
Book of the year: Cyber Risk
Operational Risk Awards 2017: Winning entry taps into number one concern for many op risk managers

The winner of Risk.net’s inaugural Book of the Year award, Cyber Risk, will be out of date within two years, editor Michael Woodson believes. “It’ll be sooner rather than later,” he says. “Cyber risk is evolving at a very rapid pace. With cloud computing and the Internet of Things, we are going into new territory.”
Cyber Risk tackles the most rapidly evolving and dangerous risk now facing the financial sector, covering the nature of the threat, techniques for measuring, modelling and responding to it, and the outlook for cyber risk in the future. Judges were unanimous in their conclusion that the book not only tackles a highly relevant topic, but also adds something new to the operational risk canon.
“Michael Woodson has collected together an interesting roster of authors to provide a book that deals with technical information such as new threats and where they arise from, but would also help a user with little or no prior knowledge of cyber risk to build a complete, relevant framework,” says one judge.
The spread of mobile technology has increased the potential attack surface that cyber risk professionals must now defend. And a growing problem, says Woodson, is the use of outdated technology. In May 2017, the UK National Health Service was brought to its knees by the WannaCry ransomware attack, largely because so many of its computers were using outdated versions of the Microsoft Windows operating system.
This problem will only worsen with the growth of the Internet of Things, as many internet-enabled appliances will be intended to operate for decades, and may be difficult or impossible to upgrade and patch, but could still provide weak points that an attacker might choose to penetrate.
“Where old meets new, that creates cracks, which become holes, which become craters,” says Woodson. The final chapter of Cyber Risk, written by Soltra Solutions chief executive Mark Clancy, examines the future of cyber risk in more detail, warning that “the discipline has evolved in response to external incidents and has been playing catch-up”. He highlights the danger of an attack sponsored by a nation state, such as the 2014 hacking of Sony Pictures by a North Korean group, for which very few corporate IT security departments are prepared.
There is already extensive technical literature on cyber security aimed at IT professionals, but in Cyber Risk, Woodson has aimed at a slightly different audience. “We were focusing on senior management,” he explains. “This is where we are, what we’re dealing with and where we have been, and we alluded in the last chapter to where we are going.” A second edition would be aimed at board members as well, he adds, as they also need to understand the issues facing the business.
Focusing on a target audience in senior management brought the spotlight on to issues of measurement and management, as well as threats and countermeasures. RiskLens’ Jack Jones, who wrote the chapter on quantifying cyber risk, warns that cyber risk professionals face a “highly complex and dynamic cyber risk landscape”, and they often lack the mature approaches and tools to address it.
“We need to do a better job of coming up with metrics that tell us what these risks are as the threat landscape changes, and as people’s demands and services change,” Woodson says. “If I had to pick one chapter [where we had trouble], it would be metrics.” A second edition of the book would delve deeper into the development of qualitative and quantitative metrics for cyber risk.
Security information management systems require skilled and experienced staff to interpret their output and monitor external threats. As new vulnerabilities emerge, banks and other financial institutions may be forced to place much greater reliance on machine learning software to handle the data analytics required to monitor and measure cyber threats.
Risk officers will need to get used to a much faster pace of change in cyber security, Woodson predicts. “We have to get into a prevention mode and prepare for unknown threats and that’s where machine learning comes in. We need continual monitoring via modelling, and analysing and adjusting the risk and defence posture accordingly; it might be on a daily basis.”
Risk professionals also have to widen their scope, he says: a second edition of Cyber Risk will have to look more closely at the risks inherent in the use of social media, especially when combined with a bring-your-own-device policy. As well as looking at the security of devices, risk managers will need to consider the security of social media applications, and the risks that their employees’ social connections bring to the firm. “It comes down to awareness training – it is a huge issue,” says Woodson. Managers will also have to pay even more attention to third-party risks, and to the potential for reputational loss and damage.
And finally, he predicts a change in terminology and personnel. The growing overlap between risk and security could lead to the rise of the chief information security and risk officer, and even to the merger of information security and physical security responsibility, as advances such as the Internet of Things and ‘smart buildings’ blur the lines between the physical and digital realms. Technology and privacy issues could also overlap, with a ‘chief security officer’ or ‘chief information risk officer’ reporting directly to the board, rather than to a chief information officer.
Copyright Infopro Digital Limited. All rights reserved.