By Julian Arango | July 07, 2019
Thinking about risks is not easy, and risks are everything in cybersecurity. Furthermore, aligning cybersecurity risks with those of the business is challenging. We wanted to discuss this topic with Nicolás.
Is it difficult to quantify the risks you manage in monetary terms?
"Remarkably difficult, as is usual in other fields.
We have a traditional approach,
and we face the same common issue: prioritization.
Which risk is redder than the other reds?
We still rely on probabilities and impact.
Broadly speaking, the current approach to risks in cybersecurity
has three commonalities: we are not good at translating hazards to money;
we are not good at creating business cases for cybersecurity
—that’s why it’s often perceived as costly—;
finally, we are not good at achieving approvals for what we want to do.
As a whole, cybersecurity is poorly understood,
and we are responsible for that.
I’m not saying that we still speak in terms of
IT assets to top management.
Nevertheless, in Corona, we have started to build a new language
to speak directly to the business, referring to risks.
We have managed to speak in financial terms to senior executives
by leveraging the expected loss paradigm,
something we came across by, among others,
exchanging ideas with Fluid Attacks.
Though, it’s still an enormous challenge.
The expected loss indicator is not perfect,
and it’s complicated to understand.
Nevertheless, it’s the best approximation we have to speak in business terms.
(Interested in Expected Loss? Take a look at
Risk Indicator Roundup.)
In organizations where security breaches
translate quickly into money, it’s easier to connect the dots.
For instance, the risk of a successful hack targeting an online banking user
5,000 in his account is easy to quantify.
However, a scenario where a hack reveals personal information or industrial
secrets is not straightforward to numbers.
In the latter, you have to analyze more.
How much does it cost you if someone steals a food recipe
or an industrial design?
You just try to take what seems more readily available,
for example, sales forecasts."
The ways companies and cybersecurity teams face struggles are diverse. Nicolás shared with us some of his setbacks as CISO.
What setback was particularly relevant for you as CISO?
"I think of technical and managerial examples:
On one occasion, we should have waited to deploy a protection. We proceeded, and in doing so, we also hindered major operations by taking down some critical systems. That was never the intention, but we ultimately caused the whole financial department of one of our companies to be halted for half a day.
Another time, it was my first presentation to the board of directors. I assumed they were aware enough about cybersecurity, but that was plainly not the case. During my presentation, they started asking whether my topic was worthy of attention. They simply did not understand what I was conveying and I should have started by sensitizing the audience.
What I learned in both instances was pretty clear: not to rush when a control or protection is missing; chances are that some blind spots play a big role in the middle of the rush. Second, that the first contact with a board of directors should be focused on sensitization, even if they already are cybersecurity aware. Common language must be established from the beginning to succeed in the difficult task of speaking to the board."
To conclude our conversation, we talked about what Nicolás considers false in the discipline, as well as what is true. We wondered what a CISO like Nicolás could tell us.
What do you think is a ‘lie’ in cybersecurity, but most people seem to believe in?
"I sometimes see cybersecurity as a cult. For me, cybersecurity is not as severe as the market tries to show; people usually overestimate what happens. We are not the most targeted organization, although we receive daily attacks. And think about our size: we are a team of seven protecting a 10,000-person organization.
When is there ‘no time’? When are circumstances so urgent that you can’t even blink? When are we ‘on fire’? It has happened once in the last seven years. In my previous job in a bank, it happened twice in about the same period. It’s odd: I see a cult of stress, a cult of being relevant by being busy. It seems to me like an inertial thing that is just not true. I don’t buy that stressful scenario we sometimes see on TV or in the movies. Sometimes you do have to worry and act quickly to contain an incident, for sure, but it’s not every day, not even every week. In my experience, cybersecurity is not that stressful.
In this discipline, you don’t have to do everything. You can leave some things to randomness. Take, for example, theft. Every day, people are victims of some theft. Yet, local institutions don’t place a policeman on every corner of the city. That’s the value of the expected loss approach because it allows you to better weigh your actions. To do nothing is also a managerial decision. Sometimes it’s better to accept that some incidents happen, and when they arrive, you deal with them. Not every time you get a fever, you go to the doctor. In cybersecurity, it is the same. We need to be sensible about cybersecurity.
Fluid Attacks, for instance, I’m certain will always manage to breach some of my protections in the projects we work on together. How much do I have to invest to be immune to them? There is no point in that. I just accept that fact, and I protect from more likely scenarios. The lie is to go until the end. You have to know when to stop. Many professionals should discard the go-until-the-end idea."
And, what is ‘a truth,’ but most people don’t seem to believe in?
"People and organizations usually think
that nothing will ever happen to them.
You hear from time to time “It will never happen.”
The truth is that something will happen eventually.
The thing is, not as many people are aware of cyber risks.
For more than 130 years, some events seemed to have never happened
in our organization.
It’s better to say: for over
we’ve never known that something has happened.
Botnets exist; ransomware exists.
If I’m not cautious in my digital behaviors,
something terrible could happen to me.
So, it’s vital to have “healthy” digital habits.
This is a game of balance,
a game where you should never feel safe enough
that controls just stop making sense, but at the same time,
a game where you have to be mindful about how much you really have to do
just for the sake of having a reasonable cybersecurity posture."
We are thankful to Nicolás for this conversation about our job as cybersecurity professionals. We hope you have enjoyed these insights from the lens of a CISO. Do you want to share your thoughts? Do get in touch with us!