My employer, HALOCK Security Labs, just gave away our highly valuable intellectual property. For years, we have been developing and improving a method for assessing cyber risk that acts as a universal translator for executives, regulators, judges, attorneys, and subject matter experts. The method, "Duty of Care Risk Analysis," has been very advantageous to us as we described our services to our clients. None of our peers -- our competitors -- do risk analysis the way we do. So, once we described the benefits of our method, most organizations selected us over others.
This intellectual property not only helped us distinguish ourselves; it also meant that we were able to select our clients. We found ourselves doing business with organizations that wanted to be better at cyber security, not just check a compliance box. These clients wanted to address both regulations AND security. They wanted executives to see that business interests and the interests of the public were in balance when budget line items and priorities were requested.
Our pitch was hard to ignore.
For our clients who were trying to get executive buy-in for security programs, their risk assessments created a balanced approach to investing in security that would not be overly burdensome to the bottom line or to strategic plans. For clients who had suffered a breach and attracted undesirable regulatory attention, our risk analysis helped them draw their own line for "reasonable" security, and regulators have understood and agreed to those lines. We helped our attorney clients develop lines of inquiry in post-breach lawsuits; we provided non-technical advice about risk management that the judges included in their decisions.
When you are the only security consultancy that has this "duty of care" formula, you're in an enviable position.
But we gave away this advantage.
The reason we gave away this advantage is rooted in a lawsuit in which a hacked company was being sued by our client. The defendant explained to the judge that they had known about the vulnerabilities the hackers used to steal millions of records. However, the vulnerabilities were left unaddressed because securing them could have blocked essential business communications.
When the judge asked for my opinion on the matter I didn't give a technical explanation. I just described the "multi-factor balancing test" that judges use to determine whether due care was applied. I informed him that cyber security practitioners are supposed to use the same analysis, but that we just call it a "risk assessment." The defendant had not performed a risk assessment to make their decision about leaving the vulnerability open, so they didn't in fact know whether they were being negligent or applying due care.
When I looked at the defendant's face, she looked as if she had been beaten down. While I had done the right thing for my client, I thought about what the defendants' lives must have been like over the past many months: being the victims of sophisticated hackers, suffering public humiliation, sleepless weeks, countless harangues, and self-doubt. Now they were being attacked again, but this time by one of their own: an information security practitioner.
HALOCK represented our client's interests well that day, but we did not do the honest-to-goodness victim any favors. They were negligent, for sure, but nobody had explained to them what risk assessments are supposed to be, or how to avoid negligence. HALOCK is in the business of protecting organizations, not punishing victims.
We decided we were going to show everyone how to analyze risk to protect their systems and information and to reduce their liabilities.
We are giving away this intellectual property. To do that, we needed to provide every detail of our method and, most importantly, we needed the right partner. Duty of Care Risk Analysis is a process for evaluating risk in a way that is very similar to what we have seen in the profession. But if a few extra steps are carefully taken, the analysis can become a sort of universal translator between the many professions that have something at stake with cyber risk. If practitioners don't follow these steps carefully, they could end up with a meaningless list of problems with unsuitable solutions. As a result, we wrote every detail down and illustrated step-by-step instructions that anyone could follow.
As for finding a partner to market and distribute the method -- without charge -- that was the easy part. CIS (Center for Internet Security) had already been freely providing the CIS Controls (sometimes called the "SANS Top Twenty" or the "Critical Security Controls"). And their roots were in supporting the cyber security community with hardening benchmarks for network equipment, servers, and applications.
CIS' mission is service to the public. Their leaders (both staff and volunteers) have spent their careers in service. The CIS Controls themselves were developed much like Duty of Care Risk Analysis. They were formed as a collaboration among professionals who saw that some security methods worked better than others and slowly built in improvements one version at a time. Once they were tested, tried, and true, the CIS Controls were released to the public. This was the trajectory we wanted for our risk assessment method.
As CIS was preparing Version 7 in 2017, HALOCK and CIS agreed to join forces, created CIS' version of the Duty of Care Risk Analysis method, and named it "CIS RAM." After exhaustive work and carefully developed instructions, templates, and descriptions, CIS RAM is set for launch on April 30, 2018 -- free of charge and available to the public for their use.
Our peers and clients are more than a little surprised at our move. When you have an advantage this strong, why let it go? Going back to the word "service," HALOCK sees its role as helping secure organizations, ultimately to protect the public by using our specialized skills. We know that managing risk and security is the most constant challenge in preventing the bad actors from succeeding at their efforts. If we can give organizations the most effective tools we have for managing risk, and in a way that regulators and judges understand, then we've done something good.
What is CIS RAM and DoCRA?
To see what CIS RAM is, and to understand the principles that make Duty of Care Risk Analysis work, sign up for the CIS RAM launch webinar taking place on April 30. You can download CIS RAM and its resource documents now.
If you are with a standards body that is still not addressing what regulators and judges call "reasonable" safeguards or "due care," then view the DoCRA Standard at DoCRA.org and reach out to the Board of Directors. It may be time to incorporate the method into your standards so your constituency can address both compliance and security.