The National Cyber Security Center (NCSC) is a part of the UK’s Government Communications Headquarters (GCHQ). If you are like me, you may have only heard about GCHQ in an unflattering context, that of working with US intelligence agencies to spy on foreign heads of state and hack foreign agencies.
As a UK intelligence organization, they seek to keep its citizens safe. Through the NCSC, it provides advice on cyber security.
I am going to reference two pieces of NCSC guidance. The first is great and the second terrible.
In December 2017, the NCSC published The fundamentals of risk.
Here are some excellent insights from that publication:
- Risk management exists to help us to create plans for the future in a deliberate, responsible and ethical manner.
- The purpose of risk management is to enable us to make the best possible decisions, based on our analysis of future events and outcomes. The future can be anticipated, but within limits defined by our uncertainty in our analysis.
- This requires risk managers to explore what could go right or wrong in an organisation, a project or a service, and recognising that we can never fully know the future as we try to improve our prospects.
- Risk management is about analysing our options and their future consequences, and presenting that information in an understandable, usable form to improve decision making.
- Risk Management often requires a relationship between people who analyse risks and people who make decisions based on that analysis. Communication between these two groups must be clear, understandable and useful. If the people who make decisions can’t interpret the analysis they’re presented with, then there is little point in doing risk analysis at all.
This is consistent with what I have said here and in my books.
Risk management has to help those in leadership make informed and intelligent decisions. That requires using business language rather than technobabble and presenting information about risk in a way that is actionable.
For example, provide information about cyber risk that enables executive management and the board to determine whether it makes more sense to invest in addressing that risk, a new marketing program, an acquisition, or in hiring additional product developers.
Saying that a risk is ‘high’ does not help management. Should they invest limited resources in mitigating something that might happen with some level of pain, or in a revenue-generating initiative that is seen as highly likely to succeed?
The second publication is from September, 2018: Board toolkit: five questions for your board’s agenda. It says that “the NCSC have identified a range of questions which will help generate the right discussions between board members and their CISOs and increase awareness of key topics in cyber security”.
The five questions are simply wrong. They are down in the weeds instead of addressing the big picture:
- How do we defend our organisation against phishing attacks?
- How does our organisation control the use of privileged IT accounts?
- How do we ensure that our software and devices are up to date?
- How do we make sure our partners and suppliers protect the information we share with them?
- What authentication methods are used to control access to systems and data?
I can barely see question #4 on my list of top ten or so questions to ask.
Here are the top five questions I think the board should be asking about cyber risk. (There are obviously more depending on the answers.)
- How could a cyber breach affect our business? What business objectives might be affected, by how much, and what is the likelihood?
- What’s the worst that could happen and how likely is that? How likely is it that a cyber breach would result in an unacceptable level of harm and how do you define that level of harm?
- How confident are you in your assessments? Who is involved in making them?
- Are you satisfied that we have a reasonable level of investment in the prevention, detection, and response to a breach? If not, what are you doing to bring cyber-related business risk to a level that is acceptable?
- How do you consider cyber-related risks in your strategic and tactical business decisions?
I would want the CEO to answer and not defer to the CIO or CISO.
What do you think?