This morning, under a lovely London sky, a diverse group of Cybersecurity professionals gathered for a breakfast roundtable at The Exchange, a charming private room at the Andaz Liverpool Street in The City. Our purpose? To delve into the intricacies of the Cybersecurity Human Risk Management (CHRM) framework. This is the first in a series of many such work sessions. The room buzzed with energy as representatives from various esteemed organizations took their seats. Among the participants were BAE, Murphy Group, The University of the Arts London, Wawanesa Insurance, KPMG, and OutThink. The discussion was robust, fueled by steaming cups of coffee and flaky pastries.
We dissected the challenges faced in Human Risk Management, sharing insights, anecdotes, and innovative approaches. We reviewed the CHRM Framework that we’ve been building with industry participants, complete with its own maturity model. As part of this review, we touched on topics such as measuring cyber-risk exposure of personnel, quantifying the value (or ROI) of a security program, and convincing non-Security people to take ownership of the cybersecurity problem at least to some extent.
Good metrics help all employees and executives understand progress on such an abstract topic as cyber risk. Some of the key takeaways regarding metrics were:
- Complex Metrics are a Challenge: Describing intricate, high-maturity metrics to the board remains a hurdle. Simplicity wins! It’s easier to explain completion rates and phishing simulation clicks.
- Company-Wide Exposure Metrics: Focusing on broader company-wide exposure metrics provides a clearer picture of risk.
- Hotspot Identification: We emphasized pinpointing hotspots—those critical areas where risks converge. Actionability stems from precise targeting.
- General Awareness: An intriguing idea surfaced—one practiced by a large services firm—a counter in their lobby displaying the number of days since the last incident (not necessarily cyber-related). A visual reminder for all.
Another challenge we covered was the business case for investing in CHRM. How to put a value on having lower risk exposure. One of the participants uses a sophisticated model to value risk using Monte Carlo simulations of potential Cyber incidents, and the likely cost of such incidents as cyber-resilience improves. Another participant described a model by which to value the impact of poor cyber hygiene on company revenue. We all know revenue gets everyone’s attention!
Lastly, the enormous issue of ownership and engagement from all employees, from the board to management to line workers. The consensus was that most of the companies we work with are full of people who don’t “get” why security is important. Examples of people bypassing controls are plentiful. There are companies among us that have been breached the same way multiple times. Each time there’s a breach, one would think behaviors would improve, but so often they just seem to revert to the mean. Getting the business engaged in the problem, that is to care, still remains the biggest obstacle to tackling that elusive human layer of our defenses.
The next installments in this discussion are being planned for the week of May 13th in NYC and then back in London the week of May 20th.
