Lectures Applied Cybersecurity Strategy
debt crisis”
Link: https://orangecyberdefense.com/uk/wp-content/uploads/sites/10/2020/03/Orange_Cyber_Before_the_bubble_bursts_Whitepaper.pdf
We face a looming debt crisis. I’m not referring to the $58 trillion in public debt held by governments across the
planet. Nor am I referring to the $6.3 trillion debt load for U.S. corporations. Instead, I’m referring to a more
intangible, but no less insidious, form of debt that threatens governments, corporations and private citizens
globally: security debt.
Security debt is a derivation of the concept of ‘technical debt’ (also known as code debt), popular in software
development circles. Technical debt is a term that refers to increasing the future cost of code maintenance
because of design trade-offs made in the past. This concept applies neatly to security, where developers and IT
teams continually compromise on the security of their software and systems. In the quest to ship fast, bugs and
other imperfections are introduced into code & architectures with a vague intention to patch or rectify in future.
Done on a grand scale, this technical debt can build into a security time bomb, with little or no collective planning or
coordination on dealing with the consequences.
It doesn’t matter which sector your company operates within or how much data it holds: risk is ever-present.
Instead of viewing this as an endless battle, though, there’s an opportunity for businesses to assume control by
taking a proactive approach to cybersecurity. Many businesses are needlessly exposing themselves and their
employees to risk, due to poor password security, a lack of cybersecurity skills, and choosing convenience over
security.
The bubble is growing and one day it might just pop. The effects could be devastating, not only in terms of the
serious financial consequences, but also in acting as the straw that breaks the camel’s back by inducing severe –
and potentially counterproductive – regulation for the industry.
The responsibility for addressing the security debt risk cannot be left to policy-makers. It needs proactive self-
regulation from within the industry, combined with an inclusive and collaborative approach to working with
stakeholders from outside, to create awareness of the risks. Within the industry, software companies, their
developers and the businesses that use their products, all need to be committed to repaying their debts. When
interacting with those outside the industry, there must be a greater commitment to speaking the same language
as influencers and decision makers. Assume that a company CEO doesn’t spend time on GitHub or attend
Hadoop meetups. Assume that the CFO isn’t conversant in internet-speak such as pwned, l33t and haxor.
Assume that the government regulator doesn’t know the ins and outs of agile development. Speaking in the
wrong terms is preclusive and can serve to repel rather than engage those that have sway over the industry’s
future. Clear and accessible language, on the other hand, can bring debate and foster greater understanding of
how software development works, and what can be done to limit and address unintended consequences.
“Challenges to effective EU cybersecurity policy” + GLOSSARY
Link: https://www.eca.europa.eu/Lists/ECADocuments/BRP_CYBERSECURITY/BRP_CYBERSECURITY_EN.pdf
The price of some cybersecurity failures can be measured in monetary units. Hard currency costs include fines (including those for non-compliance), legal fees, lost productivity, and mitigation, remediation and incident response. Other costs are more difficult to quantify. They are qualitative and long-lasting: diminished brand equity, reduced goodwill, and the loss of intellectual property, all leading to a weaker market position or, in some cases, complete elimination of competitive advantage. There are third-party impacts in both directions. It’s possible that a third party experiences a loss event which, while unintentional, could impact deadlines or, worse, reveal proprietary information. These harder-to-quantify costs still have a large, negative impact on the business and must be accounted for.

“The notion of how to show value for cyber risk investment is one that the industry struggles with because success is invisible – it’s the absence of a cyber event, or the ability to show that an event had a lesser impact than it might have had. It is difficult to show return on investment for cyber risk programs. Organizations need to develop the ability to demonstrate that the investments they are making are aligned with the actual risks they face. They have to ask if they are making the appropriate investments in security, vigilance, and resilience, and whether those decisions are based on a realistic understanding of the specific risks their organization faces – and the magnitude of impact that a cyberattack could have. Managing cyber risk is not just a cost to the business, but a positive investment to enable the success of strategic growth and performance initiatives,” contributes Deloitte Advisory Cyber Risk Services.
Risk appetite is the level of tolerance that an organization has for risk. One aspect of the definition is understanding how much risk an organization is willing to tolerate; the other is how much it is willing to invest or spend to manage that risk. Risk appetite sets the boundaries for prioritizing which risks need to be treated. Cyber risk appetite should be set by the CEO, CISO and CRO and then shared throughout the organization. Calculating cyber risk through ongoing assessment, using defined and proven methodologies and both quantitative metrics and qualitative risk elements, is critical to an organization determining how much risk it is willing to accept to achieve specific business goals or objectives. Further, determining cyber risk appetite cannot be a point-in-time exercise. It must become an ongoing process involving constant evaluation and re-evaluation. While setting cyber risk appetite may seem purely technical, there is more to it than that: the conversations need to include non-technical functions. Cyber risk appetite ties together operational risk, cyber risk, and enterprise risk in cross-functional conversations. The strategic conversation is about the risk the organization is willing to take on and what controls it puts in place to prioritize cyber risk management. Setting the appetite is critical to managing the business effectively and efficiently, helping an organization know where to invest time and resources.
In our experience, as cyberattacks increase in complexity, frequency, and velocity, many enterprise organizations rely on outdated IT governance. The organizational paradigm is limited by slow-moving bureaucracy and scarce resources. This situation is often the result of decision-makers’ limited understanding of cyber risk: board executives, for example, rely on corporate governance frameworks developed in response to accounting scandals (WorldCom, Enron, Tyco), not in response to cyber risks.
Nine solutions:
1. Enterprises must consider an alternative approach to cyber resourcing decisions that extends beyond audit compliance. Ideal digital governance requires management and budget committees to have visibility into both audit compliance and IT risk management in order to allocate cybersecurity resources properly.
2. Provide solid data justifying proactive spending, for example by analyzing the cyber experiences of other organizations.
3. The CISO should be a peer of the CIO. To align effort effectively, GRC and operational security teams should both report to a chief risk officer (CRO), chief operating officer (COO), or chief financial officer (CFO). Enterprises generally tuck the chief information security officer (CISO) under the chief information officer (CIO) because the responsibilities all have a vague nexus to technology. That’s a mistake: when a CISO reports to a CIO, their objectives may be misaligned (the CIO’s delivery and cost pressures can override the CISO’s risk-reduction goals), and the CISO may be missing a proverbial seat at the senior executive table.
4. Align incentives and motivations between GRC and operational security teams, to increase mutual respect for each other and for the overarching objective of digital risk management.
5. Executives and the board of directors need two real-time views: audit compliance and risk management.
6. Beyond compensating for personal liability, more CEO engagement in digital governance is important to organizational success.
7. For the subset of threats that do need to be managed as risks, the next steps are to triage them and then resolve them, for example through a risk register.
8. ??
9. ??