“Before the bubble bursts – Tackling the threat of a global security debt crisis”
Link: https://orangecyberdefense.com/uk/wp-content/uploads/sites/10/2020/03/Orange_Cyber_Before_the_bubble_bursts_Whitepaper.pdf
We face a looming debt crisis. I’m not referring to the $58 trillion in public debt held by governments across the
planet. Nor am I referring to the $6.3 trillion debt load for U.S. corporations. Instead, I’m referring to a more
intangible, but no less insidious, form of debt that threatens governments, corporations and private citizens
globally: security debt.

Security debt is a derivation of the concept of ‘technical debt’ (also known as code debt), popular in software
development circles. Technical debt is a term that refers to increasing the future cost of code maintenance
because of design trade-offs made in the past. This concept applies neatly to security, where developers and IT
teams continually compromise on the security of their software and systems. In the quest to ship fast, bugs and
other imperfections are introduced into code & architectures with a vague intention to patch or rectify in future.
Done on a grand scale, this technical debt can build into a security timebomb, with little or no collective planning or
coordination on dealing with the consequences.

It doesn’t matter which sector your company operates within or how much data it holds: risk is ever-present.
Instead of viewing this as an endless battle, though, there’s an opportunity for businesses to assume control by
taking a proactive approach to cybersecurity. Many businesses are needlessly exposing themselves and their
employees to risk, due to poor password security, a lack of cybersecurity skills, and choosing convenience over
security.

The bubble is growing and one day it might just pop. The effects could be devastating, not only in terms of the
serious financial consequences, but also in acting as the straw that breaks the camel’s back in inducing severe –
and potentially counterproductive – regulation for the industry.

The responsibility for addressing the security debt risk cannot be left to policy-makers. It needs proactive self-
regulation from within the industry, combined with an inclusive and collaborative approach to working with
stakeholders from outside, to create awareness of the risks. Within the industry, software companies, their
developers and the businesses that use their products, all need to be committed to repaying their debts. When
interacting with those outside the industry, there must be a greater commitment to speaking the same language
as influencers and decision makers. Assume that a company CEO doesn’t spend time on GitHub or attend
Hadoop meetups. Assume that the CFO isn’t conversant in internet-speak such as pwned, l33t and haxor.
Assume that the government regulator doesn’t know the ins and outs of agile development. Speaking in the
wrong terms is preclusive and can serve to repel rather than engage those that have sway over the industry’s
future. Clear and accessible language, on the other hand, can bring debate and foster greater understanding of
how software development works, and what can be done to limit and address unintended consequences.
“Challenges to effective EU cybersecurity policy” + GLOSSARY
Link: https://www.eca.europa.eu/Lists/ECADocuments/BRP_CYBERSECURITY/BRP_CYBERSECURITY_EN.pdf

What is cybersecurity? There is no standard, universally accepted definition of cybersecurity.

Broadly, it is all the safeguards and measures adopted to defend information systems and their
users against unauthorized access, attack and damage to ensure the confidentiality, integrity and
availability of data. Cybersecurity involves preventing, detecting, responding to and recovering
from cyber incidents. Incidents may be intended or not and range, for example, from accidental
disclosures of information, to attacks on businesses and critical infrastructure, to the theft of
personal data, and even interference in democratic processes. These can all have wide-ranging
harmful effects on individuals, organisations and communities.
- How well prepared are EU institutions and agencies for the next big attack launched
directly against them?
- What role is there for the EU to help bring gender diversity in the cybersecurity field?

“Cyber Risk Appetite - Defining and Understanding Risk in the Modern Enterprise”
Link: https://www.rsa.com/content/dam/en/white-paper/cyber-risk-appetite.pdf
According to Deloitte Advisory Cyber Risk Services, “the fundamental things that organizations
undertake in order to drive performance and execute on their business strategies happen to also be
the things that actually create cyber risk. This includes globalization, mergers and acquisitions,
extension of third-party networks and relationships, outsourcing, adoption of new technologies,
movement to the cloud, or mobility. And they are not going to stop doing these things any time soon.
Cyber risk is an issue that exists at the intersection of business risk, regulation, and technology.
Executive decision-makers should understand the nature and magnitude of those risks, consider
them against the benefits a strategic shift would deliver and then make more informed
decisions.” Accordingly, organizations must now factor cyber into their risk appetite and explicitly
define the level of cyber risk that they are willing to accept in context of their overall risk appetite.
This paper will provide a foundation for organizations looking to better understand cyber risk
including: a systematic process for defining and comprehensively categorizing sources of cyber risk, a
description of key stakeholders and risk owners within the organization, and finally, outline the basics
of how to think about calculating cyber risk appetite.

The price of some cybersecurity failures can be measured in monetary units. Hard currency costs
include fines, legal fees, lost productivity and mitigation, remediation, and incident response. These
hard costs also include fines from lack of compliance. Other costs are more difficult to quantify. They
are qualitative and long-lasting. These include diminished brand equity, reduced goodwill, and the
loss of intellectual property, all leading to a weaker market position or, in some cases, complete
elimination of competitive advantage. There are third party impacts in both directions. It’s possible
that a third party experiences a loss event, and while unintentional, this could impact deadlines or
worse reveal proprietary information. These costs that are more difficult to quantify still have large,
negative impact on the business and must be accounted for. “The notion of how to show value for
cyber risk investment is one that the industry struggles with because success is invisible – it’s the
absence of a cyber event, or the ability to show that an event had a lesser impact than it might have
had. It is difficult to show return on investment for cyber risk programs. Organizations need to
develop the ability to demonstrate that the investments they are making are aligned with the actual
risks they face. They have to ask if they are making the appropriate investments in security, vigilance,
and resilience, and whether those decisions are based on a realistic understanding of the specific
risks their organization faces – and the magnitude of impact that a cyberattack could have. Managing
cyber risk is not just a cost to the business, but a positive investment to enable the success of
strategic growth and performance initiatives,” contributes Deloitte Advisory Cyber Risk Services.

Risk appetite is the level of tolerance that an organization has for risk. One aspect of the definition is
understanding how much risk an organization is willing to tolerate, and the other is thinking about
how much an organization is willing to invest or spend to manage the risk. Risk appetite sets the
boundaries for prioritizing which risks need to be treated. Cyber risk appetite should be set by the
CEO, CISO and CRO and then shared throughout the organization. Calculating cyber risk through
ongoing assessment using defined and proven methodologies and both quantitative metrics and
qualitative risk elements is critical to an organization determining how much risk they are willing to
accept to achieve specific business goals or objectives. Further, determining cyber risk appetite
cannot be a point-in-time exercise. It must become an ongoing process involving constant evaluation
and re-evaluation. While it seems like setting cyber risk appetite may be just technical, there is more
to it than that. There are conversations that need to include non-technical functions. Cyber risk
appetite ties together operational risk, cyber risk, and enterprise risk in cross-functional
conversations. The strategic conversation is about the risk that the organization is willing to take on
and what controls it puts in place to prioritize cyber risk management. Setting the appetite is critical
to managing the business effectively and efficiently to help an organization know where to invest
time and resources.

“Digital (IT) governance is broken! 9 ways Enterprises Mismanage Their Cyber Risk”
Link: https://go.recordedfuture.com/hubfs/reports/digital-governance-broken.pdf

In our experience, as cyberattacks increase in complexity, frequency, and velocity, many enterprise
organizations rely on outdated IT governance. The organizational paradigm is limited by slow-moving
bureaucracy and scarce resources. This situation is often the result of a limited understanding of
decision-makers’ risks, like board executives who rely on outdated corporate governance frameworks
developed in response to accounting scandals (like WorldCom, Enron, or Tyco), not cyber risks.

1. Security spend decision-making is generally conducted by a committee, which is a slow,
consensus-driven process.
2. Outdated governance models propagate security control spending inertia. The penalty for
inaction may be considerable financial losses, but many organizations are still playing Russian
roulette with deferred investment. Digital governance decisions are made based on an
inaccurate view of cyber insurance coverage. Insurance may cover partial losses, but it won’t
cover all of them, and, more importantly, it can’t repair a reputation in tatters after a
devastating public attack.
3. The CISO reports to the CIO. This reporting line creates misaligned incentives between the
technology enablement mission and reducing operational risk.
4. Organizational charts do not equal good governance.
5. Compliance efforts contribute to successful audits, but compliance does not directly
correlate to operational risk reduction. Correctly identifying, measuring and communicating
risk to executive stakeholders takes a backseat to compliance progress.
6. CEO detachment from cyber risk management is a digital governance issue. Gartner expects
that by 2024, “75% of CEOs will be personally liable for cybersecurity incidents”.
7. Enterprise executives often make poor control investment decisions based on bad data as
they attempt to define a degree of relative risk urgency based on qualitative assessments.
Given the controls already in place, not every cyber threat poses a risk.
8. A collective owner approach (“everyone is an owner”) to digital governance leads to an
expanded attack surface increasing the risk of cybersecurity events and financial loss.
9. Excel spreadsheets and additional headcount may be reasonable for a proof-of-concept risk
register, but it’s a woefully insufficient solution for tracking the state of cyber risks and
corresponding controls.

Nine solutions:

1. Enterprises must consider an alternative approach for cyber resourcing decisions that extend
beyond audit compliance. Ideal digital governance requires management and budget
committees to have visibility into both audit compliance and IT risk management to properly
allocate cybersecurity resources.
2. Provide solid data justifying proactive spending, such as through analyzing the cyber
experiences of other organizations.
3. The CISO should be a peer of the CIO. To align effort effectively, GRC and operational security
teams should both report to a chief risk officer (CRO), chief operating officer (COO), or chief
financial officer (CFO). Enterprises generally tuck the chief information security officer (CISO)
under the chief information officer (CIO) because the responsibilities all have a vague nexus
to technology. That’s a mistake. When a CISO reports to a CIO there may be objective
misalignment. Additionally, the CISO may be missing a proverbial seat at the senior executive
table.
4. Align incentives and motivations between GRC and operational security teams to help
increase mutual respect for each other and for the overarching objective of digital risk
management.
5. Executives and the board of directors need two real-time views: audit compliance and risk
management.
6. Beyond compensating for personal liability, more CEO engagement in digital governance is
important to organizational success.
7. For that subset of threats that do need to be managed as risks, the next steps are to triage
them and then resolve them – for example through a risk register.
8. ??
9. ??
