What's Risk Surface?

Posted by Kelly White on Apr 12, 2019 1:48:14 PM

You’ve likely never heard the term “risk surface” before, but it’s an important concept that captures the way modern enterprises must manage risk. To that end, we’re providing an in-depth definition of what risk surface is so you can begin to expand your understanding of cyber risk management in the current landscape.

The simple explanation is that risk surface is anywhere an organization’s reputation, assets, legal obligations, regulatory compliance, or ability to operate is at risk.

That means your risk surface isn’t limited to digital infrastructure that resides under your immediate jurisdiction; it extends to wherever your digital assets may reside and to wherever their availability depends. If, for instance, you have engaged a vendor in Des Moines, Iowa, to digitize your customer loan documents, your risk surface now includes that vendor and its attendant people, processes, and technology.

The legacy of on-prem risk management

Information security is burdened by the legacy of the 1980s and 1990s. In the time before the advent of cloud computing, the enterprise’s network, systems, and databases were all dedicated for use by a single organization. As long as the on-prem hardware and software were secure, all the organization’s digital assets would be protected as well. In the old kingdom, protecting the value at risk was largely a matter of guarding the “castle” by building the appropriate fortifications.

But the rise of cloud computing and SaaS heralded a digital transformation through which businesses fulfill services through specialized providers. The clear demarcation between one “castle” and the next vanished; now, the castle of one’s enterprise belongs to a vast kingdom of interdependent technologies, servers, and data. In this new reality, focusing on your own systems is beyond insufficient—it’s ignoring risk.

The new landscape demands a shift in cybersecurity risk mindset. It is not enough to protect your infrastructure, people, and processes: you need to follow the asset of value and protect it wherever it may go. The same level of protection you afford your own network—from employee access to servers to laptops and web apps—should extend to wherever your assets reside. In a very real sense, your information security team encompasses your own internal team and the team of that digitization vendor in Des Moines, Iowa, and every other vendor team that’s protecting the value that you have at risk.

The consequences of ignoring your risk surface

Protecting distant assets in a vendor’s network is uncomfortable. In foreign environments, the people, processes, and systems for protecting your assets are not yours, unlike your internal security program, where you have the deep transparency and accountability necessary to manage risk well. That could be why so many organizations have remained focused on protecting value at risk when it resides inside their organization and have ignored the safety of the asset when it resides at a third or fourth party.

Remember, though, that the purpose of cybersecurity risk management is to protect value at risk. If you are only protecting value at risk resident within the systems operated by your organization, then you are only managing a fraction of your risk. In fact, we keep seeing example after example of what happens when the extent of one’s risk surface is misunderstood or ignored:

Consider, for instance, the hack executed by Chinese nationals in May of 2018 that compromised sensitive data from the U.S. government about designs for a supersonic anti-ship missile to be used on submarines. Instead of attempting to hack directly into the Department of Defense’s systems, the Chinese targeted a Navy subcontractor. While the U.S. government had invested untold amounts of money into hardening its own network, that hardening ended at the threshold of the government’s digital domain. When the data was allowed on the subcontractor’s systems, the government should have ensured that server was appropriately secured.

It was an expensive lesson: The Department of Defense’s lack of understanding about its risk surface cost the United States the loss of top-secret information. Similarly, you can’t afford not to understand and evaluate your own risk surface, so that you know everywhere you have value at risk. Failing to understand your risk surface puts your reputation, legal obligations, regulatory compliance, and ability to operate at risk. The job of information security risk management is to protect value at risk everywhere value is at risk. Period.

For a recent non-digital risk surface parallel, one need look no further than the Ford F-150 production halt in 2018. The F-150 truck is responsible for roughly 28% of Ford’s total sales, and the production halt cost the company about $310 million. It was all due to a fire in the production plant of a single supplier. Without the engine compartment reinforcement piece supplied by Meridian Magnesium Products, Ford couldn’t produce the Ford F-150. Ford underestimated the size of its risk surface; it wasn’t limited to Ford factories but also included Meridian Magnesium Products, because Ford depended on that supplier to operate. Ford should have accounted for the risk of its suppliers in its operational plans.

In February 2018, Ascension Data & Analytics exposed 24 million mortgage loan documents because their vendor stored the data on a public S3 bucket. In responding to the incident, Sandy Campbell, general counsel at Ascension’s parent company, confirmed that a vendor had discovered the leak, but assured the public that Ascension’s systems were not impacted by it.

Who cares that Ascension’s systems were not impacted by the leak? The compromised systems aren't the point: the value at risk is the point. And the value at risk was compromised. It doesn’t matter where the asset resides, whether it be in your systems, your vendor's systems, or your vendor’s vendor’s systems—you are responsible for protecting the value at risk. You can outsource your systems and services, but you can’t outsource your risk.

The time of myopic information security that focuses on the internal organization is at an end. It’s time to understand risk surface and acknowledge that your risk—both in the digital world and the real world—extends anywhere you have value at risk, from part suppliers to AWS infrastructure to data analytics partners. Furthermore, managing your entire risk surface to protect your high-value digital assets is your responsibility. In this new reality of cybersecurity management, ignorance is loss.
