@ISACA Volume 18, 4 September 2019

Apocryphal Risk Management

By Jack Freund, Ph.D., CISA, CRISC, CISM

Oftentimes, stories are widely circulated in organizations and serve as a source of truth. For instance, it could be an enterprise’s belief that an organizational apocalypse will occur if the website goes down. Versions of these stories abound, ranging from claiming losses of millions of dollars an hour to mass customer desertion. These stories exist for other parts of the confidentiality, integrity and availability (CIA) triad as well, for example, “If we suffer a data breach, our customers will never trust us again.” Sometimes, these stories may even be more nuanced and complex. Perhaps the organization’s story prophesizes how regulator action would mean the end of the enterprise or how the loss of a key customer would set off a chain reaction of customer loss in the same region or industry.

There is no limit to the human mind’s ability to think negatively. (It is why there are no books in the library about how to think negatively.) Paradoxically, there is much social science research about how we very often overestimate our ability to succeed. It is in this space that there are certain risk management obligations that must be undertaken. First among them is that enterprises cannot rely on organizational storytelling to define risk management programs.

I recently had the opportunity to speak to some risk management professionals at a large retailer. At a certain point during the conversation, one person recounted an organizational story that was widely regarded as true but had dubious authenticity. This person had investigated the details of the story (a version of the website-outage story outlined previously) and gathered hard data to support the assertion that it was not true. Apocryphal stories like this can negatively impact an organization’s ability to manage risk effectively. Indeed, they contribute to one of the worst results of poor risk management: misallocation of resources. Instead of placing money, time and people on problems that can truly cause damage to the organization, relying on these stories for prioritization results in enterprises chasing ghosts.

This means cyberrisk management professionals have an ethical obligation to tell the truth. I contend that this is more than a simple charge to not misrepresent facts. Voltaire, French Enlightenment writer, historian and philosopher, is credited with saying that “It is dangerous to be right in matters on which the established authorities are wrong.” How true that still is today. Power often defines truth. In the context of testing and challenging apocryphal organizational risk stories, this requires a 3-pronged approach on the part of the cyberrisk professional. Blending the 3 modes of persuasion—ethos, logos and pathos—is necessary for success.

The ethos, or speaker credibility, is where the root of the apocryphal stories lies. Indeed, it is often people with organizational rank or decades of experience from whom these stories originate or by whom they are propagated. As a result, it is important not to ignore one’s own ethos in this endeavor. In these situations, it is best to be aligned with people in the organization who can help provide air cover (sponsorship) if things go wrong. Timing is also important. Newcomers to an organization sometimes can challenge the status quo, but this soon passes, and the desire to assimilate quickly follows. Many organizations find that hiring outside consultants to tell this story absolves them of having to deliver difficult messages to those with significantly more ethos than them.

The logos, or logic and reasoning part of the argument, can best be enhanced by using a cyberrisk quantification (CRQ) methodology, such as Factor Analysis of Information Risk (FAIR). It provides the framework and language to prepare quantitative arguments that help to outline the metrics that trigger a risk event and what the fallout will be. In the example related previously, the risk professional gathered online sales numbers to bolster his assertion about the impact rating. These metrics showed that the opposite of the apocryphal story was true: Certain doom was not inevitable. It was not a complete refutation of the story, but it certainly went a long way in downplaying the story in favor of other more perilous events.
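As an added illustration of the kind of data-driven comparison described above (this is not code from the article, from RiskLens or from the FAIR standard), the following Python sketch puts an apocryphal "a million dollars an hour" outage claim next to a FAIR-style estimate built from hourly online-sales figures. The sales figures, the outage frequency and duration ranges, and the share of sales that customers defer rather than abandon are all constructed assumptions; the point is the shape of the argument, not the numbers.

```python
"""FAIR-style check of an apocryphal website-outage story against sales data.

Constructed example: compares a "millions of dollars an hour" narrative with
the annualized loss exposure (ALE = loss event frequency x loss magnitude)
implied by hourly online-sales figures and an assumed outage frequency.
"""
import random
import statistics

# Constructed hourly online-sales figures (USD) for one representative day,
# index 0 = midnight. In practice these come from the order system.
HOURLY_SALES = [
    2100, 1500, 1100, 900, 800, 1000, 1800, 3200, 5400, 7100, 8300, 9000,
    9600, 9200, 8800, 8400, 8900, 9700, 10400, 9800, 8100, 6200, 4300, 2900,
]

# The apocryphal claim to be tested (assumed figure, not from any source).
STORY_LOSS_PER_HOUR = 1_000_000


def peak_hour_loss(hourly_sales=HOURLY_SALES):
    """Worst-case revenue at risk for a one-hour outage: the busiest hour."""
    return max(hourly_sales)


def outage_loss(start_hour, duration_hours, hourly_sales=HOURLY_SALES,
                recovered_fraction=0.0):
    """Revenue at risk for an outage starting at start_hour (0-23).

    recovered_fraction is the share of sales that are deferred rather than
    lost (customers who return once the site is back); this is the sort of
    loss-magnitude refinement the story never makes.
    """
    lost = 0.0
    for i in range(duration_hours):
        lost += hourly_sales[(start_hour + i) % 24]
    return lost * (1.0 - recovered_fraction)


def simulate_ale(n=10_000, seed=1, hourly_sales=HOURLY_SALES):
    """Monte Carlo annualized loss exposure from assumed frequency/magnitude.

    All ranges are assumptions for the example: outages per year
    triangular(min=1, most likely=3, max=12), duration per outage in hours
    triangular(min=1, most likely=2, max=8), recovered fraction
    triangular(0.2, 0.5, 0.8). A fixed seed keeps the run reproducible.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(n):
        # random.triangular takes (low, high, mode); note the argument order.
        events = int(round(rng.triangular(1, 12, 3)))
        year_total = 0.0
        for _ in range(events):
            start = rng.randrange(24)
            duration = int(round(rng.triangular(1, 8, 2)))
            recovered = rng.triangular(0.2, 0.8, 0.5)
            year_total += outage_loss(start, duration, hourly_sales, recovered)
        totals.append(year_total)
    totals.sort()
    return {
        "mean": statistics.mean(totals),
        "p10": totals[int(0.10 * n)],
        "p90": totals[int(0.90 * n)],
        "max": totals[-1],
    }


def story_vs_data(ale):
    """Put the story's single-hour figure beside the data-driven P90 for a
    whole year; a ratio well above 1 means the story overstates exposure."""
    return {
        "story_single_hour": STORY_LOSS_PER_HOUR,
        "data_p90_full_year": ale["p90"],
        "story_overstates_by": STORY_LOSS_PER_HOUR / ale["p90"],
    }


if __name__ == "__main__":
    ale = simulate_ale()
    print("Busiest hour at risk:", peak_hour_loss())
    print("Simulated ALE:", ale)
    print("Story vs data:", story_vs_data(ale))
```

The comparison is deliberately generous to the story: it sets one hour of the claimed loss against the 90th percentile of a full year's simulated outages. If even that does not reach the story's figure, the logos argument is made without having to attack the storyteller; the remaining work is pathos, presenting the gap in a way the audience can accept.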

Pathos represents the listener’s emotions in this situation, and that is where a tactful recitation of the facts presented in logos arguments is most valuable. Emotional intelligence is an often-underrated skill in risk management. Society prefers the cold hard facts of the logos argument. But that alone will not be enough to successfully challenge a spurious organizational story. Indeed, it is important to practice the presentation of the facts in various ways to appeal to different audiences. Apocryphal stories such as “We do not know where our data are” when the facts show that the IT asset inventory is quite accurate can be adapted to say, “We need to better understand where data duplication exists so that we can have a single record of truth.” Digging deeper into the audience’s understanding of the problem and then extending their belief beyond its barriers to where the logos argument indicates the real problem lies is necessary.

Blending elements of each of these 3 modes of persuasion is important to successfully test and challenge apocryphal risk management in an organization. I told the aforementioned risk professional at the large retailer that what he did was brave. Indeed, it is often dangerous to be right when the established authorities are wrong. However, the risk profession requires communicating the truth to those in power. Successful risk management can happen only when decision-making is completed through analyzing facts, not relying on questionable storytelling.

Jack Freund, Ph.D., CISA, CRISC, CISM, is director of risk science for RiskLens, a member of the Certified in Risk and Information Systems Control™ (CRISC™) Certification Working Group, coauthor of Measuring and Managing Information Risk, a 2016 inductee into the Cybersecurity Canon, an IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.


Complying With New Laws and Regulations Around the World


Source: Canan turan; Getty Images

The EU General Data Protection Regulation (GDPR) inspired the US states of California and Washington to enact similar privacy laws, and many more states and countries are expected to follow suit. Privacy regulations are in the forefront not only in Europe and the United States but also in Australia, Brazil, the United Arab Emirates and more. As more regulations are implemented globally, organizations are struggling to comply.

Learn to review fundamental privacy requirements across a variety of regulations to help streamline the key elements to meet compliance in the “It's a Compliance World—New Standards for Global Privacy Requirements and Regulations” webinar presented by ISACA and SecurityScorecard. In this webinar, which takes place on 12 September at 11AM CDT (UTC -5 hours), SecurityScorecard’s vice president of compliance, Fouad Khalil, will outline best practices aimed at streamlining compliance, how to minimize compliance operational costs and what is coming next in the world of regulations. ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Khalil is responsible for internal and external compliance programs, auditor education, alignment with industry best practices, and global sales support. He has extensive experience in the technology space with more than 25 years spanning disciplines in software development, IT support, program and project management, and IT security and compliance management, including supervising compliance with the US Sarbanes-Oxley Act 2002 (SOX), Payment Card Industry Data Security Standard (PCI DSS), US Health Insurance Portability and Accountability Act (HIPAA), and US Health Information Technology for Economic and Clinical Health Act (HITECH). He will use his experience to help you ensure compliance with global standards throughout your organization.

To learn more about this webinar or to register for it, visit the It's a Compliance World—New Standards for Global Privacy Requirements and Regulations page of the ISACA website.


Secure Your Network’s Perimeter


Source: Wutthichai; Getty Images

Gaining perimeter access to networks can easily be accomplished via physical or proximity means. Some easy ways to thwart nefarious actors are to turn off your phone Wi-Fi when you leave your work or home and to never pick up a misplaced universal serial bus (USB) drive on the sidewalk. Threat actors can manipulate your network through Internet of Things (IoT)/Industrial Control Systems (ICS) devices, physical-enabled remote access, radio frequency (RF) geolocation and profiling.

Attend ISACA’s “Radio Realities: Wi-Fi and Physical Access Techniques” webinar to gain insight into and learn to mitigate possible threats to networks via physical and proximity access. This webinar takes place on 18 September at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Dustin Brewer, CSX-P, CCSP, CEH, CHFI, manager and product platform developer of cybersecurity at ISACA, will present the webinar. Brewer has 17 years of experience in the IT field beginning with networks, programming and hardware specialization. He excelled in the cybersecurity field with computer incident response teams and as a senior test engineer while serving in the US military; specialized in computer networking security, penetration testing and training for various US Department of Defense (DoD) and commercial entities; and currently, in his role at ISACA, develops innovative training programs to best prepare cybersecurity specialists for the future in this dynamic field. He will use his experience to help you secure your personal network.

To learn more about this webinar or to register for it, visit the Radio Realities: Wi-Fi and Physical Access Techniques page of the ISACA website.


Innovating to Make a Difference and a Profit


Automation has allowed machines to take over many jobs people used to perform, freeing humanity up to innovate and pursue more purposeful, meaningful careers. In this Off-Stage and Off-Script episode of the ISACA Podcast, EuroCACS/CSX Conference 2019 keynote speaker Jon Duschinsky discusses why people and organizations should be excited by this new professional environment.

In this episode, titled “Innovating With a Purpose,” Duschinsky explains that for today’s professionals, making a difference in society and making a profit should not be mutually exclusive. Millennials and digital natives entering the workforce today are increasingly trying to both make a difference and make money, and Duschinsky thinks the 2 go hand in hand.

This podcast episode, along with dozens of other podcasts on governance, security, risk and audit, can be streamed on the ISACA Podcast page of the ISACA website, Apple Podcasts, Google Play, SoundCloud and Stitcher.


Join ISACA for a Global Day of Service on ISACA CommunITy Day


Source: Hero Images; Getty Images

ISACA is committed to giving back and hopes to give ISACA members around the world a chance to make the world a better place during this new event, ISACA CommunITy Day on 5 October 2019. This inaugural event exemplifies ISACA’s purpose, promise and values with a day of volunteer service.

With the passion, dedication and strength of ISACA professionals around the world, the goal is to improve the lives of people in many communities. Many chapters have enthusiastically joined this initiative, contacting charitable organizations and setting up opportunities for member participation. For example, on 5 October 2019, you will find ISACA staff teams packing seeds for Feed My Starving Children; participating in a 5 kilometer (5K) run/walk for AIDS research; sorting and stocking donations for ReStore, a home improvement warehouse that supports Habitat for Humanity; and much more. Some chapters have already decided to get involved in their own local 5K walks, animal shelter support and digital academic projects.

Visit the ISACA CommunITy Day page on the Engage website and download the participant instructions to learn how you can get involved. ISACA will track the hours served, people participating, opportunities offered and places helped. To follow the activities on social media, use #ISACACommunITyDay and post your own photos and videos. Questions? Contact volunteer@isaca.org.