Does your company have hidden cyber security risks? 

Cyber security risks are often severe. Planes can fall out of the sky, you could lose lots of money or your company could face severe reputational damage.

The problem with risk management in organisations is that programme managers need to be open about the impact before they act upon it. If the risk has an unacceptable impact – because it’s clearly not something the organisation would want to tolerate – you then need to do something about it. However, you might not have the ability or budget to do this yet, so exposing the risk makes you look bad.

Naturally, therefore, programme managers often don’t want to talk about severe risks, especially if the project needs stakeholders to approve more funding.

Unfortunately, it’s all too easy to hide risks if effective management isn’t in place. Two techniques for hiding risks are Bury and Deny.

Deny

Deny is where managers simply refuse to accept that the risk exists. It’s a form of gaslighting. A classic case of this is where spokespeople say things like ‘our network is secure’ or ‘there is no threat to the public’ from a nuclear waste site. To anybody who understands IT networks or nuclear waste, these are obviously false statements but it’s surprising just how well they work with non-experts.

The problem with denying risks, however, is that if you do get caught, it can mean prison time or at least career-limiting embarrassment. If managers are worried about this, then a much better strategy can be Bury.

Bury

Rather than outright deceit, Bury is a form of obfuscation. Some of the best examples of buried risks can be found in security documentation ostensibly there to provide clarity. In NATO countries, for example, these are often called RBCs (Risk Balance Cases). The trick here is to keep the risks at a technical level and to leave out the business impact. The result of this is that you can convert every tiny technical vulnerability – the more obscure the better – into a risk. This generates thousands of so-called ‘technical risks’ in a large programme. No senior leader can ever be expected to read all that, so they end up saying something like, “You sound like you know what you’re talking about, so carry on.”

Hiding risks also aggravates siloed working. It leaves project managers to get on with the project and cyber professionals to produce reams of documentation, without either bothering the other or straying out of their respective comfort zones.

Where Bury becomes more difficult, however, is when it comes to getting approval to operate or accreditation. Indeed, stopping this behaviour was the whole point of MOD accreditation or other approvals processes. A Bury strategy becomes a huge gamble that a programme leader can effectively carry off the obfuscation or bluster their way through. Historically, this hasn’t been too much of a risk in many Defence programmes, as accreditation staff always had too much work to do and they could often be easily defeated by timing them out. Alternatively, programme managers could bully accreditation through, e.g. by blaming security for programme delays. This is much easier if there’s an urgent need for the capability you’re delivering or if there are already huge sunk costs in a programme.

Risk Management Frameworks

So, how can organisations ensure that risks are managed properly and transparently? One way of doing this is by implementing a formal risk management framework, such as NIST 800-37.

MOD is already doing this as formal risk management forms a key part of Secure By Design. This is being applied to all new MOD programmes, from July 2023. Although it will take many years to bed in, it’s a major shift and will require new skill sets at all levels, from technical experts to Defence boards. It also needs changes not just to how programmes are managed internally but also changes to the demand signals from senior leaders.

To help Defence clients to navigate this new world, bee.net has produced the Cyber Design Accelerator. This helps you with the practical steps you need to transition to Secure By Design.
