Cyber security leaders rely on a risk matrix to make investment decisions, then quantify that data when they present their budget request to the CFO. Historically, we see organizations attempting to assess risk qualitatively in terms of likelihood and impact, following the NIST 800-30 framework. The results typically follow a bell curve: some risks ranked as High, the majority designated as Moderate (or Medium), and the remainder as Low. Serious events — like hackers, malware, ransomware and theft of patient data — are traditionally ranked as High risks, given that their impacts involve a measurable financial loss and some risk to patient care.
Unfortunately, we have seen significant grade inflation over time, leaving little room for catastrophic impacts that could result from a cyber war. For example, organizations have serious concerns about their backup strategy for recovering from a ransomware attack. The thought of not having recoverable hardware on which to even restore data is an impact outside the typical risk impact axis. During this session, learn how we can alter the current risk matrix to effectively introduce tertiary/ancillary risks that may be overlooked in the current model. I think we have to take a “whole picture” look and not get pigeonholed into risks that can be truly quantifiable from a CISO perspective.
For this reason, we need to reset the risk matrix, then explore options based on a more realistic impact continuum. This analysis would drive a deeper conversation around cyber resiliency, specifically focusing on incident response and what happens “after the boom.” The potential for cyber war is higher than ever given the current political environment.
At the end of the session, attendees will be able to:
- Identify how a potential cyberwar would impact an organization’s current risk assessment framework
- Justify an increased emphasis on cyber resiliency planning
- Apply a new rubric for measuring adverse impacts to a healthcare organization
- Defend the need for additional preparation across multiple workflows supporting an academic medical center