What is the single greatest threat that your organization faces? SolarWinds-style attacks? APTs? The answer is not what many initially think and the reason is primarily based on the sensitive nature of the answer. Based on years of observations that span multiple industries, it is clear the single greatest threat that many organizations face is the dysfunction of their own management team. This is not meant to be cynical or comical, but to point out the nature of a legitimate cybersecurity and data protection threat that is often manifested by the inability of weak, ineffective and/or incompetent management to (1) make a risk-based decision and (2) support that decision. I am joined by Ryan Bonner from DefCERT to shed light on this understanding of threats, how that impacts an organization’s security/compliance efforts and what can be done to remedy the situation.
This bold statement about an organization’s management team being its greatest threat may sound harsh, but it is a defendable position when you assess what natural and manmade threats are and how that relates to risks:
In practical terms, weak, ineffective and/or incompetent management practices are a manmade threat that exposes an organization to significant risk (see further down this article for a listing of these risks). The reason for this is risks and threats are directly tied to controls, so if management inaction or interference leads to (1) an absence of a required control or (2) a control deficiency, this means that the control execution has been negatively affected and this exposes the organization to those risks associated with the specific control deficiency.
Unlike an Advanced Persistent Threat (APT) from China, Russia or Iran, an organization’s internal management dysfunction is a “persistent threat” that should not be overlooked as part of a threat assessment process.
What Is Driving The Need For Risk Management?
Recent, high-profile hacking incidents have led to more regulatory pressure at the state, federal and international level for maintaining secure practices from both a cybersecurity and data protection (privacy) perspective. This has directly led to greater scrutiny of organizational practices from partners and clients. No one can manage risk if the concept of risk management is ethereal and ever-changing, so it is the role of the leadership team to:
- Formalize a viable risk management program;
- Clearly define risk that is specific to the organization;
- Identify the risk management roles and assign individuals with responsibilities for their role in managing risk; and
- Apply those accepted risk management principles uniformly across the organization and its supply chain.
This concept of “management threat” has evolved from affecting individual organizations to an entire industry. Starting 1 January 2018, the Defense Industrial Base (DIB) was obligated to protect Controlled Unclassified Information (CUI) according to National Institute of Standards and Technology (NIST) SP 800-171. Due to the abysmal adoption of secure practices by the DIB to protect CUI, the US Department of Defense (DoD) was obligated to invent the Cybersecurity Maturity Model Certification (CMMC) to implement an independent, third-party assessment program. Fundamentally, CMMC is directly the result of management failure within the DIB to adopt secure practices and implement contractual obligations to protect its client’s data.
Risk Blindness & Personal Bias
In the government contracting space, management often suffers from a kind of “risk blindness” stemming from the way risk is communicated in the supply chain. For decades, unclassified information was poorly categorized, marked and managed, while classified information was treated with reverence and highly-structured processes. With the US government’s focus on protecting regulated data (e.g., CUI) without clear definitions, this has created a scenario where contractors often lack the background information needed to understand and prioritize risk. Without a clear understanding of what needs protecting, managers within the DIB are often left with “gut feel” determinations (unfounded, qualitative risk analysis) and their own personal experience (subject to bias) to manage risk.
Cognitive bias worsens the myopia associated with risk management by allowing management to drift towards mental structures that have adequately served their organization and its operations up to this point. This can include personal leanings such as:
- Survival bias (“ransomware hasn’t killed us yet, and so it never will”);
- Availability bias (“during my years as a network admin, I learned that the only thing truly stopping attackers is a well-tuned firewall”); or
- The Dunning-Kruger Effect (“Building a response team can’t be that hard. It’s basically just picking up the phone when something happens!”).
These kinds of bias further ingrain emotionally-driven, qualitative analysis into the risk equation, meaning that risk is “downplayed” instead of evaluated and mitigated based on objective management practices.
False Sense of Risk Management
There is clearly a fiduciary aspect to leadership and management roles, where decisions must be in the best interest of the organization, rather than in the decision-makers' own interest. An example of this is a case where a “leadership team” consisting of a Chief Information Security Officer (CISO), Chief Information Officer (CIO) and Chief Financial Officer (CFO) refused to provide quantifiable criteria (e.g., risk thresholds) that are needed to assess risk as part of a formal risk management program. These quantifiable thresholds exist to help categorize an incident as low, moderate, high, severe or catastrophic so that the appropriate level of management would be involved in the assessment of and approval of risk management decisions. Management refused to take a stand and define thresholds, when directly asked for authoritative guidance that only their roles could provide. This management inaction directly made the organization’s risk management practices nebulous and unquantifiable. The result is a “paper tiger” risk management program that appears impressive, but is ineffectual and not capable of being operationalized.
In situations like the one described above, where the overall approach to risk management is poorly defined, it creates an impediment to legitimate risk management practices, including the traditional 3 Lines of Defense (3LOD) model. 3LOD becomes useless and will create a false sense of risk management, since it incorrectly assumes a viable risk management program exists that clearly defines risk, who can manage it and what options exist for risk management. For those not familiar with the 3LOD model:
- First line of defense (1LOD) – This function is provided by front line staff and operational management. This is where operational risk decisions are designed to be made.
- Second line of defense (2LOD) – This function is provided by Governance, Risk Management and Compliance (GRC) functions. This is where oversight and advice exist to support 1LOD in identifying, managing and monitoring risks.
- Third line of defense (3LOD) – This function is provided by an Internal Audit (IA) function. This function provides a level of independent assurance that the risk management and internal control framework is working as designed.
The traditional 3LOD model misses the need for “0LOD” or the genesis of the organization’s risk management program where the leadership team explicitly establishes and enforces the criteria needed to identify, manage and monitor risks. 1LOD, 2LOD and 3LOD are all negatively impacted by unclear risk management guidance from an organization’s leadership team.
Examples of Management Dysfunction
Fear is a common denominator for these observed management failures within risk management:
- Failing to support an established policy, standard or previous decision by wanting to avoid conflict among the organization’s lines of business (e.g., violate risk management principles for political reasons);
- A desire to “save face” by sticking with a false narrative of the cybersecurity program, since they may be viewed as lying or being incompetent for previous positions;
- Fear of having to ask senior management for money to properly support the program;
- Failing to appropriately understand the situation by not asking questions to avoid “looking dumb” to peers, subordinates or senior leaders; and/or
- Exhibiting an inability to make a decision, by either hoping the situation goes away or that someone else will make the decision.
Risks Associated With Weak, Ineffective and/or Incompetent Management
When you look at the possible risks from the threat associated with weak, ineffective and/or incompetent management, it clearly illustrates this as a significant threat (courtesy of the SCF’s Security & Privacy Risk Management Model (SP-RMM)):
- Inability to maintain individual accountability - a failure to maintain asset ownership and it is not possible to have non-repudiation of actions or inactions.
- Improper assignment of privileged functions - a failure to implement least privileges.
- Privilege escalation - access to privileged functions is inadequate or cannot be controlled.
- Unauthorized access - access is granted to unauthorized individuals, groups or services.
- Lost, damaged or stolen asset(s) - asset(s) is/are lost, damaged or stolen.
- Loss of integrity through unauthorized changes - unauthorized changes corrupt the integrity of the system / application / service.
- Business interruption - increased latency or a service outage that negatively impacts business operations.
- Data loss / corruption - a failure to maintain the confidentiality of the data (compromise) or data is corrupted (loss).
- Reduction in productivity - user productivity is negatively affected by the incident.
- Information loss / corruption or system compromise due to technical attack - malware, phishing, hacking or other technical attack compromises data, systems, applications or services.
- Information loss / corruption or system compromise due to non-technical attack - social engineering, sabotage or other non-technical attack compromises data, systems, applications or services.
- Loss of revenue - a financial loss occurs from either a loss of clients or an inability to generate future revenue.
- Cancelled contract - a contract is cancelled due to a violation of a contract clause.
- Diminished competitive advantage - competitive advantage of the organization is jeopardized.
- Diminished reputation - negative publicity tarnishes the organization's reputation.
- Fines and judgements - legal and/or financial damages result from statutory / regulatory / contractual non-compliance.
- Unmitigated vulnerabilities - unmitigated technical vulnerabilities exist without compensating controls or other mitigation actions.
- System compromise - system / application / service is compromised, affecting its confidentiality, integrity, availability and/or safety.
- Inability to support business processes - implemented security / privacy practices are insufficient to support the organization's secure technologies & processes requirements.
- Incorrect controls scoping - there is incorrect or inadequate controls scoping, which leads to a potential gap or lapse in security / privacy controls coverage.
- Lack of roles & responsibilities - documented security / privacy roles & responsibilities do not exist or are inadequate.
- Inadequate internal practices - internal practices do not exist or are inadequate. Procedures fail to meet "reasonable practices" expected by industry standards.
- Inadequate third-party practices - third-party practices do not exist or are inadequate. Procedures fail to meet "reasonable practices" expected by industry standards.
- Lack of oversight of internal controls - there is a lack of due diligence / due care in overseeing the organization's internal security / privacy controls.
- Lack of oversight of third-party controls - there is a lack of due diligence / due care in overseeing security / privacy controls operated by third-party service providers.
- Illegal content or abusive action - there is abusive content / harmful speech / threats of violence / illegal content that negatively affect business operations.
- Inability to investigate / prosecute incidents - response actions either corrupt evidence or impede the ability to prosecute incidents.
- Improper response to incidents - response actions fail to act appropriately in a timely manner to properly address the incident.
- Ineffective remediation actions - no oversight to ensure remediation actions are correct and/or effective.
- Expense associated with managing a loss event - financial repercussions from responding to an incident or loss.
- Inability to maintain situational awareness - an inability to detect incidents.
- Lack of a security-minded workforce - the workforce lacks user-level understanding about security & privacy principles.
What Can Be Done To Address This Threat?
Organizations need to take the concept of management being a potential threat seriously by:
- Developing and publishing a risk management program with authoritative guidance on risk management activities;
- Distributing risk management activities across the 3LOD model for risk management to insulate risk decisions against personal bias;
- Providing training for those in management roles to adequately support the organization’s risk management program; and
- Conducting 360 peer reviews specific to risk management practices.
For organizations, it may mean removing unfit individuals from management roles by transferring them to a new role or terminating their employment, since that individual is a liability to the organization.
Employees and contractors need to understand their responsibilities and options:
- Reduce “technical jargon” and provide solutions in a business context that non-technical people can understand; and
- Work with your leadership team to “manage up” by anticipating needs and providing solutions to manage risk.
As an employee, if those legitimate efforts fail to work, the organization may be a lost cause and it is time to self-terminate your employment to find work at an organization that both appreciates your skill set and takes risk management seriously.
About The Authors
If you have any questions about this, please feel free to reach out.
Tom Cornelius is the Senior Partner at ComplianceForge, an industry leader in cybersecurity and privacy documentation. He is also the founder of the Secure Controls Framework (SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements.
Ryan Bonner is the CEO of DefCERT, a firm providing DFARS, NIST, and CMMC consulting services for government contractors. In addition to private consulting engagements, DefCERT works extensively with NIST Manufacturing Extension Partnership programs, economic development organizations, and managed IT service providers.