The two speeds of thought
The current COVID-19 context is putting enormous pressure on companywide budgets including information security. Many of us have already made quick decisions to safeguard our colleagues, keep operations running while preserving cashflow, and reducing costs in the short term. In this context we engage our ‘system 1’(1) fast thinking, i.e., our 200,000 year old reptilian brain, by default: when in danger, we don't think twice and make rapid decisions.
Thinking, Fast and Slow: system 1 and 2(1)
We now need to address the medium term and consider what actions should be taken to maintain the appropriate level of IT Security while optimising our 2020/2021 budgets. This is when we need our ‘system 2’(1) slow thinking, which is more time consuming but less prone error. This type of thinking allows us to put things into perspective and look for hard facts to improve our understanding of a given situation and improve our decisions.
While most of us have stayed home in an effort to keep safe during the pandemic, IT environments have become more exposed to cyber incidents due to increased remote working combined with an increase in threats. CISOs must be asking themselves which 2020 activities should be resumed? Which should be accelerated? Which can safely be stopped to contribute to the savings their organisation so badly needs.
Transform how you model, measure, and manage cyber risk.
Our FAIR-certified experts will help you prioritize your IT security investments, improve governance and increase your organization's cyber resilience with our risk-based CRQ Solutions.
How to maintain the appropriate level of IT Security while optimising 2020/2021 budgets?
The challenge in making these tough calls is finding balance. Balance between relying too heavily on intuition and experience on one hand and overthinking threats, vulnerabilities and every other aspect of your InfoSec strategy on the other.
To help with these decisions, we believe your organisation needs to take a fresh look at the risks it is most exposed to. Information Security impacts the entire business and the CISO/CRO should engage all of the organisation leadership to agree the types of cyber and operational risks it is exposed to and how to treat them.
Ordinal scales and red/amber/green heatmaps are often misleading
Traditional risk assessments using ordinal scales and producing red/amber/green heatmaps are often misleading when having discussions with business leadership. In fact, rather than helping decision-making, they can introduce confusion and lead to incorrect understanding.
Scientific evidence (2) backs this up and ISO 27005 (3) documents this shortcoming. What is needed is a defendable, more objective financial measure of cyber risk.
You have more data and statistics require less data than you think
Intuition leads most people to assume that quantifying cyber risk requires lots of data, expertise and time, which most organisations lack in this time of crisis. Think again - scientific research (4) demonstrates that less data is needed than you thought, and a little effort from a few key stakeholders can greatly improve risk assessments and provide a degree of precision which vastly improves decision-making. Equipped with an objective list of top cyber risks, an executive team can decide which risk scenarios need to be stopped, treated or transferred. Business leadership can also decide which information security investments are immediately required versus which may be deferred or cancelled altogether.
Annex
(1) Thinking, Fast and Slow - Daniel Kahneman 2011
(2) Problems with scoring methods and ordinal scales in risk assessment – 2010 D. Hubbard & D. Evans (IBM J. RES. & DEV. VOL. 54 NO. 3 PAPER 2 – May 2010)
(3) ISO 27005:2018 Section 8.3 and Annex E.2
(4) Superforecasting – the Art and Science of Prediction by Philip Tetlock and Dan Gardner - 2015
We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.