Compliance vs True Cyber Risk Management
by Gary Phipps
Two dudes walk into a bar and the first dude says, “hey bro, the assessment your company completed says your physical security is horrible.” The second dude says, “nah bro; we’re a consulting company working inside your building.”
As farcical as this may sound, it happens all the time (sans the intended surfer-dude persona). I’m a big fan of using analogs to demonstrate concepts and I think that this analogy hits home. Ensuring against the possibility that this analogy may have escaped some of my readers, let me further explain. Sending a self-assessment questionnaire to a vendor and asking them to agree to be contractually bound to address all “No” answers within the first 90 days of the contract period might be accurately described as ‘compliance’ but it is certainly not ‘risk management’.
Why the former happens: Risk management – in our case, third-party cyber risk management – is a discipline where context matters. Unfortunately, regulatory statutes get handed down (most heavily in the financial services, energy and transportation industries) with the assumption that the first lines of defense are oblivious to their responsibilities regarding consumer protection or are morally ambiguous. As such, regulations must rule out opportunistic interpretations. Furthermore, in order to rule out ‘opt-in / opt-out compliance’, it’s best to just throw everyone in the same bucket. The bank/airline/power provider can afford it, right?
Since the infamous Enron scandal, compliance measures have drastically changed. The sweeping regulations ran boutiques out of business, as the cost to comply was simply too great. How then will we interpret this flurry of privacy regulation? Should a ‘one-size-fits-all’ approach to the evaluation of compliance risk be applied to anything containerized within the definition of a ‘covered entity’? And will simply checking the compliance boxes truly protect you from risk, or cyber risk?
Hoping the problem statement is properly beaten, how then can we avert the promises of this and these tales of caution? Contextual analysis. It’s the difference between simply complying versus truly managing risk.
What is the context of your relationship with this vendor, lender, partner, venture, etc. Do you allow it access to your network, intellectual property, customer data, building, stuff? And if so, to what degree? Here is my point. The conventional self-assessment standards available in the market typically come in two sizes; Big and Little. There doesn’t seem to be a ‘shmedium’ or baby-tee among them. Second act for the small broker/dealer includes furlough for the inability to comply with the tenants of the most nebulous of due diligence lexicon (cyber). “My contract was not renewed. My core competency as a service provider is knowledge of actuary and demographic tables in my region. Unfortunately, I was not aware that ‘end-point protection’ could be satiated by my nine-dollar antivirus program or my MacBook’s remote wipe function or my small business’ procedural instruction which reads menu>tools>protect document>generate complex password>etc.
Furthermore, while the impact of a compromise might be significant, what is the likelihood that your smallest business partner in Poughkeepsie will fall victim to the laptop thief? The majority of my clients (who are CISO’s) are doing everything they can to strike a balance between meeting internal SLA’s with the ‘business’ to facilitate safe and speedy onboarding of strategic vendors which will drive the necessary time-to-market existential to any B2C and most B2B sectors in this era….and actually doing her/his job.
Discreet mathematics and non-linear equations are not required to determine the level of due diligence and requisite granularity that should be applied to assess the risk associated with a new business venture. Think of your house. For most people, the home is the most financially significant investment you make. When you have a contractor come into your home to repair a leaky faucet, your due diligence is comparable to the impact of a faucet that continues to leak. Should your home be in a flood plain, your insurance provider determines the amount of risk to take on given the likelihood of a flood.
Call to action – act like an insurance agent. What is the likelihood of a breach given the context of your dealings with this proprietor? How bad would it be if that happened? Is there another proprietor that offers a more secure product? If not, how much insurance do you need to satisfy your corporation’s aversion to risk? In 1988, R.L. Keeny wrote that “when presented with two options and no further normative data, the path will be clear.” Context will shift your common-sense gears.
