The efficacy and costs of controls must be part of the risk management process because controls are, by definition, the tools for reducing the likelihood and impact of loss events.
Risk-based compliance management is our term for a process that treats cyber risk as a strategic business risk. It starts with identifying the loss events of concern to business leaders because business leaders set cybersecurity budgets and manage strategic business risks.
Instead of being just a component of a compliance framework, risk management becomes the overarching driver of the cybersecurity program. This aligns security teams with business leaders who focus on protecting revenue-generating business processes, critical assets, capital, and cash flow.
The lists of requirements in compliance frameworks are the “what we need to do” activities of cybersecurity. But a risk-based approach is needed to address the “how to implement” trade-offs that must be made due to limited budgets and resources.
Cyber risk and risk reduction investments that are communicated to business leaders in financial terms enable them to include cyber risk in their overall risk management budget allocation process.
Business leaders need to know:
How much business risk are we taking based on our current cyber posture? Do we understand the costs of a material cyber incident?
Do we have adequate capital reserves to sustain the organization should we experience a material loss? Are we resilient to material losses resulting from a successful cyber attack?
How much cyber insurance do we need and can afford? What controls do we need to implement to either reduce cyber insurance costs or increase coverage?
Do we need to expand our cybersecurity budget, or can we reduce cybersecurity costs?
Are we optimizing our current cybersecurity budget?
Business leaders are responsible for deciding how much cyber-related business risk they take on, the amount of capital reserves they will maintain, how much cyber insurance will be purchased, and the cybersecurity budget.
CISOs must provide sufficient information to enable business leaders to make informed decisions. This means connecting the technical metrics of cyber controls to business risk in dollars. This is difficult due to the complex interaction among controls, threats, attack surfaces, and attack paths into and through an organization.
Organizations deploy dozens of controls. MITRE ATT&CK® defines hundreds of threat types. And there are thousands of interleaved and overlapping paths into and through an organization that an attacker can traverse.
Monaco Risk provides a quantitative risk management process and software that models this complexity to support the security team’s efforts to collaborate with business leaders.
Monaco Risk's Cyber Risk Process
Monaco Risk's cyber risk quantification approach is used in two ways – strategically for prioritizing major control investment projects and tactically for day-to-day decisions typically involving exceptions to policies like postponing a patch or onboarding a non-conforming vendor.
Our initial project with a client is typically strategic, and has three key tasks:
1. Define the loss events of concern to business leadership
Loss events include the revenue generating business process, critical assets/data, and related costs. An example for a manufacturer might be disruption of a manufacturing process via ransomware that stops the production of a product. For a retailer it could be disruption of the order-taking process that pushes customers to seek an alternative retailer.
We start with loss events of concern to business leaders for four reasons:
Risk by definition is about loss events. Loss events have a likelihood and impact which together determine how the event could affect the business goals of an organization.
This gives the CISO the opportunity to engage with business leaders on their terms, i.e., the cyber-related loss events that would impact the business.
Loss events give CISOs context to help prioritize control investments.
When CISOs present budget requests, they are in the context of those loss events the business leaders already expressed concerns about.
2. Baseline current cyber posture
Our Cyber Defense Graph™ statistical simulation software enables us to capture the complex interaction of threats of different capabilities, overlapping attack paths, and controls deployed at different levels of efficacy and coverage.
Traditional risk management decision-support tools like matrices, decision trees, attack trees, and bowtie diagrams do not adequately support the complexity of cybersecurity – dozens of controls, hundreds of threat types (as defined by MITRE ATT&CK®), and thousands of interleaved attack paths into and through an organization.
3. Evaluate alternative risk mitigation investments
During the baselining step, a set of proposed control improvements are surfaced. We define “what-if” scenarios representing alternative control investments individually or in combination. Our software generates visualizations that display these alternatives compared against the baseline in dollars.
Connecting control efficacy to risk reduction in dollars enables CISOs to collaborate with business leaders in the terms they are familiar with.
Quantifying and Visualizing cyber-related business risk
Baseline risk and impact of control improvement scenarios are shown in quantitative visual terms using two key methods - Loss Exceedance Curves and ROI.
Loss Exceedance Curves (LECs) are used to forecast the range of probabilities of dollar losses of cyber incidents that can happen in the future. This visualization exposes the true nature of rare but high-impact incidents to decision-makers. This is not unlike the way AccuWeather forecasts snowstorm accumulations. Here is a link for more information on Loss Exceedance Curves: https://www.linkedin.com/pulse/cybersecurity-risk-management-transformed-bill-frank/
LECs show the effect of the various what-if scenarios compared with the baseline risk, in probabilistic dollar terms. They help CISOs collaborate with business leaders to come to a mutual agreement on risk appetite, set cybersecurity budgets, and determine the amount of cyber insurance and capital reserves needed.
Return on Investment (ROI) shows the impact of the alternative what-if scenarios, taking into consideration the acquisition, implementation, and maintenance costs of controls as well as risk reduction.
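To make the two visualizations concrete, here is an added example (not Monaco Risk's software or model) that builds a loss exceedance curve for a baseline and one what-if scenario by Monte Carlo simulation and computes ROI for the control. The incident probabilities, lognormal severity, control cost, and the ROI formula are all constructed assumptions.

```python
import math
import random
from statistics import mean

def simulate_annual_losses(p_incident, median_loss, sigma, trials=20000, seed=7):
    """One simulated dollar loss per trial year (0.0 when no incident occurs)."""
    rng = random.Random(seed)  # same seed per scenario = common random numbers
    mu = math.log(median_loss)
    losses = []
    for _ in range(trials):
        u = rng.random()                          # does an incident occur this year?
        severity = rng.lognormvariate(mu, sigma)  # its cost if it does
        losses.append(severity if u < p_incident else 0.0)
    return losses

def exceedance_curve(losses, thresholds):
    """P(annual loss > t) for each dollar threshold t."""
    return [sum(x > t for x in losses) / len(losses) for t in thresholds]

def roi(baseline, what_if, annual_control_cost):
    """(expected-loss reduction - control cost) / control cost (assumed formula)."""
    reduction = mean(baseline) - mean(what_if)
    return (reduction - annual_control_cost) / annual_control_cost

# Constructed inputs, not taken from the article or any real organization.
THRESHOLDS = [0, 1_000_000, 5_000_000, 10_000_000]
BASELINE = simulate_annual_losses(p_incident=0.20, median_loss=2_000_000, sigma=1.0)
WHAT_IF = simulate_annual_losses(p_incident=0.08, median_loss=2_000_000, sigma=1.0)
CONTROL_COST = 150_000  # assumed annual acquisition + implementation + maintenance

if __name__ == "__main__":
    base_lec = exceedance_curve(BASELINE, THRESHOLDS)
    what_lec = exceedance_curve(WHAT_IF, THRESHOLDS)
    for t, b, w in zip(THRESHOLDS, base_lec, what_lec):
        print(f"P(loss > ${t:>10,}): baseline {b:.3f}  what-if {w:.3f}")
    print(f"ROI of the what-if control: {roi(BASELINE, WHAT_IF, CONTROL_COST):.2f}")
```

Because both scenarios reuse the same random draws, the difference between the two curves reflects only the change in incident probability, not sampling noise.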
To summarize, moving from compliance-based risk management to risk-based compliance management enables CISOs to collaborate with business leaders on cyber-related business risks and improves budget allocation.
Compliance mandates are satisfied in ways that contribute to cybersecurity posture and optimize use of scarce resources.
Business leaders need to understand cyber-related business risks in financial terms, i.e., risk reduction in dollars and ROI, in order to include them with the other strategic risks they manage.
We have seen that our approach results in larger cybersecurity budgets because business leaders are more confident that the money is being well-spent.
This article first appeared on LinkedIn on June 20, 2023.