In the evolving landscape of cybersecurity, DoCRA (Duty of Care Risk Analysis) is challenging traditional methods by highlighting the public policy implications of cybersecurity risks. Organizations often focus on self-centered risk evaluations, neglecting the broader impact of their decisions on others. This oversight can lead to accepting risks that affect the public without proper consideration, a mistake that cybersecurity experts and consultants may inadvertently reinforce for profit. The DoCRA framework encourages a more responsible approach by aligning risk assessment with legal and security standards, ultimately aiding decision-making for both executives and technologists.
TRANSCRIPT
I’m going to describe DoCRA by first describing what DoCRA is replacing.
I’ll do that by telling you an obvious fact followed by a common mistake and then a failure in the cybersecurity industry.
The obvious fact is this.
Cybersecurity risk is a public policy issue. When an organization suffers a security incident, they’re not the only ones affected. The public, who may be customers, students, patients, or anybody, are also harmed.
So cybersecurity risk is a public policy issue.
The mistake is that organizations neglect that obvious fact. They evaluate cybersecurity risk as a self-focused concern. They ask, how much money would this risk cost me? How much would this safeguard cost me? Then they decide to accept risks that they are fine with, but they forget that they’re also accepting risk that others may suffer. It’s not a company’s role to accept someone else’s risk, but they do. That’s the mistake.
The failure is this: so-called cybersecurity experts get paid lots of money to tell their clients to make that mistake. Then they say, good job. You did that right. Now pay me my fees.
There’s a current fad among cybersecurity consultants to score their clients using maturity models. Scores of one through five are supposed to assure us that our controls may start weak, but they’ll get strong.
Then the consultants pretend that their clients’ peers are scoring three point two or three point four, setting a target for your performance.
Why those scores? Well, because they look like they’re more than half. Three is right between one and five. They’re trying to give you an impression that you should be doing something more than average, but not too much. These consultants want to be hired back next year, so they don’t want to appear too harsh.
But the law is asking for something that looks more like a maturity score of four. That means you’re testing and correcting your controls. That seems pretty obvious. So how much are you paying your security consultants to tell you to aim for less than what the law tells you to do?
Worse than that, why are you being compared to your peers who are getting hacked?
Why are you trying to achieve the maturity of that kind of organization?
Instead, DoCRA is telling you to do these three things.
Assess risk to yourself and others, reduce risk so they would not require a repair, and the burden of safeguards should not be greater than the risk.
DoCRA helps you think in terms of risk the way the law and security standards bodies require. It helps you make decisions that executives understand, that technologists understand, and that the law requires.
To learn more about duty of care risk analysis, you can read the DoCRA standard at docra.org. You can speak to your account executives at HALOCK Security Labs at Reasonable Risk, or you can read CIS RAM at cisecurity.org.