eCommerceNews UK - Technology news for digital commerce decision-makers
By Matt Middleton-Leal, Qualys

Risk yoga - are you as flexible as you think you are?

Fri, 21st Nov 2025

Businesses exist to make money. The route they take to get there might be simple, or it might evolve over time. Take Nokia, which started off as a paper mill company before selling rubber boots - it went on to become one of the biggest names in mobile phones and telecoms networks. Or Nintendo, which started off with playing cards in 1889 before moving into electronics and video games later in the 20th century.

For CISOs who have to support businesses in making money securely, being flexible about priorities might seem obvious. But how many of us are really flexible in our thinking? How many of us are really ready to make significant changes based on an evolution in the business that might affect our approach? And how can we improve that flexibility over time?

It should be no surprise that I turn to the concept of yoga to teach people about flexibility. Yoga has existed for centuries as a framework for life, covering physical, mental and spiritual disciplines. What can CISOs and business leaders apply from yoga to help them manage risk in more flexible ways?

Applying the right approach around risk

Yoga has centuries of thought and development behind it. Simplifying all that study might seem like an exercise in frustration. However, there are three steps that can be used to focus, based on Adhi-sthana, Asana and Kriya - grounding the mind, posing the right questions, and then acting with intent.

Grounding the mind involves developing a sense of what is important to concentrate on and what the right measures are. To achieve this, we have to look at what is a tangible risk and what is intangible. Intangible risk covers all the potential challenges or issues that might affect a company and lead to a material impact. Tangible risks are those that can be specifically, unambiguously and empirically seen to occur.

Drawing this distinction is important, because it is easy to worry about sophisticated attackers or remote exploits. However significant these potential threats might appear, they are often intangible, which makes them harder to protect against. Instead, they can and should be decomposed into measurable parts. Tangible risks are those that are specific enough that we can reduce the potential for exploits against them. By understanding what we can influence directly and indirectly, we can then measure the impact that our decisions have on those risks.

Posing the right questions around risk

Following on from this, we can then think about the future of the business. This affects what we decide to measure and what value is at risk for the business. As companies explore potential opportunities and markets, they will make decisions on where they want to play and how they are going to win in those markets. Those companies will create solutions that they bring to market, and then run their operations to expose and capture more value for customers. At the same time, this increases the potential for risk. For example, launching a new product or opening a new office will potentially increase sales, but that new office will have staff or assets that have to be protected, and the new product might have a software flaw that can be exploited.

Understanding 'value at risk' helps you define the amount of money that is potentially jeopardized by tangible risks. This is a continuous process depending on new actions that the business takes, as well as new tangible risks that could affect the organization.

Acting with intent involves eliminating the risk that matters to the business. Once we know what to measure and how much value is at risk, we can then look at how to remove or prevent those risks to the business. Organisations can understand value at risk as the combination of cash on hand, revenue generated and market capitalisation, set against the losses that might be incurred as a result of a breach, disruption or other attack outcome, plus the regulatory or civil penalties that can follow from that breach. For the board, value at risk is the key item to understand, so CISOs have to live there too.

Reducing risk and improving reward

To act with intent, we have to understand where the business sees the most return on investment, and how to protect those activities against attack. At the same time, we also have to define which risks are the highest priorities and what impact the resources spent on them have. By staying in step with the business on where value lives, we can keep those risks under control and spend where it has the most impact and the greatest reduction in risk. This can involve IT security controls or actions like patching software; what these steps should deliver is a fundamental change in overall risk levels over time.

In the future, every business will change its approach. Security teams will have to stretch their approach to keep up with those changes. By taking a mindful approach to measurement and value, IT security leaders can pose the right questions and take deliberate actions to deliver what the business needs. That flexible mindset should also deliver a tangible impact on security that supports the business in generating more value.
