APAC CIOOutlook

    Compliance, Risk and Uncertainty: Why We Have Failed at Stopping Cyberattacks

    Chadi Hantouche, Head of Cybersecurity & Digital Trust Asia-Pacific, Wavestone


For 25 years, companies have been taking care of their information security but have not been able to stop attacks from happening. In the last 10 years, the rise of massively destructive attacks and major data leaks has brought institutions, governments and lawmakers to issue a number of guidelines, standards and compulsory requirements. Thus, cybersecurity has become, in addition to a technical topic, a topic of regulatory compliance.

This is true everywhere, but maybe more in Asia: companies with a regional footprint have to face between ten and twenty regulatory authorities for cybersecurity alone (national security agencies, privacy commissioners, monetary authorities, etc.). For numerous organizations in the region, being compliant becomes an objective per se, prioritized above actually being secure. That mindset has put Asia behind the curve in terms of cyber-resilience.

In order to catch up, organizations in the region need to embrace a risk-based approach. That won’t be enough, though: they will also need to prepare for uncertain events.

Compliance does not Mean Security

The activity of compliance has always been a safeguard for organizations, by forcing them to align with best practices described in standards or regulations. It is necessary, but far from sufficient, to ensure an adequate level of security. As far as cybersecurity is concerned, compliance has never been a proof of excellence.

    For instance, certification to ISO/IEC 27001 (one of the globally recognized standards) is not meant to demonstrate a “good” security level. Rather, it demonstrates the people, processes and technologies that will make this level improve with time.

    The credit card data breach that hit the American retailer Target back in 2013 became a textbook case. The organization was certified against PCI DSS, the demanding security standard issued by the payment card industry. That did not prevent a massive breach that affected tens of millions of customers.

Compliance is often a black-or-white exercise: you are compliant, or you are not. You do not try to be “more” compliant. You can extend the scope or improve the maturity against a framework. But organizations end up spending less time and effort doing than reporting what they have supposedly done.

Initially envisioned as a minimum set of controls to prevent going off the rails, compliance has become a tick-the-box exercise. In Asia, it is common to meet teams who strive to reach compliance with standards without understanding (or caring about) their actual content.

    “It never Happened, therefore it will never Happen”

    Over the last 20 years, what we have accomplished is managing risk. Organizations have grown to identify the possible issues, assess them, and implement mechanisms to mitigate them.

    Most organizations have put a risk management framework in place. They identify their risks, assess and prioritize them, get a risk appetite stance from senior management and mitigate them. The more advanced companies have several lines of defense, which may include a first line that enforces the mitigation measures, a second line that controls them, and a third line (usually internal audit or an external authority) to measure actual efficiency.

    This risk-based approach has allowed organizations to make a leap forward in terms of risk understanding and preparation. Unfortunately, in Asia, a passive push-back still exists against it. The notion of, “If nothing bad happened in the past, nothing bad will happen in the future,” is still a widespread mindset. It is even worse than the eternal “demonstrate security ROI”, because it fails to even acknowledge the existence of a threat.

However, risk management prepares you for the known risk, that is to say, to use insurers’ vocabulary, a risk whose distribution is known. You can estimate a likelihood and an impact. For instance, we know today that skipping the penetration testing phase in an IT project will inevitably leave your system holding vulnerabilities, and we can foresee pretty accurately which ones.

    Risk, of course, needs to be addressed, but it will not be enough anymore. For the last decade, the cybersecurity industry has embraced the idea that incidents will eventually happen: you will not be able to simply prevent them, you have to be ready to detect them, and respond.

    You Now Need to Manage Uncertainty

    Cybersecurity has always been inspired by the armed forces. The principles of “DMZ”, “defense in depth”, and “kill chain” were not invented by computer scientists!

    It is now time for the cybersecurity community to fully embrace another military concept: uncertainty management. This is the concept of handling risk that is not well understood, and for which the distribution is not known.

    The difference between risk management and uncertainty management is comparable to peace time versus war time. In the former, you manage your level of crime, you know which actions will lead to which effects, and you can keep accurate statistics about the crime rate. In the latter, which in the cyber space would take the form of a major attack, the course of action is different: you want to avoid chaos and destruction, and face any possible “strategic surprise”.

Over the last decade, the more advanced companies in terms of cybersecurity have launched a number of initiatives that can all be considered part of a new wave of “uncertainty management”. These strategies include threat intelligence and information sharing, red teaming, and the now popular cyber-crisis drills. While these are gaining momentum, far too many organizations still confuse risk and uncertainty management. Risk management requires clear rules, proper procedures, and managers to enforce them; uncertainty management requires giving more autonomy to teams, encouraging the use of common sense, and growing strong leadership.

    Cyber Peace, Cyber War

    A number of companies in Asia are solely focusing on doing the bare minimum that is required by law. To these, we say: wake up, you are probably already under attack and refuse to see it. Risk management is not an option anymore, and it is not done by “being compliant”. The latter will clear regulatory duties (and maybe your conscience) but not keep you safe.

    Organizations have started preparing for uncertainty management with diverse levels of maturity and means, as the field is still relatively new.

In these times, one of the many roles of a Chief Information Security Officer will be to tell Senior Management whether the organization is at peace or at war, and how to prepare for the latter.

For this, the armed forces teach us one last lesson: the two types of scenarios to focus on are (1) the most likely and (2) the worst. Prepare for these, and you might be ready for everything in between.
    Copyright © 2025 APAC CIOOutlook. All rights reserved. Registration on or use of this site constitutes acceptance of our Terms of Use and Privacy and Anti Spam Policy 
    https://cyber-security.apacciooutlook.com/cxoinsights/compliance-risk-and-uncertainty-why-we-have-failed-at-stopping-cyberattacks-nwid-6695.html