You Must Understand Your Organization’s Risk Management

Do you want support and funding for your ICS security initiatives? Then you need to understand what executives view as high, unacceptable consequences that believably could be caused by a cyber or cyber/physical incident. Go to executives claiming a calamity for something they consider an undesirable but acceptable consequence, and your credibility will be damaged.

A recent article, Cybersecurity Risks Loom Large In Hospital Networks, is a great example of not understanding an organization’s view and management of risk and consequence.

With new threat vectors emerging every day, healthcare organizations are facing an unprecedented level of challenges to their security … The bigger hospital networks reported an average shutdown time of 6.2 hours at a cost of US$21,500 per hour

Most hospital executives would gladly sign up to losing only $133,300 (6.2 hours at $21,500 per hour) to cyber incidents in a year. This is a tiny financial blip to them when you consider that uncompensated care alone is approximately 6% of hospital costs and that net patient revenue for a network of this size is $2B to $4B. A $133K loss to a company of that size is a grain of sand.

If the executives entertained a discussion of additional spending to address this potential financial loss, they might ask how much it would cost to eliminate the risk. Are you the brave (foolhardy) person who is going to give a number to “eliminate” the risk? How does your number compare with $133K, and how much likelihood reduction will you claim to achieve for it?

Beyond the financial impact, hospitals, or any business, need to deal with full or partial outages due to weather, power, employee/labor and supply problems and, yes, cyber incidents. At 6.2 hours annually, cyber is likely not one of the larger causes of patient care outages.

Covid has been an actual large consequence event for many asset owners. The cold wave in Texas was an actual large consequence event for the power industry there. Real incidents with real impacts are being dealt with every day by executives with risk management responsibility.

This is not to say that ransomware in hospitals, or other real and potential cyber incidents in other ICS sectors, are not risks with potentially unacceptable consequences from an organization’s risk management standpoint. They can be. What the security professional needs to do is:

  • work with the right people in the company to quantify the impact of an incident in the various risk management consequence categories (financial, customer impact, safety, reputation, etc.)
  • see where this impact falls in the organization’s risk matrix or other vehicle used to manage risk. If this impact or consequence falls above the risk acceptance level, then
  • identify a number of defensible options to reduce the consequence or likelihood of the incident (multiple options, because executives like to make decisions, not be told what to do; h/t Patrick Miller)
  • present those options to the executives with risk management responsibility and let them decide what to do
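
To make the four steps concrete, here is a small Python model of the procedure. It is an added example, not code from the original post or from any named organization. The hourly outage figures come from the hospital article quoted above; the 1–5 likelihood scale, the dollar bands per consequence level, the acceptance threshold, the second scenario, and every option name, cost and effect are assumptions for illustration. Substitute your own organization’s matrix and register values.

```python
from dataclasses import dataclass, field

# Figures the post quotes from the hospital article.
OUTAGE_HOURS_PER_YEAR = 6.2
COST_PER_HOUR_USD = 21_500

# Everything below is an ASSUMED, illustrative risk program: a 1..5 likelihood
# scale, 1..5 consequence bands per category, and risk score = likelihood x
# worst consequence band. Replace with your organization's own matrix.
LIKELIHOOD_SCALE = {1: "remote", 2: "unlikely", 3: "possible", 4: "likely", 5: "expected"}
FINANCIAL_BANDS = [(0, 1), (1_000_000, 2), (10_000_000, 3), (50_000_000, 4), (200_000_000, 5)]
RISK_ACCEPTANCE = 10  # assumed: scores above this need an executive decision


def annual_financial_loss(hours_per_year: float, cost_per_hour: float) -> float:
    """Expected annual outage cost implied by the article's numbers."""
    return round(hours_per_year * cost_per_hour, 2)


def financial_band(loss_usd: float, bands=FINANCIAL_BANDS) -> int:
    """Map a dollar loss onto the consequence scale: highest band whose floor is met."""
    band = bands[0][1]
    for floor, b in bands:
        if loss_usd >= floor:
            band = b
    return band


def clamp(v: int) -> int:
    """Keep likelihood and consequence inside the 1..5 matrix."""
    return max(1, min(5, v))


@dataclass
class Scenario:
    name: str
    likelihood: int               # 1..5
    consequences: dict[str, int]  # category -> band 1..5

    def risk_score(self) -> int:
        """Matrix placement: likelihood times the worst consequence category."""
        return self.likelihood * max(self.consequences.values())

    def above_acceptance(self, threshold: int = RISK_ACCEPTANCE) -> bool:
        return self.risk_score() > threshold


@dataclass
class Option:
    name: str
    annual_cost_usd: float
    likelihood_delta: int = 0
    consequence_delta: dict[str, int] = field(default_factory=dict)


def apply_option(s: Scenario, o: Option) -> Scenario:
    """Residual scenario after a control. Nothing here claims to 'eliminate' risk."""
    residual = {cat: clamp(band + o.consequence_delta.get(cat, 0))
                for cat, band in s.consequences.items()}
    return Scenario(f"{s.name} + {o.name}", clamp(s.likelihood + o.likelihood_delta), residual)


def compare_options(s: Scenario, options: list[Option], threshold: int = RISK_ACCEPTANCE):
    """Rows for the executive decision: (option, residual score, annual cost,
    now within acceptance?), sorted by residual risk and then cost."""
    rows = []
    for o in options:
        r = apply_option(s, o)
        rows.append((o.name, r.risk_score(), o.annual_cost_usd, not r.above_acceptance(threshold)))
    return sorted(rows, key=lambda row: (row[1], row[2]))


# --- Constructed walk-through --------------------------------------------------
# Scenario A: the article's average, a 6.2 h/yr IT outage. Lands in financial band 1.
loss = annual_financial_loss(OUTAGE_HOURS_PER_YEAR, COST_PER_HOUR_USD)  # 133300.0
article_average = Scenario("ransomware, 6.2 h/yr IT outage", likelihood=4,
                           consequences={"financial": financial_band(loss), "safety": 1, "reputation": 1})

# Scenario B (assumed): a 5-day clinical-systems outage at the same hourly rate,
# with assumed safety and reputation bands. This is the one worth escalating.
multi_day_loss = 5 * 24 * COST_PER_HOUR_USD  # 2,580,000 -> band 2
clinical_outage = Scenario("ransomware, 5-day clinical outage", likelihood=3,
                           consequences={"financial": financial_band(multi_day_loss), "safety": 4, "reputation": 3})

OPTIONS = [  # assumed costs and effects, for illustration only
    Option("accept the risk", 0),
    Option("tested offline backups + restore runbook", 150_000,
           consequence_delta={"safety": -2, "financial": -1}),
    Option("segment clinical/OT networks from IT", 400_000, likelihood_delta=-1),
]

if __name__ == "__main__":
    for s in (article_average, clinical_outage):
        print(f"{s.name}: score {s.risk_score()}, escalate={s.above_acceptance()}")
    for row in compare_options(clinical_outage, OPTIONS):
        print(row)
```

Run as written, the article’s average scenario scores 4 and stays inside the acceptance level, which is exactly why walking into the boardroom with that number damages credibility. The assumed multi-day clinical outage scores 12 and crosses the threshold, and the comparison table lists several options with their residual score and cost rather than one recommendation, leaving the decision where it belongs.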

Do your homework to understand and use your organization’s risk management program before standing in front of your executives and making your case that something needs to be done.
