Episode 08: How Risk Management Can Help Companies Strengthen Cybersecurity and Prevent Cyber Attacks with Alyssa Miller of S&P Global Ratings

March 17, 2022

Companies hire cybersecurity analysts and managed IT security services expecting them to protect their vital assets. But that is not quite how it works. Cybersecurity specialists cannot guarantee that anyone’s data and privacy will be shielded; what they can do is walk you through the best ways to manage risk and reduce exposure to cyber threats. After all, nothing is 100% safe, and no one can promise foolproof protection.

In the new episode of Dr. Dark Web, Chris Roberts welcomes Alyssa Miller, the BISO at S&P Global Ratings. They have an exciting chat about cybersecurity, the modern perspective on intelligence and information, and why businesses should know the truth about their cybersecurity, no matter how harsh it is.

Guest-at-a-Glance

💡 Name: Alyssa Miller

💡 What she does: Alyssa is the BISO at S&P Global Ratings.

💡 Company: S&P Global Ratings

💡 Noteworthy: Alyssa is a life-long hacker, a published author, and a cybersecurity professional who’s not afraid of challenges.

💡 Where to find Alyssa: LinkedIn

Key Insights

When it comes to business or information intelligence, focus on the intelligence piece of it.

Alyssa believes that when talking about business intelligence or information intelligence, the idea of ‘intelligence’ is most important. However, it’s often underappreciated. “When we say ‘threat intelligence’ or ‘information intelligence,’ I think the key factor that we miss most often is the ‘intelligence’ part of it. We get a ton of data. And we look at it, and we give it to a bunch of people and say, ‘Here, go through this.’ But intelligence comes in. And how do we apply that?”

Great information is nothing without intelligence.

Companies may have important information about their security and the processes within their organization, but it is irrelevant unless intelligence is applied to it. “You may have great information, but it doesn’t mean anything if you can’t make that jump from what is important to the CEO, CFO, or the COO because this is what regulators or shareholders are asking you to know about. Connect to that. And that’s how you start to create intelligence in your threat intelligence program.”

Stop trying to paint rosy pictures where they don’t exist.

Alyssa is a firm believer that businesses should know the truth about their cybersecurity, whether it’s good or bad. “Another thing we need to be, in cybersecurity, is honest. Stop trying to paint rosy pictures where they don’t exist, but also, paint a good picture when it does exist.”

Episode Highlights

Organizations Can Do a Lot Better with Their Cybersecurity

“It comes down to the two key things that I don’t think we do as much as we could do, or where organizations can do a lot better. And one is the age-old conversation about knowing what you have. Because knowing what you have, what your assets are, and what are the most critical assets for you, is so part and parcel of anything and everything we’re going to do. If I’m going to secure something, I have to know what it is first.

[…]

The other facet of it is understanding your threat model, and you can’t understand your threat model if you don’t understand your assets. That’s a part of it. And when I say threat model, I’m not talking about sitting here with STRIDE and all these crazy frameworks that I beat up on all the time. It’s just understanding what is most critical to you — that’s the asset part — and then understanding what to do about that. Do I need to defend? Or what’s the worst thing that could happen? And I don’t think we do that well, organizationally, because it’s not easy. It requires cybersecurity to not just talk to the business [side] but also to understand it and be able to do those translations and say, ‘I’ve got this intelligence coming in. I’ve got this information coming in.’”

Understanding Cybersecurity as a Risk Management Function

“Nowhere is cybersecurity the most important part of any business, unless that is your business. If you’re a consulting firm or something, sure. If you’re making products, maybe. But at the end of the day, you’re selling something. You can run a business and be very successful without having a CISO, without having a cybersecurity team, without doing any of the cybersecurity things. So, we have to understand cybersecurity as a risk management function. We’re a subset of a subset of risk. So you’ve got all the risks that the CEO’s thinking about — ‘What is the market doing? Where are we positioned financially?’ But one of them is IT risk. And they stick cybersecurity underneath IT risk as a subset. I don’t think it belongs there, but that’s where it ends up. And we have to understand that we are not the big picture. We are a very small component of the big picture, and we’re there to do a specific thing to defend that big picture.”

There Is No End Game in Cybersecurity

“I was on this call with a number of CISOs, and a couple of them started talking about their approach to risk and risk tolerance, and they were like, ‘We’re working toward zero tolerance for cyber risk.’ That doesn’t exist. You’re never going to get there. All you’re doing is setting the idea in the minds of your business leaders that there comes a point where we’ve hit the end game on this. There is no end game. A board member asked me when we can stop spending money on cyber. [The answer is that] we get there when technology stops changing. Until then, you have no hope of it.

So, you have to be focused on how to be resilient and how to minimize the ‘blast radius.’ If we get compromised, make sure it doesn’t hit our critical assets and understand the idea that it’s not if but when. And when it does, this is how we’re gonna react to it. That’s the thing you need to be talking about, not giving them this hopeless picture that there’s nothing we can do to stop them from getting breached.”

The Software We Buy Is Never Going to Be Secure

“None of the software we buy is ever going to be secure. […] I’m not going to stand here and tell you that any vendor’s secure. I’m not going to stand here and tell you that our networks are secure. But I’m also not going to stand here and tell you it’s not secure. But I’m going to say, ‘We have some risks, here’s what they are, and here’s how we should be looking to address them. Here’s what we’ve done already to mitigate them. Let’s have a mature conversation. Here’s where we were five months ago, and here’s where we are now in terms of that risk.’ Because if I’m good at cyber security, I’m actually measuring that stuff.”

Final Thoughts

“I’ve been in contact with a few different governmental and world agencies, and I’m hoping to get my voice in a couple of spaces there. As for the book, I just submitted the last revisions, and that should be going into production soon. But, I’m staying active in our community because what matters most to me is how we continue to be stronger and how we continue to influence. The advice I’ve been giving to a lot of people who have management or leadership aspirations is that if you want to get into cyber security management, especially at a higher level, the best thing you can do is go out and learn some MBA concepts. Sit down, read, and start to learn some of those ways of communicating because, if we get better in cybersecurity, it’s going to be because we learn how to talk to the other portions of the business and communicate in ways that mean something to them. […] That’s how we’re going to get better in cybersecurity. If you care about seeing us get better, we’ve got to be better at talking to and influencing the business.”