“We passed our last security assessment! Why are you asking for more resources?”
CISOs often feel like they are on a treadmill – fighting fires, adjusting security controls, adding new technologies, and constantly asking for additional funding. There appears to be no rest as threat actors continue to exploit vulnerabilities, steal data, and disrupt services.
Every year, the CISO’s trip to the chief finance officer or executive suite risks contributing to the perception that the CISO is not spending funds wisely, or worse yet, is not the right person to lead the organization’s security initiatives. In good times when everything is funded, attacks still seem to happen and occasionally cause damage. For some other organizations, things really get out of hand and the organization makes the news – something that can be a career-limiting event. All of this leads to uncertainty, job insecurity and stress.
To address this, it may be time to change the message surrounding the annual ‘groveling for dollars’ show that takes place every budget cycle. By refocusing the discussion from a product or staff wish list to a risk mitigation conversation, it is possible to articulate the need for additional investments to reduce the organization’s security risk.
Vulnerabilities change, even in stable environments
Resetting senior leadership’s cybersecurity expectations should start with an explanation that new vulnerabilities are constantly being identified at the same time that old vulnerabilities are being exploited as new exploits are released into the ‘wild’. For the former, a trip to any RSA or Black Hat Conference provides tangible evidence that researchers are constantly identifying new ways to attack systems. Recent successful attacks have exploited these “Zero Day” vulnerabilities to bypass anti-virus and malware protection technologies.
In addition to these newly discovered vulnerabilities, older software vulnerabilities are being exploited when threat actors develop new exploits. When this happens, we see alerts and patches from the various vendors. A review of patch notes will validate that many vendors are closing gaps that have existed for months or years, but sometimes it takes a published exploit to get their attention.
CISOs have more to worry about when new vulnerabilities and new exploits are disclosed before the various vendors make patches available. In many industries, larger, complex software systems including human resource, enterprise resource management, electronic health record, and supply chain applications have operating system interdependencies that prevent new patches from being deployed until the application vendor releases updates. In these instances, the CISO must worry about implementing compensating controls to address newly announced vulnerabilities. This could range from blocking specific ports to implementing new monitoring tools to see if any of the new exploits have been used.
Environments change as companies grow
A second reason for security changes is the uncertainty caused when new products and services are introduced into an environment. This could be from a merger, introduction of a new product line, or a sea change when moving technology into a Cloud environment. Any of these events should automatically trigger a new security risk assessment, which will identify new vulnerabilities and risks.
In some instances, security, privacy, and compliance issues are afterthoughts when business decisions drive organizational change. When this happens, the deciding investment factors may overrule what would be prudent from a security vantage point. CISOs are then put into a catch-up mode to secure something that doesn’t fit nicely with the strategy and architecture. New security solutions may be needed, or at a minimum, licenses will need to be reviewed to ensure that security control points are being monitored.
Impacts change as the business model adopts new technologies
Since risk is a function of both the probability and impact of adverse events, the risk model must also be reviewed after the business model adopts new automation. Specifically, when technology supplements a manual process and that technology is not available due to a cyber-attack, the adverse impact can be mitigated through labor. When advanced technology replaces much of a manual business process, something that happens a lot when data is moved into the Cloud, the impact following the loss of that technology becomes much greater. This changes the risk equation and will require additional controls, including better downtime procedures.
CISOs should ensure that the business teams conduct a thorough Business Impact Analysis, or BIA, as the new technologies are introduced into the environment. This BIA will likely discover that the impact of a technology disruption is much greater. The key is that the impacts of downtime are much more disruptive today than they were just five years ago.
Changing the paradigm, and cutting the Mobius loop
When the CISO adopts the lexicon of risk when speaking to the executive suite and the chief finance officer, the conversation shifts in their favor. Rather than trying to justify individual projects, it is time to focus on the increased risk to the organization and the need to help mitigate it back to an acceptable level. Refocusing the discussion presents an opportunity to document organizational risks and then challenge executive leadership to either reduce the overall risk or go on-record to accept the risk – something that most executives are not comfortable doing.
About the Author:
Clyde Hewitt is Vice President of Security Strategy for CynergisTek.