How to improve cyber resilience by evaluating cyber risk

Miguel Clarke, GRC and cyber security lead for Armor Defense, shares how cyber resilience is a mindset, not a technology

By: Olivia Powell, Miguel Clarke 11/20/2023


Cyber Security Hub speaks with Miguel Clarke, GRC and cyber security lead for Armor Defense and former Supervisory Special Agent (SSA) for the Federal Bureau of Investigation (FBI) about how companies can effectively evaluate cyber risk and improve cyber resilience.

Cyber Security Hub: What is cyber risk management, and why is it so important for effective cyber security? 

Miguel Clarke: Cyber risk management is really kind of discovering everything that will impact your business. Risk is the gap between what you expect to happen and what actually happens, and it is typically unfavorable. So, you are trying to close that gap between your expectations and the actual events as they unfold. That is your risk management.  

In that process you should be thinking about what risks you can completely avoid. For example, this morning I was drinking coffee while wearing a white shirt. As opposed to putting on a cover or something like that, I just took my shirt off so I could avoid that risk completely. You have to start thinking about how you manage that risk and mitigate the effects. Continuing with the analogy, if I do happen to get coffee on my shirt, what tools do I have available to me? How much time do I have? You also have to think about what you consider to be an acceptable risk – I would not want to drink coffee through a straw, for example, so I would put my coffee in a spill-proof mug. 

Risk management is looking at the entire scenario of things that could impact your business and just really trying to minimize that risk.

CSH: How can cyber risk management help organizations guard against emerging threats, for example, ransomware?

MC: I have a little bit of a different take on it.

In risk management, we focus a lot on avoiding risk and mitigating and managing risk and most of our efforts are around protection. You have to be 100 percent right all the time when protection is your strategy. You have nothing else that you can do. To go back to our spilling coffee analogy, I have a suit that is stain resistant, which is another way of mitigating risk, as opposed to wearing a white shirt. If I spill coffee on my white shirt, I need to come up with a plan of how to respond to it. 

There may be some risk that I cannot avoid at all, and so maybe I have to opt for a different setup that would allow me to be a little bit more stain intolerant. Most of the things that businesses are focusing on currently are providing better protection, but businesses can never be 100 percent protected against cyber security incidents, unfortunately. The way I see us being able to help is to start to focus some of the efforts on resilience.

There is always going to be ransomware or even the next cyber threat that has not been invented yet. So, what am I going to need to do as a business? Well, I am going to need to see the problem, understand the problem and then be able to react to it quickly. So, we need to put more effort into seeing and understanding. That is where a company might come up with some type of extended detection and response (XDR), which will enable them to see what is going on in their network, and place this in context so that they can understand the threat better. This will allow them to kick off whatever their plan is to remediate that threat.

The way that I see us being able to help is to get folks into the mindset. Protection is one portion of it, response is another and another portion of it is starting to balance out your efforts, your time and your prioritization somewhere between the two of those things. The most important thing that risk management can do for an organization is say ‘these are the threats that you are going to face and at the end of those threats, if you do these things, you are going to be OK’.

That, to me, is the point of risk management. It is getting to the point where you can say, ‘if these things happen and I do these things, it is going to hurt, but I am going to be OK. Most importantly, the business will continue to operate profitably’.

CSH: What would you say are the most important elements of a cyber risk management strategy?

MC: I think that depends on the inherent capabilities of the organization. What is important in terms of cyber risk management for a small firm that has a lot of intellectual property that they leverage to make money, will be different than what is important to a larger organization that has more resources.

So, I think you have to look at your organization and your own capabilities, because what is going to be easy for you might be difficult for someone else. If we think about it in terms of athletes, a marathon runner is not likely to be good at throwing shotput. 

It is the same for cyber risk strategy. The conditions that you find yourself in are going to be largely dependent on your own inherent capabilities as an organization. If we look at Sun Tzu's The Art of War, it says you must know yourself first, then know your adversary and then know where the conflict is taking place. When you do those three things, then you will be able to say what are the most important factors. For example, if you are manufacturing physical goods, then what is important to you may be protecting your physical inventory and your supply chain.

Your risk posture is going to look very different than that of, say, an online gambling company where if they lose access to the Internet, they cannot make any money and they additionally suffer reputational loss because the business is entirely online and they have been taken offline.

You must match the importance of what needs to be resilient to cyber attacks with the capabilities of the organization.

CSH: How can cybersecurity teams create the best environment to effectively evaluate and manage cyber risks that they might see within that environment?

MC: Anyone who has been in a car accident did not wake up, lie in bed before their coffee and say, ‘I think I might get into a car accident today’.

Tragedies like these surprise us all the time. I think the ability to deal with that surprise effectively is the most important thing that teams can do, and the ability to recover gracefully is what makes the difference.

If you have an organization with a really good cyber threat mitigation strategy plan that is making all the right choices upfront, people will respond differently to it suffering a cyber attack.

You can see this by comparing the approaches of companies when they do experience cyber security incidents. For example, PayPal had a data leak at the start of 2023 and made a notice saying that 34,942 accounts were affected, as compared to MGM Resorts which suffered a cyber attack recently where the organization has said ‘we are not really sure of the impact’.

So, you tell me: where would you feel more comfortable actually putting your money if you had to invest it? With an organization that says: ‘This is exactly what the impact was, these are the specific number of accounts that were affected, this is how it happened, and these are the steps that we took’, and lays all the information out clearly, or one that does not take these steps?

The aim is to get to a point where a company can say: ‘This is what our plan was, this is how we handled it. This is what we expected. That was reasonable for us to expect that we practice for this day. We were able to execute on 85 percent of this plan, so next time we are going to attempt to increase this to 90 or 95 percent.’

That is a much different story than what we hear in the news for most breaches.

CSH: What are the biggest challenges that cybersecurity teams face when they are attempting to evaluate and mitigate cyber risks? And how do you think that these challenges can be overcome?

MC: The biggest challenge in evaluating cyber risk is that we always underestimate it. The impact is almost always worse than what was estimated. A lot of us are professional risk mitigators and managers, and we still get it wrong. Going back to the MGM Resorts cyber attack, I refuse to believe that MGM believed that their ransomware breach was going to cost them US$1 billion in between lost revenues, lost valuation and loss of confidence from both the market and customers.

That, to me, is the biggest issue. There is a huge gap there. Even though there are a lot of numbers surrounding the cost of a data breach, they still all significantly underestimate it. So that to me, I think is the biggest area.

CSH: Looking at these kind of cyber attacks, do you think that they may inspire malicious actors because of the sheer scope and disruption caused by them?

MC: I disagree, I think that they are already inspired. Industry experts estimate that the cyber crime economy is predicted to make $8 trillion in 2023. You need to think about it not as a cyber crime problem or as an organization. It is its own economy in as much as any other organization, any other company and, as an economy, is the third largest in the world by GDP.

It is worth more than the entirety of the global narcotics trade, which is predicted to be worth between $426 billion and $652 billion. If you look at the cost of every single natural disaster combined – a cost of $313 billion in 2022 – it is still more than 10 times the size of that.

CSH: What threats or technologies do you think will pose the biggest cyber risk and how should organizations be preparing for them?

MC: I am going to sound like a broken record here because everybody else is saying ‘these are the technologies that will have the biggest impact’, but because of my time in the FBI, I tend not to think too much about technologies, I do not think about weapons. Whenever we had a bad guy, our job was to stop the bad guy. So, I did not think about whether or not they had a pistol or a knife as my focus was on stopping the bad guy, not his equipment.

We are spending a lot of time talking about the tools that these actors use, whether it is artificial intelligence (AI), ransomware, hacking, national security threats and so on. To make an impact against this threat we must focus on resilience and what you can tolerate, then understanding what you can withstand and what conditions you can withstand them under. Then you block off the factors that would affect your cyber resilience and do whatever needs to be done technically to block these things off. 
You are also going to need to be able to observe your problem, which involves looking at your XDR capabilities and working on being able to understand them. So, you will have a security operations center (SOC) and then this will enable you to look at aspects like security automation, orchestration and event management as well as the policies and procedures that need to be put in place. This includes what to do when a cyber security incident happens. You need to have a plan and practice that plan.

We cannot control how many bad guys there are out there or how many people have bad intentions, but we can make ourselves resilient.

These are the things that I think we need to focus on, like shifting some of our efforts toward developing a resilient mindset and placing more emphasis on how the business can recover from incidents. If we all build in cyber resilience, that will be the antidote to the cyber crime economy. It is not going to be a [single] technology, it is going to be a mindset. It is going to be setting aside time to build skills so that you can develop a skill set that will allow you to protect yourself.

Finally, you will be able to look at the tools that are going to enhance your skills so that you can execute your skills along with the mindset.

Miguel Clarke’s responses have been edited for conciseness and clarity. 
