Risk-Based Cyber Reporting Best Practices

Good afternoon everybody. So I wanted to kick off this afternoon with risk based cyber reporting and to introduce you to it. It's more like on a focus for reporting how we can achieve better reporting and then utilize a risk-based approach to elevate our reporting to support our business as well as o it begin with, I brought a fancy graph with me about cyber incidents, business interruptions, pandemic outbreaks, so risks which we cannot really control but we can kind of plan them and we can see here some fancy numbers, right? We have to cyber incidents with 44% risk on our assets.

But does it really help us to know that this specific incident type or risk type do target 44% on businesses in general or is it like more a nice step to have and doesn't really help us at all? I would say it does help us, but we need to take it in control and to take it into account. If you look for example on the pandemics, it has like different impacts on our business. It can have some re regulatory impact on our business.

So we have to have like shifts in our business and just one half can go to, can go to the office, the government might have to close our offices down and therefore we have to enable our employees to work from somewhere else. Supply chains might be affected as well. So as well there is another risk and the work vector which we need to take into account workers as I mentioned before, are impacted here as well. So maybe we introduce work from home, work from everywhere. So bring your own device might be a very nice topic to have.

And then in the end, we really need to have to enable our business in long term. So if a pandemic for example breaks out, we have to have resilience to have at least some kind of operational level still in place that our business at least works at a minimum level to at least achieve working business here. But how can we really enable our business that we really know what assets are affected by, for example, an pandemic or something else. We need to take account all different kind of threats which target our business and then we somehow need to classify them.

But how can we classify threats at all? Usually we take risk score, risk scores kind of more or less easy to establish, right? So we can say we have a likelihood of risk which can occur or, and then we have the severity of the risk. So if we can calculate it, then it's a little bit more easy to say, okay, we have different risks, the target, our business and therefore we have a standardized setting to say, okay, well we need to cover the one or the other risk. For example here, line tapping might be an issue for a database, right?

So if you think about it, how likely is it that line tapping occurs to our database? Let's assume it's not too likely. So we categorize it down here in the bottom, but if it happens we say okay, that's a catastrophic failure for our database or at least for our business.

Therefore we put it all the way up to the right and we get a score of five since we are just multiplying the bottom and the upper right square and then we get five and in the end we just calculate the different scores and we have to define some threshold where we can say, okay, one to five for example, or one to three is a low risk for us up to five is medium, up to 10 is or up to 12 is critical and then everything is high and everything up 12 up from 12 is a critical risk for us.

So if you see for example, software vulnerabilities or as errors, it's like it's possible that they occur and the impact is quite major on us or if you see a misuse of authorization, we have good staff so it's unlikely that it will be misused but still can happen and the impact is moderated since well it is. And then in the end for for example malicious software, it's likely and the impact is quite major. So it's a critical risk for us. So how does us help this graph or this threshold to to set, okay, we have the risk and now how can we utilize it at risk is risk.

So we can apply it to to a effort for example, for for our asset database A one as an example. It has high confidentiality, high integrity and the availability needs to be high as we stated. Risks without any safeguards will be high for this specific database and we have a description for it and evaluation and description, it not it's giving more context to the, it's not too importantly, but where I want to lay some highlight is the frequency of occurrence. If it frequently occurs, some we need to apply additional safeguards, right?

And if the, if the effect of some threats are quite considerable for our effort, we should think about applying some mitigation actions. For example, we could install some software and therefore we do a risk reduction for this effort and then we can risk reduce for a specific threat which comes in with a high value down to a low value through software or mitigation actions. For example, governance or processes. Same thing for misuse of authorities. We can apply policies there and therefore we come from a medium risk level to a low risk level. What does it help us?

Well in the end we do have assets, we know our assets and we do know our threats to the assets as an it, but the business usually don't know too much about the IT itself. They know their business processes, they talk money, but as an asset you come there with your effort and you you have your reporting on on threats and vulnerabilities and the impact maybe you don't even have the impact.

What it has is you just know the the threats and the vulnerabilities but you can't really define the impact and therefore you really need to assess each and every effort and go through it and say okay, we have a likelihood which the threat could appear as well as an impact on the business which really translate into money or can at least translate into money, which I will talk later on. So as I said before, we have different shapes of threats which can occur on our assets. Example fire would be one and then we can classify them into impacting our core world youth, right?

So fire does have an impact on availability line temping for an example which attack the confidentiality of of our assets and as I said before, we have this asset and four different vector thread vulnerability impact and likelihood. But in the end what really counts is much more so here we have some assumptions on our asset. So how important is it for the business or which tools and procedures apply to the asset? What is our risk appetite in general? So it's nice to have risk assessment on an asset and say okay, we have high risk but in the end we don't have any risk appetite at all.

So if you don't combine those two statements together, it's really hard for us to take value out of risk assessment and as we saw before in the table, we could reduce the risk for each and every asset or at least the threat for each and every asset. And then the combination of it reducing the threat for the whole asset as well. So as I said, really having a risk assessment for each and every asset kind of helps to understand at least what the asset does, how important it is for your company. But you really need to consider the combination of in which process taking play takes it place.

So is it just an effort which is maybe reported as a critical effort with high vulnerability and so on, but in the end it just a vacuum cleaner which automatically cleans the floor. It's not that important for our business, right? It doesn't pay into our value stream. So how can we figure out if we have the risk assessment for each and every effort if it's really a core asset of our business or as it's not?

So therefore we we do business impact analysis to see okay, we have our business processes which are core for our business and each and every core business process does apply to some assets or at least rely on them. And then we can have a combination of our most critical assets since they are taking place in those business processes, which means we have an two-sided approach here. We come from the right side for the risk analysis in a general more IT focused way.

So we know our risks, we know our vulnerabilities and the impact as an it and then we come from the business side, we have our business processes and then we need to combine them and then we really see our impact here where we can say okay, we have those assets which take place in our most critical processes and therefore we need to or we should focus at least on them and not just like random efforts which lie around and are in some asset inventory. So the most critical questions which need to be be asked are which IT systems, cost. Cost.

So in the end we need to apply, we need to elevate our business with our IT and therefore we need to reduce costs on our IT side and it's fairly easy to say, okay, just having random IT standing in our basement which is not really used anymore, could have been maybe decommissioned already bearing maybe some high risk on them since they are not Updated anymore and therefore we really need to check on them which assets do we need and which apply to the most critical processes.

As I said, which systems are critical, which IT systems are critical and as well, which I business processes are critical and in combination we can really figure out which processes and which IT systems are critical for us. And usually you go from the business side, right? Which does give give me value for my company, where is my revenue stream and which IT systems are critical for those revenue streams. And then maybe we can check which business processes need more support.

So can I enable processes through my, my assets through other software which might bring in other risk as well or can I exchange software to reduce my risk? So those are questions which which really need to taken into account here.

So, so we want really to optimize our measures and our visibility to support business here In the end we start from maybe scratch or we have a baseline already sentence but set. But we really need to think about, okay, just because I said once my risk for an effort, does it really say that we saw a pandemic occurs, doesn't need to be a pandemic?

No, it can be some new threat factors come into place, right? They are developing their cyber techs, new malware will be on the market. So our risks or might differ from time to time. So we really need to take into account, okay our asset inventory, what assets do we have and then we have to update them regularly on regular biases. If the risk stays the same, maybe it will be reduced since there was some patches and security issues were fixed or new malware is on the market and therefore the risk score goes up.

Maybe there are new regulations, GDPR for example, and penalties on them are quite substantial for us. Wasn't two years ago maybe, but today it is and therefore we really should focus on it. Same thing is maybe the risk appetite of our company changes before we were quite slack on on the risk appetite to call it that way. So we really didn't care too much about our risk. We said okay, our revenue stream is quite good, GDPR doesn't account for us so let's go with it. That's okay. Now we have GDPR and maybe our business isn't working that fine anymore.

We need to really to cover them up and we want to save money here and therefore we check on it and the risk appetite lowers and therefore we need to take measures to reduce risks on some assets. But in the end, asset classification or business process even identification is everything fine and good and it's very helpful to determine where I am and which risk applied to my assets and my critical business processes.

But as we already know the gap between business and it was already quite substantial through the communication between those two we're lacking in some sorts and therefore we have reporting that really can report those issues either to the business or from the business to it and also from asset owners for example to management.

So in the end management does that's really decide on maybe what is our risk strategy, what is overall overall strategy and therefore really need to promote our transparency on our assets Because if the management doesn't know what we have and what our risk is, they cannot really decide. Also, they cannot help us if we say okay, we have this risk, we know this risk but we need help. We don't have the money, we don't have the people to to to take take measures into account. We really need help from the management and we need to have somebody who says yes we do.

Usually they talk money as I already said. And it's easy for them to say, okay, why should I fix this database? I don't know what this database does for me and I don't know what the real risk behind it is for me. But if you state them, okay, you burn potential risk of $10 million for example, and the fix for it would be 10,000 or 1 million.

Then they really understand it and they say okay, it costs me maybe to some degree of a percentage in likelihood 10,000 or a hundred thousand or 10 million but the costs are quite lower and therefore you really can can promote such changes to your system and to get money from the management to apply those measures for them. So it's also providing help for the management to decide but also get help from the management to get money or resources to apply those changes.

For this we really need to showcase the right information to them to mitigate difficulties as well as adjust to changes as we spoke before, if there are like changes in the regular regulation, we might have to have changes in it as well as sponsoring improvement. Maybe we have a business process which is working fine, the risk is okay, but we could be more efficient and that's also part of the reporting to say okay, the risk is okay, but we can have this and that solution for it to really reduce risk, save money and be more efficient.

So we don't go in in a management presentation with a showcase of a blurry gray box which shows kind of nothing but just some information which is well not really understandable to really promote something clear and structured to give them overview. Okay, this is something I do understand, this is something everybody understands and everybody recognizes it and really can work with those information. For this we need to establish an efficient but very trans but also very transparent reporting structure. So we really want to define our scope and our objectives and our reporting.

So it's not only our risk which we are reporting, it's also like translating our risk into a value which everybody understands and we really want to also translate it into a coverage of our of our business. So saying, okay, we have this and that asset and this is our risk, but we just know 70% of our efforts doesn't really help. We really need to have a holistic view on it. What we really want to avoid is our pitch work solutions for our reporting.

Who doesn't know those five different kinds of reportings which we get, we are getting, the first one is a PowerPoint, the second one is an Excel and maybe we get a PDF or a Word document. Everything looks different. Some are text form, others are maybe graphs, maybe pictures, they're speaking of numbers or different stuff which can be understood for those who wrote them but not necessarily from from somebody who just gets the report and wants to inform himself.

We really want to enhance the consistency of those reports and really want to give a structure and on a more up and up to date level of information. So as we know what does this help us six months ago to know if we spent 100,000, $1 million we could have avoided the cyber attack which occurred two weeks ago. Doesn't help us if you know and if you have the most recent information, we really can work with those information and therefore our reporting needs needs to be more and more up to date. And why should we shift to a risk based based approach here?

Well, as I said before in it we really want, we really can translate our assets in some kind of risk, right? We can say what are the threats, what is the likelihood? And maybe we also check in the wild which threat vectors were exploited in in the market and therefore we can calculate some kind of likelihood which also applies to our company even though we didn't have this, but really can take it into account. It's not to exclude it and to save us and to exclude crisis from our company, but we can plan with it.

And utilizing a shift risk based approach here is really to, to have a risk which we might can translate into monetary value to say okay, we have this risk on those assets and this risk we can translate it. For example, in gdpr, if this risk occurs or the threat occurs to our company, it costs us $10 million but the measures will cost less. Therefore we can spend the gap between the IT as and and the business to say we have the risk which translate into money and money is understood by the business and the risk is understood by the it.

So we have really to spend the gap between those, those two parties in the end to to get a concrete structure of of reporting which which is understood of both parties here. So what we really want to do here, first of all, we have to define our risks. We need to know what is, what are our risks? What do we, we need to know about them and how can we imply them to our business?

Of course we need to test them, we need to secure them, we take measures for them and we check if those measures are taking place and if the effects of those measures are really those effects, we like to have same thing accounts for the risk value which we are giving those efforts. We need to test them. Do they occur after two or three weeks? Maybe? Yes. After three months, maybe after one year, probably not. We need to prioritize them. So most important is to keep our business alive, to keep the revenue grow going and therefore we need to have our business processes going.

Therefore we have our business processes, applied assets and those we have the risks for. We need to have good practices like cyber hygiene.

So as, as I stated already, a lot of assets which are not used, not patched bear a lot of risk. We need to get rid of them or at least update them on a continuous basis. We need to know Who are our participants who really consumes in the end our reports. So We need to know is it the business, is it the management, is it the it, should it be understood by everybody Most likely, yes. And then we really need to know who we do we need to take into account to. So is it just our business or also our supply for example, There are a lot of metrics which we can apply risk based reporting on.

It's not only our business assets, it's also supply assets if you take it exclusively for our business if you want to. And then we have a clear brief and structured communication, as I said, a standard way of communicating everything that everybody can understand. It doesn't matter if you introduce it to the slide or to the metric or to the report itself. If you can give this report to everybody in the company and she picks it up and understands what is on that, it really helps to elevate each and every task.

Therefore we need to have a proper communication and therefore reporting is one important thing if it's done properly. Okay, The key points here, which I want to give you in the end is we really want to enable everyone to understand the matter. It doesn't matter which topic it is. In the end, everybody should look at our report and say, okay, I do know what you want to say. I do understand the topic and I do know what you want to tell me and I can help you or I cannot help you or at least I can forward you to somebody who can help you.

First point of it is providing an overview of the company's risk and suggested solutions. So don't just provide risks or problems in your report. It doesn't have anybody to to have just the problem. You are the subject matter expert. So in the end you should have a solution by hand. If you don't, you need to look for help of course. But in the end, the reporting really is there to have somebody take a decision on it. Utilize risk matrix to visualize and enable easy understanding and format. As we said before in the matrix, it's easy to calculate with it a risk score in a UniFi formed way.

So if you apply every time the same logic behind the risk, it's easy to compare each and every risk together and not just say, Well I think it's a very important metric and therefore the risk is very high. Or I say, well my boss doesn't like to have a lot of risks so I just downgrade it because I can. So utilizing the risk matrix gives us a uniform way to, to promote those risks and keep them comparable. Report on a standard procedures for uniform holistic risk assessment of your assets and create a common understanding and acceptance of your risk appetite.

It's very important that everybody has the same understanding of your risk appetite and to know which risk are you willing to take and which not. It really matters in terms of resource spending on measures on different risks. Know and highlight your critical processes and involves the business to set the actual risk. Utilize one reporting form so the information will displayed in unique and recurring format.

Everybody knows the same report format, knows where to find what and it's easy to understand if you are watching or looking at the same report over, over again, get the information and the place which you expect them to be. Thank you very much. Thanks Kai. And judging by one of the reactions in the audience here today, it sounds like it's all too common that the common or the the favorite way of managing risk is just to downgrade it.

I think there's no risk to to worry about, We don't have any online questions at the minute just to remind our online audience that you can put questions through the platform. Do we have any questions in the room?

Yes, Please. So I work for a large enterprise, very large enterprise and one of the things we have a problem with the business, we're great at identifying what the impact is going to be because the regulators have told us a lot of times what the impact is gonna be. Yeah. But what our real issue is, is coming up with the likelihood because everyone seems to think things are much more likely to happen than they actually are. So what you wind up with is everything is high, so therefore nothing is high and you can't prioritize.

Is there, I'm, I'm, I'm trying to find a methodology or something where we can apply this enterprise wide because yeah, I'm more likely to get hit by a bus going to the office in the morning than 90% of 95% of these cyber attacks happening. So yeah, Well likelihood is some kind of mysterious way to said, right? As you said, there are ways to, for example, use the market and check which exploit have been taking place there and compare for example, same businesses with you and how they are like exploited. But then you have really to dig into the details. Are they really comparable to me?

Just because if I'm a bank doesn't mean the other bank is like me because maybe the structure is a little bit different. They, they use other assets. So a lot of details taking into place and in the end, yeah, the likelihood is if I report I'm, I'm free, right? Because I reported there's a risk, I say it's very likely that it might occur. And then even the statement is it's very likely it might occur, it feels wrong because likely admire, it's like I'm happy to be sad.

And so it feels very, very hard to give you a blueprint to set the likelihood which we, which we were like seeing a lot as like comparison in the market and try to, to have a big enough data sample to really dig into the likelihood of a general threat on, on the specific asset. So if it's database, you can look at the market not on your asset company comparison, more like an asset comparison. So you use this database and somebody else uses the same database, hundreds of under are using the same database as well and they had the likelihood to be exploited at 2% for example.

Then you have to market at least, and then you can combine those things with, for example, statistics about exploits for banks or financial sector or industry or whatsoever. And then you really get a complicated construct of calculating your likelihood and it really comes to just Back, It's, it's not like guessing since you have like the metrics from from the market, right? But in the end you really need to have a good gut feeling about how likely it is and therefore you have to have the experts of course who are using and utilizing the likelihood.

But yeah, Sorry, in the interest of time, I'm afraid we're gonna have to move on there because gee, I'm really sorry, but I mean Guys from the German government, you cut Dims the breaks. It's, I'm, I'm happy to cut later. But yeah, so please grab, grab Kai in the breaks, he'll be here and that'll be great. Thanks. So thanks so much Ky.