It’s Cybersecurity Awareness Month!
We’re doing our part for #BeCyberSmart by focusing on the risk management aspect of cybersecurity in a three-part blog series. This week, we’re focusing on five cybersecurity risk mistakes and how to avoid them. Check out our other article, Cybersecurity Risk Management: Are Your Enterprise Architecture and Security Teams Lacking Engagement?
Mistakes are simply a part of the learning process. We’ve all had it happen: tried that, didn’t work, so we tried something else. However, we can avoid some mistakes simply by listening to the advice of others.
We wanted to share how we work with cybersecurity risk management internally, so we interviewed our Security and Risk Managers with their combined 42 years of experience. They shared some common mistakes they’ve experienced through the year and how they now work to prevent them within our company.
Hopefully, their mistakes can be a learning experience to help you avoid future headaches and mitigate cybersecurity risk.
5. Working With Unorganized Data
When we don’t understand the processes and systems in our business, we cannot hope to do a perfect job of assessing risk. Each department or segment of a company likely maintains an overview of their processes and systems, codified using their tools and terminology. That leaves us with different piles of data in mixed formats that don’t link to show the complete risk assessment picture.
In many traditional IT settings, governance and risk activities depend on a spreadsheet-based central repository, which is chronically out of touch with what people are using to get their jobs done.
To organize the data and get a representative overview, you need a flexible and dynamic solution to allow you to organize and analyze data on your business processes, systems, and more. In addition, it gives the ability to analyze, assess, and manage the risk.
In Ardoq, we naturally use our platform for Enterprise Architecture (EA) - we call it Ardoq-in-Ardoq. We send out periodic Surveys to our employees to have a complete As-Is overview of all our application assets. Having all our departments reporting their application assets in a consistent manner makes it easier to measure and manage the associated risks.
4. Complete Rigid Representation vs. Good Enough
In dinosaur days, risk assessments might take weeks or months to perform, especially if the assessments are outsourced to consultants with little or no prior knowledge of the organization. The assessment would invariably start with asking tons of questions, looking at the architecture diagrams, and trying to get an accurate view of the IT environment. Nothing could move forward without this first step.
Ideally, no one works this way anymore. However, aiming for completeness creates a perfectionist trap. When every detail of data is needed to move forward, the first step can be the last, and no risk assessment happens. It's better to understand the key or critical business functions as a starting point and work iteratively from there.
Our security team has identified two ways to move into a functioning and iterative risk overview. First, even if a company is just starting with EA, they will have a basic architecture description, which can easily be used to form a beginning risk assessment. It may not be 100% accurate, but 70% is much better than zero. It's better to measure something and build on it over time instead of waiting for unrealistic data completion. Second, if the platform can crowdsource what apps and systems people use internally, you cut down on your workload, get a quicker overview of what’s happening, and iterate over time.
3. Working With Too Much Low-Quality Data
Above we noted that incomplete data can still be enough. However, out-of-date data is a different story. If your network’s maps, application inventories, and process descriptions are a few years or months old, you could be measuring the wrong problem or scenario. For example, maybe your asset inventory shows that your document sharing system is sitting in your own data center, running on servers. However, in reality, your employees have all started using cloud options and are now storing all their documents there.
Essentially, this can be solved by interconnections. That is, collecting up-to-date information directly from systems that produce that information in real-time. In that case, you will be confident that you’ll have the current and authoritative information.
In Ardoq, we take advantage of our HR system’s open Application Programming Interface (API) to create a representation of our organization in the Ardoq platform. We bring in just enough information to represent our People and Departments in our Enterprise Architecture and synchronize the data regularly. When someone new joins our team, they automatically turn up in our People workspace and are included in Surveys e.g., as part of our application portfolio management.
Having up-to-date information from multiple data sources helps mitigate security risks. For example, combining information from our “People in the Graph” with data from our security awareness platforms helps us track department-level security awareness metrics and trends. As lower awareness would increase our risk of succumbing to attacks such as Phishing, tracking and gently nudging departments has helped us manage this risk.
2. Failing to Speak the Organizational Language
Cybersecurity and risk teams may talk about threats, vulnerabilities, zero-days, and how to minimize risk. Your Business teams, meanwhile, likely talk about how to deliver the best value. This doesn’t mean these teams are working at odds with one another, just that they’re coming from different perspectives. Each team will build an understanding of the organization based on their starting point, using different syntactic and semantic paradigms.
In our experience, the best solution is to develop a common language that can act as a bi-lingual dictionary, translating cybersecurity and other risks into a language the business teams understand. This solution doesn’t use words at all but rather visuals.
When we describe our organization using Ardoq, we leverage the concept of a metamodel, which gives us a common language that the whole of the organization can understand. When we then describe aspects of our organization - such as applications, business processes, and risks - these are all represented and visualized based on our metamodel. This helps us get everyone on the same page. For example, patch levels, viruses, and SQL injection don't mean anything to anyone outside of IT and security. Instead, using a standard classification that describes risk in the context of your own business enables you to communicate effectively across departmental divides.
1. Not Showing Alignment with Business Goals
From a risk standpoint, one of the best things an organization could do is sit perfectly still so that the risk profile doesn't change too much. However, that's not a realistic way to run or grow a business. Your EA and security goals need to be aligned with your business goals, which requires an understanding of the business beyond the departmental boundaries.
Security, risk, and compliance are often seen as synonyms for “something that slows down our growth”, while the opposite should be true. Take security awareness training as an example: it might be framed as “yet another thing we have to do that distracts us from our real work.” However, it’s also one of the ways a company demonstrates its commitment to secure its customers’ data. In essence, a compliance activity is a sales enabler.
Alignment needs a common language to show how cybersecurity risk management impacts the business goals. When people understand how risk management affects the business, they are less likely to see an inconvenience and more likely to understand the value.
Cybersecurity Risk Mitigation: 5 Solutions to 5 Mistakes
While mistakes are inevitable, you can sidestep a few by learning from the mistakes others have made. Here are the five mistakes you can avoid with these five solutions:We at Ardoq wish an informative Cybersecurity month and safe security year-round.
Ardoq is passionate about engaging and connecting stakeholders across the organization. We listen to our customers’ pain points, deliver solutions, and write about them here.