Smarter thinking on cyber-security risks
Two weeks ago, I attended a cyber-attack simulation exercise presented by PwC, which has turned to ‘gamification’ in its consulting practice to help clients better understand what they would be dealing with if targeted for a cyber-attack. Craig Stronberg, a director with PwC who helped create the simulation – called Game of Threats – using his experience in national security affairs at the Pentagon and Defense Department, described the exercise as a ‘union of gamification and game theory’.
The premise is simple: over 12 rounds lasting 60 seconds each, executives must make critical decisions to defend against a staged cyber-attack in real time, using a limited budget either to invest in new intelligence or cyber-security capabilities or to take action to stop the attack. Then the same executives play a second game, taking on the role of the threat actor, which usually teaches them much more about the kinds of risks their companies are vulnerable to. And, true to life in cases where attacks are launched by nation-states, the threat actor starts the game with double the financial resources the company has.
‘We want companies to strategize about how much they’re willing to spend to combat attacks,’ Stronberg explained.
Another point the game tries to make is that despite the ‘35 percent of total IT spending [going toward] cyber-security, companies have a hard time taking that intelligence and turning it into action,’ said David Burg, PwC’s global and US cyber-security leader.
So far, PwC has trained key executives at roughly 30 companies in the game. Participants ‘have come to realize in the course of a game some critical gap [in their cyber-security infrastructure] and have left the room talking about it because they all saw it at the same time,’ Stronberg said.
In January the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a paper written by Deloitte, entitled ‘COSO in the cyber-age’, that reinforces some of the points PwC hopes to drive home. Most publicly traded companies are now transitioning to COSO’s revised framework for evaluating and improving their internal controls to protect themselves from a range of threats, including cyber-attacks.
For example, the COSO paper points out that investment in cyber-security begins with the risk assessment process itself. Apparently, that’s often overlooked by companies that are focused on the results of the risk assessment to inform how they allocate resources toward control activities that prevent, detect and manage cyber-risk. ‘An organization has finite resources and its decisions to invest in control activities must be made upon relevant, quality information that prioritizes funding to the information systems that are most critical to the entity,’ COSO says.
During PwC’s simulation exercise, Burg stressed the importance of guiding cyber-security investment decisions with knowledge of what the company’s strategic priorities are and which assets are most critical to those priorities. ‘What’s happening in cyber is to link what’s happening technically with what management is doing strategically,’ he said. ‘Really sophisticated companies are doing this. Most aren’t.’
COSO says, ‘Many organizations do not spend enough time gaining an understanding of what information systems are truly critical to the organization; they also may have difficulty understanding where and how the information is stored. This can lead to attempts to protect everything, which leads to overprotecting certain information systems and underprotecting others.’
The idea of using gamification to put executives inside the heads of hackers to better understand how they operate (and the tools they deploy) is also in sync with COSO’s advice. ‘Through careful evaluation of the motives and likely attack methods and the techniques, tools and processes the attackers may use, the organization can better anticipate what might occur and be in a position to design controls that are highly effective in minimizing the disruption of potential cyber-attacks and keeping highly valued assets secure,’ COSO says.
With 43 percent of respondents in PwC’s latest CEO survey saying they’re more worried about cyber-security than economic or other risks, and yet still planning to do more technology-enabled business, maybe it’s time for companies to consider a quicker transition to COSO’s new framework.