CROs Must Be Part of the Cybersecurity Solution
Winning the battle requires ERM-type oversight, ensuring that all
risks are being managed
Thursday February 09, 2017
By David X Martin
In terms of cybersecurity today, companies are fighting the good fight but losing
the battle. Chief risk officers need to become a more integral part of the solution.
Here is a plan.
Adopt a winning strategy. Most regulators take the approach of “assess the risk
and deal with it.” Most companies deal with it by trying to detect the problem
early and react to it quickly, which is not working well.
There is a better approach called Defense in Depth, which is modeled after a
conventional military strategy and has a much better chance of success. In
Defense in Depth, rather than concentrating all resources at the front line,
defenders can fall back to a series of pre-planned positions from which they can
advantageously attack the advancing enemy. Adapted to cybersecurity, Defense
in Depth strategies would use multiple security techniques and products to help
mitigate the failure of one component, while slowing down the attacker and
buying time to fix the problem.
Become intelligence-driven. The traditional approach to security relies on
prevention technologies. It treats intelligence as a product to be consumed, and
incident response as an exception-based process.
An intelligence-driven mindset is based on the assumption that you have already
been compromised and therefore need to continuously evolve and adapt to
changes in intelligence and incidents. For example, America has an intelligence-
driven model that works well for infectious diseases. Outbreaks of diseases in
foreign countries and hospitals are monitored continuously by the Centers for
Disease Control and Prevention in Atlanta. Once the disease is identified,
remedies are made available to all parties before and during an outbreak.
Treat cybersecurity as a managerial issue. Effective enterprise risk
management involves the strategic implementation of three lines of defense. As it
relates to cybersecurity, the first line of defense is the technology and operational
people who primarily address how to PREVENT incidents. The second line of
defense primarily relates to independent oversight to ensure that risks are actively
and appropriately managed.
One important approach is to use scenarios to determine the potential impact of a
cyber event. Scenarios have limitations: They only address known unknowns
(i.e., things that you can imagine) and consequently do not address the unknown
unknowns that often have to be faced in a cybersecurity event. I would suggest
an innovative approach based on what works in the manufacturing industry to
address unknown unknown risks. In cybersecurity, the second line of
defense needs to address, regardless of the cause, each interruption that can be
created by threats that may get past the first line of defense. The oversight should
assume that each critical point has been compromised, with the objective of
determining whether the company can continue delivering service within certain
defined acceptable parameters. In other words, this approach focuses on the impact of
a service disruption regardless of what caused it.
To my way of thinking, this approach can be used to quantify the cybersecurity risk, help
prioritize Level I defenses and the commensurate budget expenditures, and better
integrate the oversight of cybersecurity with operational risk and enterprise risk
management.
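A worked illustration of this impact-first oversight check, added here as an example and not part of the original article or the author's own method: each critical point of a service is assumed compromised in turn, and the model asks whether the service still runs within its defined acceptable parameter (a minimum throughput), without caring what caused the loss. Points whose loss breaches the parameter are the ones whose first-line (Level I) defenses and budget should be prioritized. The service, its critical points, fallbacks and numbers are all hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class CriticalPoint:
    """A critical point in service delivery (hypothetical model)."""
    name: str
    capacity: int       # throughput this point contributes when healthy (e.g. tx/s)
    fallback: int = 0   # throughput a pre-planned fallback position restores if the point is lost


@dataclass
class Service:
    name: str
    min_acceptable: int   # the defined acceptable parameter: minimum throughput to keep serving
    points: list = field(default_factory=list)


def remaining_capacity(service, compromised):
    """Throughput left when every point in `compromised` is assumed lost; fallbacks take over."""
    return sum(min(p.fallback, p.capacity) if p.name in compromised else p.capacity
               for p in service.points)


def assess(service):
    """Assume each critical point compromised in turn; report remaining throughput and
    whether the service is still within its acceptable parameter, regardless of cause."""
    report = {}
    for p in service.points:
        left = remaining_capacity(service, {p.name})
        report[p.name] = (left, left >= service.min_acceptable)
    return report


def prioritize(service):
    """Critical points whose single compromise breaches the parameter, worst impact first.
    These are where first-line (Level I) defenses and budget should go first."""
    breaches = [(name, left) for name, (left, ok) in assess(service).items() if not ok]
    return [name for name, _ in sorted(breaches, key=lambda item: item[1])]


# Constructed sample: a payments service with four critical points (numbers are hypothetical).
PAYMENTS = Service("payments", min_acceptable=900, points=[
    CriticalPoint("primary-db", 400, fallback=400),     # replicated: fallback restores everything
    CriticalPoint("auth-gateway", 250),                 # single instance, no pre-planned fallback
    CriticalPoint("fraud-scoring", 150, fallback=100),  # manual review absorbs most of the load
    CriticalPoint("notify-service", 200, fallback=50),  # batch resend covers only a fraction
])

if __name__ == "__main__":
    for name, (left, ok) in assess(PAYMENTS).items():
        print(f"{name:15} remaining={left:4} {'within' if ok else 'BREACH'}")
    print("prioritize:", prioritize(PAYMENTS))
```

Extending the `compromised` set to two or more points turns the same model into a simple scenario check for combined failures, which is where the unknown unknowns the text mentions tend to surface.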
Champion the next stages of innovation. The next stage of innovation in
cybersecurity needs to address three major areas of weakness, where solutions
can be accelerated:
(1) Tighter communication and collaboration between business partners and
customers will be facilitated through advances in access management/federation.
New solutions will be developed for better web access management, federated
identity, social and mobile support, application integration,
and adaptive authentication as integrated enterprises extend further beyond the
perimeter of the organization itself.
(2) Dramatic reductions in central points of failure will become possible through
new technologies that distribute data and command/control systems. Most
network architectures today have one central control system, albeit on multiple
computers/layers of computers. New technologies such as a blockchain based
communication system will allow records and data points to be kept
decentralized. Multiple control systems will require consensus mechanisms or
conditionalities, which would make them more difficult to penetrate.
(3) More rapid identification of threats and a faster and more efficient recovery
process will be facilitated using artificial intelligence. Advances in adaptive or
machine-learning algorithms have the potential to identify threats as they occur,
or to identify ever-changing ones. Intelligent security devices — i.e., bots — will
soon have the inherent ability to study patterns, then extrapolate to anticipate
future threats. Rapid responses could then be written into the DNA of companies’
networks to give an appropriate, even moment-by-moment, response if
necessary, minimizing any damage from an attack.
The best CROs are the glue that ensures that all risks are being managed. Why
not be the best?
David X Martin (dxm@cybxsecure.com) is a former chief risk officer and was
founding chair of the Investment Company Institute’s Risk Committee. He is an
adjunct professor, author, expert witness, and co-managing director
of CybX. For an earlier article published by GARP, see Risk Radar: Forward to
the Future.