Posts by Axio Global

UPDATE – SEC’s New Cybersecurity Risk Guidelines

by Axio

October 25, 2018

As we noted in our recent piece “What do the SEC’s New Cybersecurity Risk Guidelines Mean for You as a Board Member?”, the Commission is increasingly focused on cyber risk as it pertains to disclosure requirements.

The 2018 guidance addressed one of the criticisms of the original 2011 guidance – namely, that it lacked the teeth of enforceability – and statements by Chairman Clayton and others left little doubt that cyber disclosures were near the top of the SEC agenda. Perhaps it shouldn’t come as a surprise then, that on April 24th the SEC reported a $35 million agreement with Altaba (formerly Yahoo) for a multi-year delay in reporting a 2014 data breach.

This is the first enforcement action of its kind following the new SEC guidance. There is no doubt that a message is being sent to reporting companies with this action. As Jina Choi, Director of the SEC’s San Francisco Regional Office, commented, “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.” We suspect this will be the first of a number of similar actions, but stress that appropriate and comprehensive cyber disclosure practices are readily achievable.

Key Cyber Security Trends in the Utilities Sector

by Axio

March 20, 2018

At Axio, we are committed to helping companies quantify the impact of a potential cyber event. What would it mean to a company’s bottom line? What vulnerabilities exist in an enterprise’s security controls and insurance programs? And from an investment standpoint where does it make the most sense to effectively reduce cyber risk?

For all these reasons and more, we are extremely pleased to announce a new strategic partnership with North Highland, a global management consulting firm. We will be providing North Highland’s energy and utilities clients with our unmatched technology and services, all geared to addressing and protecting against cyber security events.

Our partnership with North Highland focuses on delivering:
· Exposure Quantification. Understanding the types and scale of financial impacts that could arise from a complex cyber event.
· Cyber Program Evaluation. Measuring the current maturity of the cyber security program, establishing a targeting profile, and building the plan to achieve higher maturity.
· Insurance Analysis & Stress Test. Understanding the organization’s ability to recover from a complex and costly cyber event, and how the insurance portfolio will respond.

North Highland Vice President Stephen Kinney notes the importance of the utilities industry to the world — and why, therefore, it’s critical that utility companies take a risk-based approach to cybersecurity — in his latest post, Key Cyber Security Trends in Utilities Sector:

Utilities are evolving fast through digitization. More assets are getting connected today than ever in order to become agile, customer focused and innovative. This leaves the sector vulnerable to cyber attacks, as has been witnessed throughout the world in recent years.

Stephen Kinney

Six Cyber Risk Insights From AIG and Axio’s Executive Risk Summit

by Hanno Ekdahl and Jeff Luther

March 15, 2018

Idenhaus recently attended AIG and Axio’s Executive Risk Summit, which brought together a panel of insurance experts to discuss Cyber Risk management. Cyber exposures are expanding rapidly as businesses move their IT systems to the cloud and adopt the Internet of Things (IoT) and Bring Your Own Device (BYOD). These changes introduce fundamental new threats to businesses of all sizes and shapes. This half-day conference cited recent examples to identify these threats and shared how businesses can mitigate risk with technology, insurance, and training.

Broader questions that were discussed included:

  • How is the insurance market responding?
  • Are current policies providing adequate coverage? If not, where are the gaps?
  • Have businesses considered the impact of a breach that causes significant business interruption?
  • Have they considered the need to more closely evaluate their partners and vendors to ensure they are compliant with best practices?

The panel was moderated by Forrest Pace and featured the expertise of David White, Founder and Chief Operating Officer of Axio; Guenter Kryszon, Head of Large Limits & Terrorism Property, AIG; and Garin Pace, Cyber Product Leader – Financial Lines & Property, AIG.

Here are 6 insights from the Cyber Risk discussion at the Executive Risk Summit at TechSquare Labs in Atlanta, GA:

1. The number of cybersecurity intrusions and breaches has grown exponentially in the past year.

Equifax is a case in point. The breach affected at least 143 million consumers and is still making headlines with the former CIO being charged with selling $1 million in company stock prior to the breach announcement in September 2017.

TRITON/TRISIS represents the first-ever malware to infect safety-instrumented systems (SIS) equipment. Industrial sites such as oil, gas, and water utilities typically run multiple SISes to independently monitor critical systems to ensure they are operating within acceptable safety thresholds, and when they are not, the SIS automatically shuts them down. This malware was clearly designed to harm people and property and was not about making money, representing a new rationale for creating malware that raises the risk profile. Weaponized malware has created a new set of threats that organizations are just beginning to understand.

Losses like these may not be covered under traditional insurance programs because they may be classified as an act of terrorism, or fall under property coverage. Panelists discussed current ambiguity over property coverage for cyber-related risks and ways to find solutions that clarify appropriate coverage for buyers.

  • Property programs are complementing cyber policies and are part of managing the business’ cyber exposure.
  • GOAL: Stability in the insurance program so that rates do not fluctuate wildly and coverage is adequate.
  • Look at 2017 from a threat perspective, particularly events such as Reaper, Petya (Eternal Blue), and WannaCry.
  • How can companies quantify the risk?

This is not an IT problem, it’s an enterprise problem.

Garin Pace

2. This is an enterprise issue, not just an IT concern, and insurance underwriting must take this into consideration.

The enterprise needs to understand the impact as it is incorporated into the insurance underwriting for the business. This is best considered based on scenarios the enterprise faces. This includes concerns with:

  • Business continuity
  • Availability
  • Confidentiality
  • Integrity
  • Possible financial loss to the enterprise

3. The more connected we become, the more risk we introduce.

  • Electronic Medical Records are now being attacked.
  • The Internet of Things was not designed with a security-first mentality.
  • There are chips in everything.
  • What is the cost and time to restore business when continuity is interrupted?

4. We lack clarity on the long-term effects of business interruption.

What happens when just-in-time manufacturing and the supply chain are interrupted? Just-in-time manufacturing in particular carries significant financial penalties for late or missed deliveries. What is the restoration process? How can the recovery be made faster? We need to understand the entire process by reviewing various scenarios and using stress tests to understand the bottom-line impact on the balance sheet.

5. Risk managers need to make new friends in the business.

Risk management has a broader scope than just physical and cyber security.

6. The scope of cyber risk insurance must plan for attacks of never-before-seen magnitude.

  • An area-wide event is possible, especially given the fragile US infrastructure, e.g. the power grid. This overwhelms insurers due to the scope and impact of the attack.
  • Terrorism will touch cybersecurity and must be accounted for in insurance programs.
  • 60 nations are actively creating cyber weapons. Once these weapons are released they cannot be controlled and, once on the grid, they are there for anyone. What happens if they fall into the wrong hands?
  • Sophisticated malware released into the wild is now available for the average hacker to use for nefarious purposes. What happens when an irrational actor gains control of a cyber weapon, or when you pair a sophisticated tool with an irrational actor?

This is a manageable risk with proper oversight and governance.

Forrest Pace, Moderator

We continue to see major cybersecurity breaches impacting a wide variety of industries. When addressing cybersecurity in your organization, here are three items to consider.

  1. This is an enterprise-wide problem and cannot be addressed in isolation by a standard risk approach. These risks go far beyond data breaches, where records are compromised or credit card information is stolen. Risks today include company safety systems, networks, supply chains, and business continuity. This is not limited to your organization but the organizations with which you do business, especially if you provide just-in-time materials or services.
  2. The best way to address risk today is with a holistic approach. Bring together the principal stakeholders and/or functions within your organization, such as Human Resources, Security, IT, Facilities, and Treasury. Consider bringing in your insurance broker or provider to conduct industry analysis and offer guidance on change risk issues. You may also want to include parts of your supply chain in this group.
  3. Scenario testing is the best way to understand the risk impact. Outline and define the different business scenarios that could compromise your organization and test them from end-to-end. This would include people, process, and systems.

To summarize, organizations must stress test their insurance portfolios, think holistically across cyber and physical security, look at the whole supply chain, and understand that cyber is now a critical component of the business.

This article was co-authored by Hanno Ekdahl and Jeff Luther.
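The insurance stress test that both the North Highland partnership bullets above and the panel’s closing advice call for, as an added worked example that is not Axio’s, AIG’s or North Highland’s own model: run a loss scenario through the policies in a portfolio and see what lands on the balance sheet. Every policy, limit, retention, exclusion, loss figure and reserve amount below is a constructed assumption, and the tower logic (retention, then limit, then pass the remainder to the next policy) is a deliberate simplification of how real policies respond.

```python
"""Scenario-based stress test of a cyber insurance portfolio.

Constructed example: the policies, limits, retentions, exclusions, loss
figures and reserves below are invented assumptions, not real AIG or
Axio terms. Policies are applied in the order given (primary first);
each takes the loss categories it covers, the insured keeps the
retention, the policy pays up to its limit, and whatever is left over
is presented to the next policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    limit: float                 # maximum payout for one scenario, USD
    retention: float             # amount the insured bears before the policy pays
    covered: frozenset           # loss categories the policy responds to
    exclusions: frozenset = frozenset()  # scenario tags that void the policy


@dataclass(frozen=True)
class Scenario:
    name: str
    tags: frozenset              # how an adjuster would characterise the event
    losses: dict                 # loss category -> USD


def respond(scenario, policies):
    """Run one scenario through the policy tower.

    Returns (payouts, retained, uncovered): payout per policy, the total the
    insured keeps under retentions, and losses no policy responded to.
    """
    pool = dict(scenario.losses)          # loss still unallocated, per category
    payouts, retained = {}, 0.0
    for p in policies:
        payouts[p.name] = 0.0
        if p.exclusions & scenario.tags:  # e.g. a terrorism exclusion voids the policy
            continue
        cats = [c for c in pool if c in p.covered and pool[c] > 0]
        total = sum(pool[c] for c in cats)
        if total <= 0:
            continue
        kept = min(total, p.retention)    # insured's share under this policy
        paid = min(p.limit, total - kept) # insurer's share, capped by the limit
        payouts[p.name] = paid
        retained += kept
        for c in cats:                    # remove pro rata what this layer absorbed
            pool[c] -= pool[c] / total * (kept + paid)
    uncovered = {c: round(a, 2) for c, a in pool.items() if a > 0.005}
    return payouts, retained, uncovered


def net_loss(scenario, policies):
    """Loss that lands on the balance sheet: retentions plus uncovered amounts."""
    _, retained, uncovered = respond(scenario, policies)
    return retained + sum(uncovered.values())


def survives(scenario, policies, reserves):
    """True if liquid reserves can absorb the net loss of the scenario."""
    return net_loss(scenario, policies) <= reserves


# --- constructed portfolio and scenarios (all figures invented) -------------
CYBER = Policy("cyber", limit=10e6, retention=0.5e6,
               covered=frozenset({"breach_response", "business_interruption"}),
               exclusions=frozenset({"terrorism"}))
# Property policy as written: silent on cyber, so the insurer treats a
# cyber-caused physical loss as excluded (the ambiguity the panel raised).
PROPERTY = Policy("property", limit=50e6, retention=1e6,
                  covered=frozenset({"property_damage"}),
                  exclusions=frozenset({"cyber"}))
# Hypothetical cyber-physical cover with no terrorism exclusion.
CYBER_PHYSICAL = Policy("cyber_physical", limit=25e6, retention=2e6,
                        covered=frozenset({"property_damage", "business_interruption"}))

PORTFOLIO_AS_WRITTEN = (CYBER, PROPERTY)
PORTFOLIO_WITH_ENDORSEMENT = (CYBER, PROPERTY, CYBER_PHYSICAL)
RESERVES = 5e6   # liquid reserves available to absorb a net loss

BREACH = Scenario("records breach", frozenset({"cyber"}),
                  {"breach_response": 3e6, "business_interruption": 1e6})
# TRITON-style attack on a safety system: physical damage plus a long outage,
# characterised by the adjuster as both cyber and terrorism.
SIS_ATTACK = Scenario("safety-system attack", frozenset({"cyber", "terrorism"}),
                      {"property_damage": 20e6, "business_interruption": 8e6})


def report(scenario, policies, reserves):
    payouts, retained, uncovered = respond(scenario, policies)
    print(f"{scenario.name}: payouts={payouts} retained={retained:,.0f} "
          f"uncovered={uncovered} survives={survives(scenario, policies, reserves)}")


if __name__ == "__main__":
    for portfolio in (PORTFOLIO_AS_WRITTEN, PORTFOLIO_WITH_ENDORSEMENT):
        for scenario in (BREACH, SIS_ATTACK):
            report(scenario, portfolio, RESERVES)
```

With the portfolio as written, the safety-system scenario is voided by both the cyber policy’s terrorism exclusion and the property policy’s silence on cyber, so the entire 28 million lands on the balance sheet; the point of the exercise is that such gaps only show up when a scenario is run end to end against the actual policy wording.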

What do the SEC’s New Cybersecurity Risk Guidelines Mean for you as a Board Member?

by Chris Amery, VP Professional and Financial Services

February 26, 2018

This week, the Securities and Exchange Commission (SEC) published updated interpretive guidance on cybersecurity disclosure requirements for public companies.

Following significant post-breach reporting delays from SEC-regulated entities, including Yahoo and Equifax, the Commission clearly desires to standardize cyber disclosure practices surrounding impactful cyber events. As noted in the interpretation, “[T]he Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” The investing community and public at large should welcome this standardization as a step in the right direction for fair markets.

The more interesting component of the SEC guidance, however, is the following: “Companies should consider the materiality of cybersecurity risks and incidents when preparing the disclosure that is required in registration statements under the Securities Act of 1933 … and the Securities Exchange Act of 1934.” Here, the SEC is speaking to general ongoing risk factor identification as opposed to specific post-incident disclosures. The Commission believes that firms must identify and disclose possible risk events even if they haven’t suffered a breach. This is a sea change in the regulatory view of cybersecurity. The SEC is pointing out that it’s no longer good enough to purchase technology controls and meet compliance mandates. By forcing companies to identify and publish their ongoing cyber risks, they are elevating cybersecurity to a risk-based duty of care model, requiring an understanding and articulation of best practices at the Board level. The Commission is pointing squarely at the Board of Directors and elevating cyber program management from the IT department to the highest levels of the corporation.

Axio’s CEO, Scott Kannry, wrote about this just last October:

Cybersecurity should be at the top of every upcoming executive and board of directors meeting. Rather it must be: the reality is that serious cyber events are inevitable, because technology is not failsafe, humans are fallible, and a host of other reasons in between. But the appropriate discussions and retrospectives on these events should not be entirely focused on patching every single vulnerability and demanding at all costs that “something similar must never happen to us.”

Scott Kannry, Axio CEO

What must board members understand about the new disclosure requirements? First, the good news – they are not technology based. This will not require board members to become tech experts in the latest cyber security technology. They are ‘risk-based’, which means that they require a more holistic approach, and that the current paradigm of assessments, technology controls, and compliance frameworks is clearly not enough to satisfy the SEC guidance. Maintaining accurate risk disclosures requires a dynamic cyber risk management program. In our view, the following four components of a cybersecurity program allow companies to meet this hurdle, and Board members to confidently sign off on these disclosures:

  1. Quantify your exposure in financial terms. As the SEC notes, “The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude…[and] also depends on the range of harm that such incidents could cause.”
  2. Evaluate the caliber of your current cyber program within a maturity-based framework. This approach recognizes that cyber risk and maturity is dynamic and allows a company to evolve continually as the cyber landscape changes. Compliance standards can act as a floor, but they do not appear sufficient to meet the SEC guidance that “[w]here a company has become aware of a cybersecurity … risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities.”
  3. Maintain adequate insurance and reserves to recover from a cyber incident. This goes hand in hand with required public disclosures, as firms utilizing this approach will naturally manage their financial risk to appropriate levels on an ongoing basis. Steps one and two inform the proper levels of financial defense on a dynamic basis.
  4. Benchmark your performance against your peers. Cyber risk management is ultimately in the public interest, and the ability to measure your current program against both an internal target state and your peers will be a significant input in determining whether a Board has met its duties with respect to cyber risk.

When these four key components of cyber risk management have been employed on an ongoing basis, a Board can confidently say to the public markets, “We know what our risk profile looks like, we have an updated analysis of our program maturity, our financial controls are adequate to survive a cyber incident, and our overall program is in the top 10% of our industry group.”

We applaud the SEC guidance and look forward to a world where Boards, executive teams, risk managers, and technologists embrace this comprehensive risk- and maturity-based approach to cyber program management.

Cybersecurity Supply Chain Risk Management – Deconstructing the Root Causes Behind the Spectre and Meltdown Vulnerabilities

by Dan Phillips, Director of Cyber Risk Engineering

January 22, 2018

It has been nearly two weeks since the disclosure of the Spectre and Meltdown vulnerabilities. Here at Axio, we have been quietly monitoring the research community’s discussions about the severity of these vulnerabilities as well as user experiences in applying mitigation measures to fix the issues.

Make no mistake, folks: these are serious vulnerabilities that impact nearly every computer and device with a modern processor, and there is particular concern for virtualized or cloud-based systems because the vulnerabilities can be used to bypass memory isolation controls. In the coming weeks, many security leaders will be asked to make decisions about when or whether to patch the vulnerabilities on company assets. When we consider that the patches degrade the performance of certain software functions by anywhere between 5 and 25%, cause unwanted reboots, and that the vulnerability is present in billions of devices, it seems likely that we will be living with components that are vulnerable to Spectre and Meltdown for quite some time.

Several of the articles and blog posts that I have been reading touch on the reasons that these vulnerabilities were overlooked for such a long period of time. But what I find missing from these discussions is a really honest conversation about why we keep having major hardware/software vulnerabilities like these pop up every few years. If we are being honest with ourselves, we should acknowledge that as consumers, we are often complicit in creating these vulnerabilities. Too often, we fail to recognize the true cost of rapid product development in the value chain; we don’t ask the right questions during product design and procurement, we don’t recognize the hidden costs of remediation, and we often make value judgements that emphasize lowest cost over security.

I have been working on cybersecurity supply chain issues for years, and I have yet to discover an easy solution to this problem. We have had tools at our fingertips for some time now that would help the community to better manage cyber supply chain concerns: the Common Criteria standard, NIST SP 800-161, and DOE procurement language. But the problem with these tools is that there is often not enough appetite or cohesion at the consumer level to leverage them effectively. To focus product improvement efforts, large portions of the customer base need to be on the same page about their expectations for disclosures, security features, and security testing. We also need mechanisms to discourage free riders. There are ways of dealing with the scalability and free rider problems through regulation, such as FERC’s recent notice of proposed rulemaking on cyber supply chain standards and the DFARS regulations. However, most industries lack an appropriate vehicle to coordinate consumer and vendor behavior.

At Axio, we find that education is often the best tool for managing cyber security risks. Our experience has shown that to manage cybersecurity supply chain risk effectively, organizations must:

  1. Understand the nature of their exposure to supply chain and third-party cyber security incidents and,
  2. Understand their security program’s capabilities to address these types of risks.

Using tools such as the Cybersecurity Capability Maturity Model (C2M2), the NIST Cybersecurity Framework (CSF), and peer benchmarking data, we have been helping our clients to develop roadmaps to mature their cyber supply chain risk management practices. The best solutions often involve a combination of the following:

  • Procedural controls (e.g. secure patch delivery processes, contractual obligations)
  • Technical controls (e.g. technology enforced vendor enclaves, functional testing)
  • Financial controls (e.g. insurance policies)

It is my belief that we can greatly reduce the number/severity of critical vulnerabilities in the future by encouraging technology consumers to use simple, risk informed strategies during the procurement, design, and system integration stages of the product lifecycle. By articulating our security expectations early and often to our suppliers, we can ultimately incentivize suppliers to give equal weight to performance and security as they design and integrate new products.

The One Thing your Utility Security Program is Missing

by Jason Christopher, Axio Chief Technology Officer

January 12, 2018

Ever since the Federal Energy Regulatory Commission approved mandatory cybersecurity standards for the nation’s grid, self-proclaimed gurus and experts have been making a headache of things. The Critical Infrastructure Protection (CIP) standards are one of the few compliance requirements that can monetarily penalize asset owners/operators for poor cybersecurity hygiene. And all the cool kids want to be CIP “ninjas.” But how do hiring managers, engineers, or IT peers know that the person they are talking to is really a CIP master?

Late last year, SANS announced a new certification for electric grid stakeholders interested in verifying their CIP chops—the GIAC Critical Infrastructure Protection (GCIP) certification. The multi-hour exam tests participants on all the necessary knowledge and skills needed to execute a successful utility security program, including:

  • BES Cyber System identification and strategies for lowering their impact rating
  • Nuances of NERC defined terms and CIP standards applicability
  • Strategic implementation approaches for supporting technologies
  • Recurring tasks and strategies for CIP program maintenance

The exam is great for life-long CIP experts and newbies who want to take that next step in their career. Moreover, it covers the entire CIP universe—so you know any GCIP certified personnel will be a well-rounded security professional with an understanding of compliance, technical aptitude, and all the various components to not just be compliant, but to be secure.

The certification is accompanied by a course from SANS, the foremost leader in security training, which I also teach—ICS456: Essentials for NERC CIP. The course is not a prerequisite for taking the certification, but the amount of information we give you over 5 days (and 25 hands-on labs!) will definitely help anyone looking to prove themselves with the GCIP.

The GCIP officially goes live in February, just in time for my next run of ICS456 in Anaheim, CA!

NIST Updates Guidance for Critical Infrastructure Security: What You Need to Know

by Jason Christopher, Axio Chief Technology Officer

December 18, 2017

NIST releases the Cybersecurity Framework V1.1 Draft 2 with new guidance.

In February 2014, the US National Institute of Standards and Technology (NIST) released the first version of the Cybersecurity Framework (CSF), as directed from Executive Order 13636. Later that year, Congress passed the Cybersecurity Enhancement Act and solidified NIST’s role with critical infrastructure owners and operators, through support and facilitation of cybersecurity risk frameworks. Over the past three years, NIST has held multiple workshops and collected comments across industry, academia, and government agencies.

Axio has worked alongside this team in many ways over the last three years. Several members of our team, including Dave White, Nader Mehravari, Lisa Young, and Pamela Curtis, participated in the original NIST CSF drafts and workshops for transportation, healthcare, and financial sector perspectives across industry and academia. At the time, my role at the US Department of Energy was to ensure the NIST CSF would not conflict with existing efforts, like the mandatory compliance with the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards or the voluntary Cybersecurity Capability Maturity Model (C2M2) efforts. Moreover, I collaborated with industry members across the electric and oil and natural gas sectors to ensure the CSF would work for their operating environments, regardless of size, function, or ownership. This critical work led to the Energy Sector Implementation Guidance document for using the NIST CSF.

Over nearly four years, industry has grown with the CSF. We have seen its adoption across multiple sectors, especially finance, healthcare, and water. While we have personally seen great success with measuring the CSF through the C2M2, many organizations have adopted different methods for assessing their adoption of the CSF. Moreover, we have seen more organizations talk about CSF functions when working across their cybersecurity supply chain, including asking suppliers to provide evidence that they are meeting contractual cybersecurity obligations. Critical infrastructure cybersecurity programs have matured as a result of the CSF dialogue since the first version was released.

The latest draft update attempts to codify some of the lessons learned since the release of V1.0, including:

  • Self-assessment guidance for measuring an organization’s cybersecurity program improvement;
  • Using the CSF for procurement and other supply chain decisions;
  • Examining a “cyberattack lifecycle” to provide further context to the CSF;
  • New subcategories (and informative references) for authentication and coordinated vulnerability disclosure; and
  • A roadmap of additional discussion topics.

These new additions are meant to augment the existing CSF, meaning there is no gigantic overhaul for organizations that want to incorporate the new recommendations. That being said, without a preferred method to self-assess to the CSF, most organizations will need to either create their own metrics program or leverage a facilitator or third-party tool.

There’s a lot to consider with this new update. Axio will be working with our clients to ensure industry benefits from clear, concise, and actionable guidance. In the coming weeks we will examine the latest draft and provide our thoughts on some of the key topics, including security metrics and supply chain considerations.

Until then we’re here to help — and if your organization has any questions about the latest draft, feel free to reach out to us at .




ISACA: Tips for Moving From a Controls-Based Approach to a Risk-Based Approach

by Lisa Young, VP of Cyber Risk Engineering

November 1, 2017

Reposted Content from ISACA Newsletter @ISACA Volume 22

In today’s modern and dynamic environment, the audit profession must evolve continuously and synergistically with the business and technology changes that occur every day. Professionals who are innovative, forward-thinking and fearless in the face of mental model adjustments will be the leaders of tomorrow. Mental models are the paradigms, or lenses, through which we view the world, and they can serve to limit our thinking if we are not receptive to hearing new views or thinking critically about our current practices.

At the North America and European CACS Conferences, ISACA holds 2 invitation-only IT Audit Leaders Forums and publishes the results for those who were not in attendance. This article contains my interpretation and guidance in applying one of the IT Audit Leader forum’s discussion topics to your enterprise. Challenges in the audit field are not only limited to the audit field; they are shared across many other disciplines and professional domains. If you are a security, governance, risk management or IT professional, consider these tips and how this challenge applies to your enterprise. The first challenge is moving from a controls-based, or checklist, approach to a risk-based approach:

  • The controls-based approach — This approach is well-defined in the audit and assurance discipline. Audit and assurance roles are focused on the inspection, verification or conformance to a set of practices or controls to ensure guidance is being followed, records are accurate and effectiveness targets are being met. I know there are some nuances between types of engagements, but for the purposes of this article, it is assumed that audit and assurance professionals are tasked with ensuring and evaluating that things are operating according to a prescribed or bounded set of criteria. Many of the criteria that are audited or for which assurance is provided have already occurred, meaning that we look to the past to evaluate what has previously happened. This means that the online transaction has been performed, the security control is implemented and operating, or the financial statement has been attested to. There is no uncertainty in the result of the transaction (pass or fail), if the control is implemented or not, or if the financial statement is finalized. The primary risk in audit and attestation is in reaching an incorrect conclusion from the engagement or the risk of noncompliance if controls and practices are not operating as intended. Organizations spend a lot of time and money on implementing and testing controls rather than managing risk.
  • The risk-based approach — This is a forward-looking view of uncertainty. In the landscape in which an organization operates, there are many things that impede an enterprise from accomplishing its objectives, achieving its financial or operational targets, or meeting its mission. A risk-based approach is best paired with a strategic view of the organization to understand which potential uncertainties or risk factors have the highest potential to prevent the organization from meeting its intended targets, objectives, mission, etc. A thoughtful risk assessment will consider the general things that can affect all organizations (about 80% of an enterprise risk) and will also consider those things that are specific to your individual type of business or organization (about 20% of an enterprise risk). The reason there are so many compliance regulations, control catalogs or best practices is that many organizations do not perform risk assessments with the rigor, depth or thoughtful analysis (qualitative and quantitative) that is needed to really understand where to focus the appropriate resources to manage the uncertainties that may materialize in a given day.

Implementing a set of prescribed controls or compliance regulations will generally protect an organization from about 75-85% of the risk in the environment, and it can be put into effect without the benefit of a comprehensive risk assessment. It is far easier to report on gaps in controls, security incidents or phishing attempts as risk events because they have already happened. Reporting on the uncertainty of what might or might not happen is a discipline that takes an investment of education, time and resources to report to management in a way that improves decision-making and does not rely solely on guessing, previous audit findings or reporting realized risk.

So, in the absence of a mature risk management program and process, the organization can be generally effective in preventing realized risk with a robust compliance or controls program. However, to ensure that you are managing the risk factors that have the most relevance to your organization, thoughtful risk identification, risk analysis, risk management and risk monitoring processes must be defined, implemented and measured for effectiveness. In general, an effective risk management process comprises the following components:

  • Establish the organizational context — What are the mission, objectives and strategy?
  • Identify risk — Risks to meeting the objectives, mission and strategy
  • Analyze risk — Qualitative and quantitative; not guesswork
  • Evaluate and prioritize risk — Based on analysis, not on what is in the news
  • Respond to or treat risk — With projects that are managed to completion
  • Measure and control the risk management process — By defining the processes and procedures and using standard templates and measurement scales

Here is one example to sum up the recommendations in this article:

  • Conclusion: Looking backward, as a result of [audit finding], the company lost US $3 million in revenue during the third quarter.
  • Risk: Looking forward, without a strategic plan to correct [audit finding], the company could potentially lose an additional US $3 million in the fourth quarter and US $4 million in the first quarter of the new year.
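To make the backward-looking versus forward-looking distinction concrete, here is an added example (not from the article or from ISACA) of a small risk register in Python. It takes the US $3 million realized loss and the US $3 million / US $4 million forward estimates from the example above, adds two further risks with constructed figures, and turns a qualitative likelihood band into a probability-weighted exposure so risks can be prioritized and a treatment project justified by analysis rather than by guesswork. The likelihood band values and all other figures are assumptions made for this example.

```python
"""
Added example (not the article's or ISACA's code): a toy risk register that
contrasts an audit conclusion (a loss that already happened) with a risk
(a potential loss weighted by its estimated likelihood).
"""
from dataclasses import dataclass
from typing import Dict, List

# Qualitative likelihood bands mapped to an assumed annual probability.
# These band definitions are an assumption of this example, not a standard scale.
LIKELIHOOD_BANDS: Dict[str, float] = {
    "rare": 0.05, "unlikely": 0.20, "possible": 0.50, "likely": 0.80,
}


@dataclass
class RealizedLoss:
    """Backward-looking audit conclusion: the loss has already occurred."""
    finding: str
    period: str
    amount_usd: float


@dataclass
class Risk:
    """Forward-looking risk: potential losses with an estimated likelihood."""
    finding: str
    likelihood: str                  # one of LIKELIHOOD_BANDS
    impacts_usd: Dict[str, float]    # period -> loss if the risk materializes
    treatment_cost_usd: float = 0.0  # cost of the project that would correct it

    def probability(self) -> float:
        return LIKELIHOOD_BANDS[self.likelihood]

    def worst_case(self) -> float:
        """Total loss across all periods if the risk fully materializes."""
        return sum(self.impacts_usd.values())

    def exposure(self) -> float:
        """Quantitative view: probability-weighted potential loss."""
        return self.probability() * self.worst_case()

    def treatment_worthwhile(self) -> bool:
        """Fund the treatment project only when it costs less than the exposure."""
        return self.treatment_cost_usd < self.exposure()


def prioritize(risks: List[Risk]) -> List[str]:
    """Rank findings by analyzed exposure, highest first (not by headlines)."""
    return [r.finding for r in sorted(risks, key=Risk.exposure, reverse=True)]


def summary(realized: RealizedLoss, risk: Risk) -> Dict[str, float]:
    """Side-by-side view of the conclusion and the risk for the same finding."""
    return {
        "looking_backward_usd": realized.amount_usd,
        "looking_forward_worst_case_usd": risk.worst_case(),
        "looking_forward_exposure_usd": risk.exposure(),
    }


# Constructed register. The first two entries use the article's figures; the
# other two risks and every treatment cost are invented for illustration.
REALIZED = RealizedLoss("[audit finding]", "Q3", 3_000_000)
AUDIT_RISK = Risk("[audit finding]", "likely",
                  {"Q4": 3_000_000, "Q1": 4_000_000}, treatment_cost_usd=1_500_000)
PHISHING = Risk("phishing losses", "possible",
                {"Q4": 500_000, "Q1": 500_000}, treatment_cost_usd=250_000)
OUTAGE = Risk("legacy system outage", "rare",
              {"Q4": 6_000_000, "Q1": 6_000_000}, treatment_cost_usd=2_000_000)
REGISTER = [PHISHING, OUTAGE, AUDIT_RISK]

if __name__ == "__main__":
    print(summary(REALIZED, AUDIT_RISK))
    print("priority order:", prioritize(REGISTER))
    for r in REGISTER:
        print(f"{r.finding}: exposure {r.exposure():,.0f}, treat={r.treatment_worthwhile()}")
```

The point of the register is the ordering: the rare but large outage ranks above the everyday phishing risk only because the numbers were worked through, and the audit finding's treatment is justified because its cost is below the exposure it removes.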

If you are interested in learning more about risk management, there are many quality ISACA publications that cover the topic in more detail. I will also be delivering a workshop on risk assessment and risk management at the upcoming 2018 North America CACS in Chicago, Illinois, USA.

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.

Understanding the Impact of the KRACK Attack

by Brendan Fitzpatrick, VP of Cyber Risk Engineering

October 25, 2017

I am writing to give you the skinny on KRACK, the attack, and to provide some of the “facts” along with some recommendations for what to do now. The bottom line is that your devices ARE vulnerable to this newly discovered attack. Practically every WiFi-enabled device is affected. Computers and mobile devices will likely get updates in the near future, though IoT and embedded devices may be a different story. You will want to update your devices as vendors release patches. You may also consider getting in compliance with your backup policies now to save frustration later.

What is the KRACK attack?

  • KRACK is short for key reinstallation attacks
  • The vulnerability is within the WPA2 protocol, which means all WiFi-enabled devices utilizing WPA2 are vulnerable
  • WPA2 is short for Wi-Fi Protected Access 2 and is how the connection to your WiFi access point is secured
  • The attack relies upon the 4-way handshake negotiation at the beginning of WiFi sessions
    • An attacker needs to be physically in range of a particular Wi-Fi network to carry out the assaults
    • The attack must take place during the 4-way handshake
    • The attack does not reveal the WiFi passphrase and does not allow the attacker to join the network
    • If the attack is successful, the attacker can potentially decrypt traffic between the victim client and their access point
    • Currently, the attack is focused only on the client side of the handshake
    • The researcher discovered the vulnerability in May, informed vendors in July, and made it public very recently
    • Most vendors are working diligently on patches
    • The researcher has not released a toolkit or script for the exploit
    • There are no known uses of the attack in the wild
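The mechanics behind the bullets above come down to key installation resetting a counter. As an added example (not from the post and not the researcher's code or tooling), the following Python toy models only the client side of the 4-way handshake: a retransmitted Message 3 causes an unpatched client to reinstall the same key and reset its per-frame nonce, so the same nonce is used again under the same key, while a patched client still acknowledges the retransmission but keeps the key it already installed. No real Wi-Fi frames or cryptography are involved; the key is a constructed byte string and the nonce is a plain counter, both assumptions of this example.

```python
"""
Added example (not from the post or the KRACK researcher's tooling): a toy
model of the WPA2 client ("supplicant") side of the 4-way handshake, showing
why reinstalling an already-installed key resets the per-frame nonce and why
the fix is to install a key only once per handshake.
"""
from typing import Dict, List, Optional


class Supplicant:
    """Simplified client state: the installed pairwise key plus a transmit nonce."""

    def __init__(self, install_once: bool):
        # install_once=False models the unpatched behaviour the post describes;
        # install_once=True models the fix (ignore reinstallation of a key in use).
        self.install_once = install_once
        self.installed_ptk: Optional[bytes] = None
        self.tx_nonce = 0        # packet number used as the per-frame nonce
        self.msg4_sent = 0

    def _install(self, ptk: bytes) -> None:
        self.installed_ptk = ptk
        self.tx_nonce = 0        # key installation resets the nonce by design

    def handle_msg3(self, ptk: bytes) -> str:
        """Message 3 delivers the key material; the client answers with Message 4."""
        already_installed = self.installed_ptk == ptk
        if not already_installed or not self.install_once:
            self._install(ptk)
        # A patched client still acknowledges the retransmission so the
        # handshake can complete, but keeps the existing key and nonce.
        self.msg4_sent += 1
        return "msg4"

    def send_frame(self) -> int:
        """Return the nonce consumed by one encrypted frame."""
        self.tx_nonce += 1
        return self.tx_nonce


def nonce_reused(nonces: List[int]) -> bool:
    """Defender's check: a repeated nonce under one key means keystream reuse."""
    return len(nonces) != len(set(nonces))


def simulate(install_once: bool) -> Dict[str, object]:
    """Run a handshake in which Message 4 is lost and Message 3 is retransmitted."""
    client = Supplicant(install_once)
    ptk = b"constructed-pairwise-transient-key"   # constructed, not a real key
    client.handle_msg3(ptk)
    used = [client.send_frame() for _ in range(3)]
    client.handle_msg3(ptk)      # retransmitted Message 3 (Message 4 never arrived)
    used += [client.send_frame() for _ in range(3)]
    return {"nonces": used, "reuse": nonce_reused(used), "msg4_sent": client.msg4_sent}


if __name__ == "__main__":
    for install_once, label in ((False, "unpatched"), (True, "patched")):
        print(label, simulate(install_once))
```

The unpatched run yields nonces 1, 2, 3, 1, 2, 3 under one key, which is exactly the condition the post's “potentially decrypt traffic” bullet depends on; the patched run yields 1 through 6 and still sends Message 4 twice, so the fix costs nothing in handshake reliability.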

What can you do?

  • Update your devices as vendors release patches
    • Microsoft claims that an update is already available for currently supported Windows versions
    • Apple claims that their update for all currently supported devices is in Beta and will be pushed to the public soon
    • Google Android and other Linux based devices may be the most affected and updates are still being developed
  • Changing your Wi-Fi password or getting a new router won’t protect against KRACK attacks, but they are never bad ideas
  • Protect sensitive company and client data according to your company policies
  • Enterprise users should ensure they use their company VPN when on public WiFi and use HTTPS-enabled websites whenever possible
  • Consider tethering your phone when WiFi networks do not play nice with your corporate VPN, as cellular connections are encrypted

  • Researcher’s site on KRACK
  • Research paper on KRACK
  • Great article for the non-techie 1
  • Great article for the non-techie 2

Copyright 2018 Axio Global, Inc.