
Security Think Tank: Is it true you can't manage what you don't measure?

What should be the key cyber security risk indicator for any business?

What you don’t measure you cannot manage – or can you? Is this a controversial view? It has undoubtedly been branded untrue in the past.

I’m not sure there is a title “True Leader” as they come in all “shapes and sizes” and probably fit into the commonly defined categories such as “autocratic”, “democratic” and “laissez-faire”. In standard business practices, true leaders lead teams and companies by instinct and are influenced by previous experiences (both good and bad).

I wonder how risk-averse they really are, or whether they rely on gut instinct simply because intuition has served them well on many previous occasions. Is there a parallel to betting on red continually until the ball drops onto a black number?

Many cyber attacks happen because business leaders underestimate typical cyber risks: in the end, running a business is all about taking risks. However, “gut instinct” only takes you so far – until the ball drops onto a black number!

The biggest problem with using “gut instinct” to gauge cyber security risk is a lack of understanding of adversaries, combined with underestimating both the impact and the likelihood of an event occurring. Some might call it wilful neglect: refusing to acknowledge that any meaningful threat exists.

As a result, business leaders, when confronted with a cyber security state of play, dismiss it as fear, uncertainty and doubt (FUD). Did I hear someone say, “wilful neglect”? But let me be clear – it has been fear that has been driving our decisions for millennia. Those who did not fear were more likely to succumb to catastrophic events from which survivors learned.

I therefore strongly believe that “fear” is useful leverage when asking executives to improve the cyber security budget.

The key, however, is to bring believable data (eliminating uncertainty and doubt) that compares your organisation with the rest and assesses your exposure to other catastrophic events (i.e. cyber security incidents). Just offering up statistics is relatively pointless. It isn’t until you start talking about financial impact that you may begin to gain the executive board’s attention.

The above is my long-winded way of reaching the conclusion: yes, collect metrics and key risk indicators (KRIs) – but be selective. Now you are saying, “That’s clever of you, but which ones?” The answer to that question is a typical one: “It depends!”

If you are starting on your cyber security journey, try asking the following questions:

  1. Are you confident you know all your data stores – including personal computers, test/dev servers, cloud applications, mobile devices and even USB sticks – that could be targeted, causing serious data loss? Here’s my (not so) secret: most organisations could not, or would not, confidently answer “yes”.
  2. Are you able to enumerate all vulnerabilities in all your systems that are present and could be used in current active attacks by adversaries? Answering this question is not as easy as running vulnerability scans. A well-established vulnerability management programme is vital here.
  3. Are you able to detect cyber incidents within hours of compromise? Spoiler alert: most organisations are not, and the mean time to incident discovery is around 180 days!

Only when you can answer the above questions confidently, with complete honesty and a good conscience, with a resounding “yes”, should you bother with metrics and KRIs. Otherwise, it is a waste of time and resources that would be better spent changing the “no” answers to “yes” for the questions above.
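The three questions above only become honest “yes”/“no” answers once each is backed by a number. The script below is an added example, not code from the column or its author: it turns question 1 into an inventory-coverage ratio (register versus what discovery actually found), question 2 into a count of actively exploited findings still open past a remediation SLA, and question 3 into the mean time between compromise and discovery. Every asset name, vulnerability identifier, date and threshold (98% coverage, a 14-day SLA, detection within one day) is a constructed assumption for illustration.

```python
"""Turn the three readiness questions into measurable checks.

Added example with constructed data: the asset names, placeholder
vulnerability ids, dates and thresholds below are assumptions, not figures
from any real organisation.
"""
from datetime import date
from statistics import mean

# Question 1: what the asset register (CMDB) claims we own, versus what
# network/cloud discovery actually found. Constructed sample sets.
CMDB_ASSETS = {"web-01", "db-01", "laptop-017", "s3-backups"}
DISCOVERED_ASSETS = {"web-01", "db-01", "laptop-017", "s3-backups", "test-srv-9"}

# Question 2: constructed scan findings as
# (asset, placeholder vuln id, known to be actively exploited, days open).
FINDINGS = [
    ("web-01", "VULN-EXAMPLE-1", True, 40),
    ("db-01", "VULN-EXAMPLE-2", False, 90),
    ("laptop-017", "VULN-EXAMPLE-3", True, 3),
    ("test-srv-9", "VULN-EXAMPLE-4", True, 120),
]

# Question 3: constructed incident records as (date compromised, date discovered).
INCIDENTS = [
    (date(2024, 1, 10), date(2024, 6, 28)),
    (date(2024, 3, 1), date(2024, 3, 3)),
    (date(2024, 2, 1), date(2024, 4, 9)),
]


def unknown_assets(cmdb, discovered):
    """Assets that discovery found but the register does not know about."""
    return sorted(set(discovered) - set(cmdb))


def inventory_coverage(cmdb, discovered):
    """Fraction of discovered assets that appear in the register (1.0 = complete)."""
    discovered = set(discovered)
    if not discovered:
        return 1.0
    return len(discovered & set(cmdb)) / len(discovered)


def exploited_past_sla(findings, sla_days=14):
    """Findings that are actively exploited and still open beyond the remediation SLA."""
    return [(asset, vuln) for asset, vuln, exploited, days_open in findings
            if exploited and days_open > sla_days]


def mean_time_to_discover(incidents):
    """Mean days between compromise and discovery (the KRI behind the '180 days' figure)."""
    if not incidents:
        return 0.0
    return float(mean((found - hit).days for hit, found in incidents))


def readiness_report(cmdb, discovered, findings, incidents,
                     coverage_target=0.98, sla_days=14, detect_within_days=1):
    """Answer the three questions with yes/no plus the number that backs each answer."""
    cov = inventory_coverage(cmdb, discovered)
    overdue = exploited_past_sla(findings, sla_days)
    mttd = mean_time_to_discover(incidents)
    return {
        "know_all_data_stores": ("yes" if cov >= coverage_target else "no", round(cov, 3)),
        "exploitable_vulns_under_control": ("yes" if not overdue else "no", len(overdue)),
        "detect_within_hours": ("yes" if mttd <= detect_within_days else "no", round(mttd, 1)),
    }


if __name__ == "__main__":
    report = readiness_report(CMDB_ASSETS, DISCOVERED_ASSETS, FINDINGS, INCIDENTS)
    for question, (answer, evidence) in report.items():
        print(f"{question}: {answer} (evidence: {evidence})")
    print("unregistered assets:", unknown_assets(CMDB_ASSETS, DISCOVERED_ASSETS))
```

With the constructed data every answer comes out “no”: one discovered server is missing from the register, two exploited findings are well past the SLA (one of them on that unregistered server), and the mean time to discovery is 80 days rather than hours. That is the point of the exercise: the numbers tell you which “no” to work on first, before any broader KRI programme.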

In summary, please don’t rely on pure gut instinct: good leaders will make full use of the specialists they have, to provide the necessary information to help make the right decision.
