A CISO's 4 pillars of a cyber-secure business risk management plan
Digitization is sweeping across virtually all sectors of the economy. Most products and services now have a digital aspect, such as performance tracking of the product or of its user, or linking simple services together like ordering food online that is delivered by a rideshare driver. As businesses integrate digitization into their overall corporate strategy, they need to evolve their risk management and mitigation strategies to assess, plan and protect against a wider variety of risks from the expanded attack surface.
The stakes are high. Cisco’s 2017 Annual Cybersecurity Report revealed that 29 percent of the 3,000 IT professionals surveyed admitted having a cyber event in the past year that cost them revenue, either short or long term. Thirty-eight percent of those said their losses exceeded 20 percent. While a large company can most likely recover from such a big hit, for a smaller company it can be devastating. In companies both large and small, breaches have a huge impact on brand reputation and customer retention, with the research showing a 26 percent hit for both groups.
Consequently, a new approach to risk management is required, and it must start at the top. Thorough situational awareness is imperative for leadership to understand what specific risks an intended business strategy carries. Is the risk carried by one organization, or is it shared with multiple partners’ entities? How could it impact the whole company brand? Which of these risks is leadership willing to take on, and what is the company’s current ability to mitigate them? To answer these questions, those in charge must understand the role of data in their business environment and thoughtfully plan for how different actions can impact their overall business objectives.
The CISO, once looked to solely for back-office issues, now has a critical role in helping to articulate and assess these variables so that leadership can make sound business decisions. Those decisions will guide all subsequent steps in formulating and executing the corporate strategy. They become the North Star of the entire security team, confirming the agreed upon risk profile to be taken for a given line of business or even the whole company. They also form the basis of threat modeling; for instance, what regions are you going into with what products, who there would want to do you harm, what motives do they have, and in what ways could they harm you? Your security strategy can then be designed against those actual risks.
A four-pillar security approach that encompasses partnership, people, process, and technology enables situational awareness for all strategic decision-making and addresses risks across the enterprise.
Partnership
If a CISO does not have the right partnerships, organizational alignment, and support, it doesn’t matter how good you are as a security practitioner – you will fail because what you need to do simply can’t be done on your own. As business strategy moves to implementation, partnership among the CISO and leaders across the business becomes critical; for instance, helping IT to build the right technical platforms or enabling business development to drive the relationships needed for market success—whatever it is that supports and operationalizes the company’s business objectives.
Resonant communication is essential. Whether you talk to your CEO, your CFO or a business unit leader, you must speak in terms that are important to them, and convey how security will help them with their issues – such as time-to-market, legal and regulatory or opportunity risks – not details about particular malware or cybercriminal behavior. Last April’s 2017 Cyber Balance Sheet report, independent research published by data risk consultancy Focal Point Data Risk, confirms the importance of business-level communication. The report, which identifies the most prevalent cyber risk issues resonating in boardrooms, reveals that many CISOs consider interacting with the board to be the toughest part of their job. Yet of the top ten priorities for CISO communication with the board, respondents ranked relating security information to the business number one. Business dialog can be unfamiliar territory for those who have lived only in the technical ranks, but it is necessary to advancing situational understanding and gaining broad support to create a resilient company infrastructure.
People
The second pillar is people, perhaps the most challenging part of the cybersecurity equation. What do business leaders and employees really need to understand about cyber risk to do their jobs securely? It’s best to focus on actionable knowledge that is relevant to their day jobs. Build training and awareness around the risks identified in your threat model, and how users could be vulnerable in those situations. For instance, if software developers are building a particular kind of app, explain the risks already identified with it along with what they can do during development to ensure the company is protected. Other functions or departments should examine their practices and vulnerabilities in the same way.
Phishing awareness training is a particularly useful tool. It is the one thing that everyone who gets emails can learn about to minimize risks from the outside. According to the Anti-Phishing Working Group, a global coalition focused on the private and public-sector response to cybercrime, 2016 phishing attacks reached an unprecedented 1.2+ million, a 65 percent increase over 2015. To help combat this skyrocketing threat, adoption of Enterprise Data Loss Prevention technology as training tools is accelerating. EDLTs enable delivery of simulated phishing emails to employees; organizations can alert staff in advance that messages are coming, and proactively provide education about them. If an employee still clicks on a simulated attack email, he or she gets immediate training on what they did wrong. Raising awareness of what can happen will enable employees to spot such attacks when they do happen.
Building a business-savvy security team is also important. Hire people who have lived in business shoes. Nothing builds understanding like feeling the real pressures of a job. Today, security must be about business competency, skill, and alignment. Role rotations within the organization can be a great way to get up close and personal experience and the understanding that comes with it; even rotating roles within the security team will broaden an employee’s perspective. The same is true in reverse. When a security team member becomes part of a business functional group like HR or marketing, they will foster more security engagement with that group than any leadership information push.
Process
The next pillar focuses on the processes needed to defend your organization against your threat model. We use the “95/5” rule for guidance. All businesses need good security architecture and a set of automated defenses to instantly deal with 95 percent of what could go wrong. The other five percent should focus on effectively dealing with inevitable and unavoidable issues. People make mistakes. You’ll have errors in your system that can be exploited, or there can be errors in the products you buy. That five percent must be able to actively and quickly identify anomalies and do something about them. Budget-wise, a mature program will be closer to 50/50 spilt.
Product development is a great place to start. When building digital products, environmental hygiene is critical to managing risk. Standards and processes that ensure quality checks and controls will help you find errors and vulnerabilities and do the quick maintenance, repairs, and updates that will keep the environment current and safe. Security teams must be able to deliver security as code and to operate with the agility and speed needed to keep pace with the business. Not meeting that bar will harm the company’s ability to compete in today’s lightning-paced market.
Other functions across the business must be similarly prepared to spot and address problems in their domains. This competency links back to the partnership pillar, but also requires a formal process. A good practice is to establish a data protection committee that brings together senior-level delegates from across the company who are guardians of their function’s business data. Through that forum, delegates can participate in ongoing dialog and process around what data is available, who owns it, what obligations are around it, who are its consumers, and what collection and protection processes are being used. Because all of those delegates participate in designing the security policy and technology requirements needed to protect their data, they’re part of the process. That partnership brings buy-in when security comes forward with a proposal to manage their risk.
Privacy is also critical. The data a CISO is charged with protecting can be about things or people, so what do you need to protect most? Privacy engineering should be thought about up front – what data do you have, how can you use it, how can you communicate the right visibility to your customers about what is being done with their data, and what controls do you have? You can’t separate people from the apps, systems, and data they’re using every day, but those practices leave an endlessly growing digital trail and set of artifacts. Going forward, carefully evaluate what the privacy risks and impacts are and will be as ever more digital data is collected. Consider leading-edge practices like Privacy by Design when developing any new system or process.
Technology
The fourth but equally important pillar is technology. For the security team to meet the obligations and requirements of the business strategy, you must have a comprehensive and integrated security architecture. With the interconnectedness of the modern digital experience, we can no longer rely on disparate tools to try and secure email, web browsing, website hosting or other domains in isolation.
How do current attacks usually work? An attacker sends an email that contains a link to a dangerous website from where victims download something malicious onto a laptop. That one interaction involves email, web outbound, and web inbound protection. Traditionally, security might purchase three separate tools requiring manual intervention. But today’s integrated experience must now work in a more seamless fashion. That automated, comprehensive protection and integration will address the 95 percent problems, so you can have the bandwidth to focus on the other five percent.
In the era of digitization, cyber risk is inherently and inextricably linked to business strategy. Today’s CISOs must up their game to keep pace with the escalating threat landscape while guiding the organization’s risk profile in a way that advances business strategy and competitive posture.
By incorporating the four pillars of an effective security strategy – partnership, people, process, and technology – companies can create a culture of risk awareness that permeates the entire organization. Ultimately these four pillars will empower business leaders to make well-informed, sound decisions about business strategies that balance benefit and risk, with the understanding and engagement of the entire organization behind them.
About the Author:
Steve Martino is a Vice President and CISO for Cisco Systems. He is responsible for insuring the protection, integrity, confidentiality, and availability of information and computing assets globally while minimizing the impact of security policy and procedure on business productivity.