AUSTIN -- Don Freese said infosec professionals lead with fear and emotion too often when discussing security issues, when they should be speaking a language that C-level executives and board members understand: risk.
Freese, deputy assistant director of the FBI and former head of the bureau's National Cyber Investigative Joint Task Force (NCIJTF), spoke Monday morning at the (ISC)2 Security Congress about the importance of cyber-risk management and how the lack of proper practices is hurting enterprise security postures.
"When we start to use emotion and fear to drive the conversation – and often times it's said in the security game that our worst problem is people – we're failing in that fundamental message," Freese said during a keynote discussion with Brandon Dunlap, senior manager of security, risk and compliance at Amazon.
Trying to spur executives into action through fear isn't effective, Freese said. Instead, security professionals need to identify and measure the various risks to an organization and determine which ones are most pressing and need a portion of the organization's limited resources in order to be mitigated. "That's the way we connect with the business world," he said. "We want to talk about increasing the rigor in how we manage risk."
Good cyber-risk management starts, Freese said, with enterprise security teams distinguishing between a risk and a threat. However, Freese said that "regrettably, …often times we conflate the two [risks and threats]," which leads to every conceivable risk being viewed as an impending threat.
"That's simply not a good way to communicate what we're trying to do. It's not giving us traction in the world about how we prioritize our resources against those particular threats," Freese said, adding that it confuses the message. "We're crying wolf."
Instead, security teams must delineate between what cyber threats are possible (pretty much everything, he said) and what's probable (a much smaller and more manageable pool) while analyzing the intent and capability of the potential threat actor, the frequency of the threat and the potential impact of a successful attack.
"If we can start the conversation with not only probability but describe the frequency and the magnitude of the impacts based on the intent and capability, then we start to set up a much more understandable paradigm," Freese said. "And let me pause and say it's difficult to do, and that's why we're not doing it yet."
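As an added illustration of the decomposition Freese describes, and not code from the talk, the FBI or (ISC)2, the following Python ranks a constructed set of threat scenarios by expected annual loss, deriving the rate of successful events from attempt frequency, actor intent and capability, and separating what is merely "possible" from what is "probable". The scenario figures, the scoring formula and the probability threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    attempts_per_year: float  # frequency: how often this kind of attack is attempted at all
    intent: float             # 0..1: how motivated the actor is to target this organisation
    capability: float         # 0..1: chance an attempt succeeds against current controls
    loss_per_event: float     # magnitude: estimated loss from one successful event (currency)

    def successful_events_per_year(self) -> float:
        # Assumed model: intent scales how many generic attempts are actually aimed at us,
        # capability is the per-attempt probability of success.
        return self.attempts_per_year * self.intent * self.capability

    def annualised_loss(self) -> float:
        # Expected loss per year = rate of successful events x magnitude of each.
        return self.successful_events_per_year() * self.loss_per_event


def classify(scenario: ThreatScenario, probable_threshold: float = 0.1) -> str:
    """'possible' covers everything; 'probable' is the smaller pool worth budget.
    Assumed threshold: at least one successful event expected per ten years."""
    return "probable" if scenario.successful_events_per_year() >= probable_threshold else "possible"


def prioritise(scenarios):
    """Rank scenarios by annualised loss, highest first, so limited resources go to the top."""
    return sorted(scenarios, key=lambda s: s.annualised_loss(), reverse=True)


def risk_register(scenarios):
    """Board-readable view: name, possible/probable, expected annual loss."""
    return [(s.name, classify(s), round(s.annualised_loss(), 2)) for s in prioritise(scenarios)]


# Constructed sample scenarios (illustrative numbers only, not real telemetry).
SAMPLE = [
    ThreatScenario("Phishing leading to credential theft", 200, 0.9, 0.05, 50_000),
    ThreatScenario("Ransomware via exposed remote access", 12, 0.6, 0.3, 2_000_000),
    ThreatScenario("Nation-state zero-day in core router", 1, 0.05, 0.9, 8_000_000),
    ThreatScenario("Insider data exfiltration", 2, 0.2, 0.5, 800_000),
]

if __name__ == "__main__":
    for name, bucket, loss in risk_register(SAMPLE):
        print(f"{bucket:9s} {loss:>14,.2f}  {name}")
```

Note that the headline-grabbing nation-state scenario lands in the "possible" bucket with a lower expected loss than routine phishing, which is the prioritisation argument the keynote makes.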
Cybersecurity insurance: not the answer, yet
Dunlap asked Freese about the growth of the cybersecurity insurance market and if it could help organizations with cyber-risk management. "Cyber insurance hasn't really settled in as a real robust mechanism yet. It's still mostly business insurance, but that's because we don't measure the risks very well," Freese said.
However, Freese said insurance actuaries are working on the issue, and there is potential for collaboration between the two fields. "There are several different actuarial groups that are looking at cyber risk to measure that in a way that's quantifiable for pure insurance purposes," he said.
Still, he said organizations must at least start moving toward a defined cyber-risk management plan. Freese said in his role at the FBI, he's worked with companies across the globe on addressing cybersecurity issues and threats, and he stressed that the companies that are successful and don't find themselves in a data breach headline all had one thing in common.
"They're managing risk in a very measurable, very incremental and consistent type of way," he said. "They know what's going on in their networks and they know what type of data they have."