The 2008 financial crisis, Log4j predicament, SolarWinds compromises and the global COVID-19 pandemic all have something in common. Besides being newsworthy and destructive across many different environments, they are classic examples of systemic shocks with global consequences.
Think of systemic risk as the single flame that starts a wildfire. A report from the Carnegie Endowment for International Peace and the Aspen Institute defines systemic risk as “the possibility that a single event or development might trigger widespread failures and negative effects spanning multiple organizations, sectors or nations.” In short, one point of failure can have a far-reaching and devastating ripple effect.
To better understand systemic risk and its potential implications for chief information security officers (CISOs) navigating today’s threat landscape, we turned to Lucia Milică, Proofpoint’s Global Resident CISO, for insight. In a recent Q&A, she discusses systemic risk management, its definition, and more.
Q: What is systemic risk?
I love that question because we do not have a consistent definition. The recent report from the Carnegie Endowment for International Peace and the Aspen Institute offers one. However, I do believe that systemic risk is a lot broader than that definition.
Digital Directors Network defines it a bit more broadly, and I tend to agree with that version—that systemic risk is essentially inherent risk within any complex system. Thinking about the complexity of our digital business systems today, and then the overall mesh of software-as-a-service (SaaS) data, risk can come in from any single point. And each one of those points can have a major failure that will have ripple effects—not only on one organization, but multiple organizations.
Q: What are the implications for companies, or maybe cybersecurity in general, in terms of how we have traditionally addressed risk versus the realization that risk is really baked into a lot of things? Also, are there other types of risks built into the broader business infrastructure, not necessarily technology infrastructure?
Absolutely. People as a systemic risk is one example. I think that’s very relevant to every single company across the globe. Another example is supply chain—third-, fourth- and fifth-party supply chain, and our reliance on additional vendors, partners and others.
Thinking more broadly, as we have all continued the digital transformation journey and moved a lot of internal infrastructure to the cloud, the reliance on various different SaaS providers at the backbone of much of that cloud infrastructure is another perfect example of systemic risk.
So, pick your favorite SaaS provider. If something happens to them—they have an intrusion or a system goes down—that can affect all or a subset of all the customers that heavily rely on the platform as a back end. It’s just another example of how systemic risk can be viewed.
Systemic risk is a newer type of risk that’s surfacing, and it’s really born out of the growing complexity of the mesh digital systems we rely on heavily. So, there’s still a lot of room for us, as an industry, to start wrapping our heads around systemic risk management and truly understanding the inherent risk.
I will say a big part of it is focusing on security and privacy by design and, by default, in everything we build. This is something we are all focusing on. We’ve been talking a lot about DevSecOps. But looking at it holistically, is it something that we all need to start doing as we continue to grow these complex systems that we’re so reliant on?
Q: Is there a formal way to plan for and measure systemic risk, or are CISOs just figuring it out?
There are some thought leadership pieces out there. Also, the Digital Directors Network has published a framework around understanding and measuring systemic risk. This is the only framework that I’ve seen for understanding what your systemic risks are within your organization.
As I said, many security leaders are still trying to wrap their heads around the idea of systemic risk. What does it mean for me, especially in a world where we still have foundational cybersecurity challenges that we need to address? Overall, you must be able to address a lot of those foundational issues before you can start thinking strategically and holistically about risk, in my opinion.
But again, I highly recommend looking at the framework from the Digital Directors Network as a starting point for measuring systemic risk in the organization.
Q: How often should systemic risk be brought up to the board?
This is a big topic that should be discussed at the board level. Actually, back in 2020, Delaware Supreme Court Chief Justice Collins J. Seitz, Jr. said, in the context of corporate governance, that boards must be able to demonstrate proactively that they’re thinking about systemic risk management.
So, it’s focusing on systemic risk but also really understanding the inherent risk within the organization—and that’s very much around cyber risk. Cybersecurity risk has already become a board-level topic, which is fantastic. Now, there needs to be more discussion about inherent risk, which is taking cyber risk to the next level and really understanding all its intricacies as opposed to viewing it as an IT problem.
Q: Are there “out of the blue” things that CISOs need to consider when thinking about systemic risks?
We just came through the biggest systemic risk around the globe. That’s the pandemic, and how it impacted us from the illness, and also how it impacted every single company and organization. It also impacted the cybersecurity landscape, right? We’ve seen one of the highest increases in cyber-attacks due largely to the massive transition to the work-from-home environment.
Another systemic risk we’re seeing now is the rise of insider threats. With the “Great Reshuffle,” so many people are leaving organizations and taking data from within the organization with them.
And here’s another example, which underscores why systemic risk management has become a board-level topic: geopolitical tension in Eastern Europe and around the globe. There’s the cybersecurity perspective, like attacks on critical infrastructure, but also the impact on the economy and what every single individual is experiencing in terms of increasing gas prices, interest rates and more.
Those are all ripple effects from one point across the globe. But just thinking back, attacks like SolarWinds are a perfect example of systemic risk—how one thing ended up having far-reaching ripple effects. We saw this a little bit with Stuxnet, too, which is going way, way back. But we’ve had those examples over time, as potential systemic risk implications. We just didn’t label it as such.
Q: When you’re looking across different industries, what is the one thing that would be a risk across all of them? Are there different ways for measuring systemic risk, say for the healthcare industry versus financial services?
Absolutely. You have to think of what’s the core of each one. For healthcare, it’s patient safety and care delivery. So, that’s the primary focus—what is going to impact those core things? For financial institutions, you’re going to focus on financial fraud and identity theft, for example.
But thinking holistically, all organizations really need to adapt their defenses to a challenging systemic threat landscape. That starts with adapting to people-centric controls. The goal here is to move from an ad hoc, inconsistent process to more of an optimized process so that it really minimizes the risk implications to the critical parts of every digital system.
Q: What is one piece of advice you could offer to CISOs on what they should be doing right now to address systemic risk?
Think through your entire environment and the complexity of the business you’re in. Hone in on what could have a catastrophic impact not only for your organization, but for those around you, like your vendors and suppliers.
As tactical advice, start with people. I cannot underscore enough that people are an intrinsic systemic risk within the organization. Every single individual is an attack vector that threat actors will use. And there’s enough data out there that shows the human element is at the core of most data breaches and other security incidents.
So, it’s really imperative to understand who poses the greatest risk within your organization. How is every single person being attacked? Why? What is the likelihood that a specific individual may be compromised? And then, how would that compromise impact a larger system or the organization?
This is a bit tactical, too, but you also need to look at all the areas of your organization, including enterprise architecture, the software development life cycle, the supply chain and vendor community, and the data “crown jewels.” You need to understand all the intrinsic risks for each of those areas.
Visit the CISO Hub for more on this topic.