I performed my first ICS cybersecurity risk assessment in 2000 for a large water utility. It was eye opening, both to the power of automation and to the lack of cybersecurity and cyber maintenance. In the six years that followed, the Digital Bond team performed numerous assessments and generated many long reports chock full of findings and appendices.
Like many we rated the findings in three risk categories (we called them Exposures, Concerns and Observations) in an effort to help our asset owner clients understand where they should spend their time and money.
In 2007 a client saw the draft report and said: “This doesn’t really help me. There are too many Exposures and Concerns. Can you tell me what are the top 5 things I should do in 0 – 6 months, and the top 5 things I should do in months 7 – 18?” It was a great suggestion, and we included it in every assessment until we got out of that business in 2018.
Limits are extremely helpful in projects. They force you to develop decision criteria and make decisions. Not only were we limited to two sets of 5 actions, but we also had to pick items that were realistically achievable in the timeframes. Realism is important. Early wins and early losses often have long term effects. If an asset owner had success with 3 or more of the top 5 in 0 – 6 months, they had significant risk reduction and momentum.
The criterion we used was Efficient Risk Reduction: where would the asset owner receive the most risk reduction for the next dollar or hour spent? This, combined with the limits on time and on the number of items, meant that the greatest risk sometimes wasn’t addressed in the 0 – 6 month list at all, and was sometimes only indirectly or sub-optimally addressed in the 7 – 18 month list.
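One way to make the efficient-risk-reduction selection mechanical is shown below. This is an added example, not Digital Bond’s assessment methodology or tooling: the findings, risk-reduction scores, effort estimates, calendar times and the 80 hours-per-month labour budget are all constructed for illustration. It ranks findings by risk reduction per hour, fills each horizon in that order while respecting the per-list limit, the realistic completion time and the horizon’s labour budget, and contrasts the result with a plain “largest risk first” ranking.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One assessment finding with a hypothetical remediation estimate."""
    name: str
    risk_reduction: float    # expected drop in the site's risk score (assumed units)
    effort_hours: float      # estimated labour to complete
    months_to_finish: float  # realistic calendar time from start to done


def efficiency(f: Finding) -> float:
    """Risk reduction per hour of effort: the efficient-risk-reduction criterion."""
    return f.risk_reduction / f.effort_hours


def top_by_risk(findings, n=5):
    """The naive alternative: rank purely by size of the risk reduction."""
    return sorted(findings, key=lambda f: f.risk_reduction, reverse=True)[:n]


def plan(findings, horizons=(("0-6 months", 6), ("7-18 months", 12)),
         per_list=5, hours_per_month=80.0):
    """Greedy plan: for each horizon, walk the not-yet-scheduled findings in
    descending efficiency order and take an item only if it is realistically
    finishable within the horizon and the horizon's remaining labour budget
    covers it, stopping at per_list items. Returns the per-horizon lists and
    whatever could not be scheduled in either horizon.
    """
    remaining = sorted(findings, key=efficiency, reverse=True)
    schedule = []
    for label, months in horizons:
        budget = months * hours_per_month   # assumed capacity for the horizon
        chosen = []
        for f in list(remaining):
            if len(chosen) == per_list:
                break
            if f.months_to_finish <= months and f.effort_hours <= budget:
                chosen.append(f)
                budget -= f.effort_hours
                remaining.remove(f)
        schedule.append((label, chosen))
    return schedule, remaining


# Constructed findings for a hypothetical water utility. Every number is an
# illustrative estimate chosen for the example, not a measurement.
FINDINGS = [
    Finding("Remove default credentials on PLCs and switches", 10, 60, 2),
    Finding("Disable unused services on HMIs", 6, 40, 1),
    Finding("Take engineering workstation off direct Internet", 12, 100, 3),
    Finding("Offline backups of PLC logic and HMI images", 8, 80, 2),
    Finding("Operator security awareness briefing", 3, 30, 1),
    Finding("Multi-factor authentication for remote access", 14, 200, 5),
    Finding("IT/ICS network segmentation with firewall", 40, 600, 12),
    Finding("Vendor-approved HMI operating system patching", 7, 120, 4),
    Finding("Central logging and monitoring of the ICS network", 15, 400, 8),
    Finding("Complete ICS asset inventory", 5, 160, 3),
]


if __name__ == "__main__":
    print("Largest single risk reduction:", top_by_risk(FINDINGS, 1)[0].name)
    schedule, deferred = plan(FINDINGS)
    for label, items in schedule:
        print(f"\nTop {len(items)} for {label}:")
        for f in items:
            print(f"  {f.name}  ({efficiency(f):.3f} risk/hour)")
    print("\nNot scheduled within 18 months:", [f.name for f in deferred])
```

With these constructed numbers the segmentation project carries the largest single risk reduction, yet it is absent from the 0 – 6 month list because it cannot realistically finish in six months; it lands in the 7 – 18 month list, where it consumes most of the budget and pushes logging and asset inventory out entirely. That is the trade-off the criterion makes explicit: the quick, cheap items go first, and the biggest item is scheduled only where the constraints allow.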
The popular term Cyber Hygiene has, unfortunately, become synonymous with security good practice in general. There is a large and growing number of security good practices, as there was way back when we began doing assessments. Telling an asset owner they need Cyber Hygiene isn’t particularly helpful. Neither is handing them a long list of good practices they aren’t following or a long list of vulnerabilities they have.
Your job is to determine what to do next under the actual limitations you face. Efficient risk reduction is one way to do this. You may have another way. The key is to prioritize your risk reduction actions so you can show meaningful wins for the team and company.