A lesson in risk: Your business is a ship not an aircraft

Cyber risk may not be anywhere near your organisation's most critical business risk, if it's even a business risk at all. Do the numbers.
Written by Stilgherrian , Contributor

"For some reason all risk people are obsessed with aircraft," says Eric Pinkerton, director of Hivint, a Trustwave Company.

"They talk about planes and plane crashes and black box recorders, and I never really figured out quite what that is," he told the AusCERT Cyber Security Conference on Australia's Gold Coast last week.

"I think it leads to a style thinking about risk... and I think that it's kind of not quite right."

Thinking about your business as an aircraft means you're thinking about risk as a mountain, he said. You avoid the risk mountain by steering around it, or over it.

Pinkerton prefers to think of your business as a ship. The equivalent scenario would be risk specialists telling you that to remove the risk, you need to remove your ship from the water and put it on high ground.

"Hang on a minute. If I take my boat out of the ocean and put it on high ground, now what I've got is a sloping warehouse with crappy access," he said.

"Your business needs to be enveloped by risk in order to do what it does, and managing the risk isn't about just removing it. It's about thinking about life jackets, and training, and the journey, and the type of journeys you're going to make, and the type of vessel you have and whether it's fit for purpose on the type of journey you're going to make."

Pinkerton's core message was that risk is really about risk appetite -- and that's something you should measure and define.

You need to identify and evaluate your risks using tools like the risk matrix. After that, you need to prioritise how to address each risk by analysing the cost of mitigation against the impact of the bad thing happening.

A risk might be so potentially catastrophic but so unlikely that it's left for the organisation's insurers.

Or a bad thing might be so minor in its potential impact but cost so much to mitigate that it simply isn't worth it.

"Risk isn't about finding and fixing all the issues that are facing your organisation," Pinkerton said.

"It's about acknowledging that you don't have the time, the money, or the resources to fix all the problems, and then creating a defensible position and justification -- not just for the things you do, but some justification for the things you decide not to do."

Risk might also be analysed in terms of the amount of effort it would take to fix, or even the time frame needed. It might be worth dealing with some quick, low-hanging fruit first, even though the potential impact of the bad thing might not be as great.

"Risk appetite is something that will change over time in the different phases of the life of your business," Pinkerton said.

All of this surprises a lot of people in cyber risk.

"They come up with a list of things, they take it, the business decides to do nothing about it, and they think it's because the organisation doesn't understand risk," Pinkerton said.

"But more often than not it's because the cyber people don't understand the organisation, and don't understand that those risks, in the context of the other things the businesses is wrangling, don't really make the list of things to do."

In most organisations, he said, whether it's admitted or not, there's a conceptual dotted line that's the difference between the stuff you do, and the stuff you simply put in the risk register and flag as being acceptable.

And yet there's usually a disparity between what an organisation thinks its risk appetite is, and what its practices mean it really is. Organisations always say they have a low risk appetite, but Pinkerton notes that it's often very different.

"Mate, I've seen your pentest reports for the last three years. If your risk appetite was a sport it would be like naked base jumping," he said.

Your business isn't a cyber

Another angle on cyber risk came from Shane Moffitt, assistant chief information security officer (CISO) for the Victorian state government -- "cyber risk" isn't even a thing.

"You have business risks, or you have things that don't matter," he said.

"A server going down is not a risk. The inability to deliver a service because a server goes down is a risk."

Like his earlier comments about training strategy, it's about expending resources where they will have the most impact.

Pinkerton's AusCERT presentation included two strategies which he clearly does not recommend.

The first was a client wanting to trade risks away. 

"You've given us a medium risk for this. Can we swap that medium for two lows? Because if it's a medium we have to escalate it, and that's really awkward for us. Can you break it down into smaller components," Pinkerton said.

"The other thing I saw happen, which I thought was particularly smart, was [to] raise it as a project risk, and then when the project gets closed down it goes away...

"So there's all these kinds of horse trading, all these underhand tactics for managing risk, and what they equate to is an increased risk appetite because there isn't that consistency. Sometimes you have people lower down in an organisation that are accepting risks that actually are way beyond their pay grade."

For mine, an organisation's risk appetite statement isn't real unless it includes numbers.

Pinkerton's experience is that most such statements are "motherhood statements" and "generally just PR fluff and nonsense", are just organisations saying they will accept only low risks but fail to define them.

Surely a proper statement would set some defined limits, such as accepting only risks that have a certain chance of occurring, or a certain level of impact on the organisations's health.

Related Coverage

Digital transformation increases cyber risk for 8 out of 10 companies (TechRepublic)

Organizations are not prepared to handle cyber breaches due to gaps in IT security and basic operations, according to a 1E survey.

Australian National University breached with 19 years of data accessed

Attackers got into ANU systems during late 2018 and were discovered two weeks ago.

New Iranian hacking tool leaked on Telegram

New Iranian hacking tool is named Jason and can be used to brute-force Microsoft Exchange email servers.

Employees beware: 33% of CEOs will fire you if you cause a cybersecurity breach (TechRepublic)

Despite the risks, 90% of business leaders said they lack the resources to defend against a cyber attack, according to a Nominent report.

How to protect your organization's online data: 5 tips (TechRepublic)

The wrong use of SMB, FTP, and other file storage technologies exposed 2.3 billion online files globally over the past year, according to a Digital Shadows report.

Editorial standards