Poor risk management leads to a slippery slope of weak prioritization, wasted resources, and unaddressed security issues. Most businesses don't know how to quantify and manage risk, and their failures lead to repeating the same security problems and facing new, major ones.
All this comes from the FAIR Institute, a nonprofit focused on advancing risk measurement and management. The institute polled 114 professionals who identify as CISO, cybersecurity specialist, risk officer, risk analyst, and C-level exec. Its goal was to learn about the current state of risk management maturity.
The top four scores came from businesses in the health, finance, consulting, and insurance industries. While the financial services industry scored highest overall, says Jones, even the top 25th percentile of scores were relatively low -- a sign risk management is immature overall.
Most cyber risk management programs are "going through the motions" on risk management, says FAIR Institute chairman Jack Jones, who is also cofounder and executive vice president of R&D at RiskLens. It's common for organizations to make decisions about people, processes, and technology without ensuring these choices are properly informed and executed.
"The industry has historically focused on best practices checklists … rather than effective risk measurement and prioritization," he says. Much of this is due to a weak understanding of risk. Decision making and execution are both low across industries, suggesting both are problematic.
While compliance checklists aren't harmful by nature, people assume compliance achieves risk management objectives, Jones says. Many businesses fail to prioritize issues due to inaccurate terminology, broken mental models, and insufficient skills among those who rate risk.
One major weakness is a "huge reliance" on mental models for rating risk instead of formal analytical models, Jones explains. Forty-three percent of survey respondents claimed their Model Quality was "Weak," as they rely on the intuition of risk practitioners to evaluate risk.
"Mental models are notoriously inconsistent and unreliable in problem spaces as dynamic and complex as cyber, which significantly increases the odds of inaccurate risk information for decision-makers," he continues. "This affects prioritization and solution selection at both tactical and strategic levels."
Organizations also fail to motivate business leaders to take risk management as seriously as revenue goals, deadlines, and budget requirements. "As long as this is the case, non-compliance with internal policies and/or external regulations will continue to be a problem," says Jones.
Citing previous root cause analyses he has performed, Jones explains that more than 75% of non-compliant conditions (bad passwords, missing patches) exist because other enterprise imperatives, such as deadlines and budgets, are prioritized over them.
"Risk imperatives need to be placed on equal footing with other business objectives," he emphasizes, suggesting that business executives have part of their compensation tied to specific risk management goals each year. Objectives would be agreed on by the execs who will be held accountable, he adds.
Jones advises that businesses reset their understanding of risk and normalize their terminology, mental models, and measurement practices for risk. They should also put more careful thought into who is responsible for rating risk, he adds.
"Just because someone is a great auditor or security engineer doesn't qualify them to understand or measure risk reliably," Jones explains. "Risk measurement is an analytic process that requires specific, and relatively uncommon, capabilities such as critical thinking skills, an understanding of basic probability principles, calibrated estimation skills, and an ability to use formal analytic models."
When businesses can't manage risk, it has a broader effect on the whole organization. Major issues go unaddressed and resources are wasted on smaller problems. Businesses end up treating the same issues over and over again, Jones says.