As data breaches fill the headlines, cyber security vulnerabilities and other security issues have become a hot topic within the boardroom. Companies are starting to understand that security is more than a set of boxes to check — it’s a central component in safeguarding the company’s success and prosperity. They’re working to break down the walls that traditionally separate the Chief Information Security Officer from other executives, and start giving them the support needed to keep the business safe.
Unfortunately, there’s a barrier of understanding. Most board and audit committee members do not possess the requisite technology background required to ensure that the CISO is well equipped to perform the job at hand, and many CISOs don’t have the business background to make their case effectively to the board. More than ever, board members need to communicate effectively with CISOs about the security threats the organization faces, strategies to reduce those threats, and how to support the security team and reduce the threat of a significant data security breach.
Cyber Security: What’s at Risk?
Data breaches are nothing new — they’ve been going on for decades. One of the earliest newsworthy data breaches occurred in 1984 when TRW (now Experian) was hacked, resulting in the loss of 90 million records. As businesses have become more connected and digitized more data, however, breaches have become bigger and more common. In 2015, the Identity Theft Resource Center logged 781 breaches in the U.S. alone, breaching at least 177,866,236 records. The true number is probably much higher, as breaches are severely underreported.
Although legislative, compliance and security standards have evolved over time to deal with these new threats, the risks associated with data breaches are greater than ever. Financially speaking, a data breach can be devastating. The combined financial impact of the Home Depot and Target data breaches resulted in losses exceeding $550 million dollars. Given that costs such as lost future sales and brand damage are hard to quantify, the true loss could be far greater.
It’s become clear that data breaches can become a significant distraction to leadership. The Target breach resulted in multiple shareholder derivative lawsuits directed at members of the board, the CEO, CFO, and CIO. The lawsuits were eventually consolidated and ultimately dropped, but we can expect shareholders to increasingly hold c-suite and board members accountable when significant data breaches occur.
What’s the Problem With Cyber Security?
News stories often focus on “advanced threat actors,” who use advanced skills to find an organization’s one weak point, then make their way in over months or years, slowly expanding their reach until they strike. This makes a good story, but it also makes a good excuse — when a company spokesperson exaggerates the skill and persistence of the hackers, it diminishes the responsibility of the company.
Advanced threat actors are real, but hackers don’t have to work nearly as hard as you’d imagine. According to the 2016 Verizon Business Data Breach Report, of the 64,199 security incidents reviewed by researchers, the top three methods employed by attackers continued to exploit basic cyber security vulnerabilities. Leveraging every-day hacking techniques, commodity malware and human fallibility to compromise the crown jewels of more than 2,200 organizations.
What is going on here? If hackers are using basic tricks to compromise organizations, why are Yahoo!, the Office of Personnel Management, the Democratic National Committee and other high profile organizations continuing to announce high impact data breaches almost daily?
You’re Doing It Wrong!
Security can’t do their jobs for one simple reason: they’re not allowed to. They’re given inadequate information, access and resources. Information security governance is almost never integrated into core business practices and decisions, and the CISO may even be kept in the dark.
The 2016 Yahoo! data breach is a great case study in security management failure. Not only did the breach compromise the email accounts, personally identifiable information and hashed passwords of 500 million customers, it also put the company at risk of losing a pending acquisition valued at $4.8 billion dollars.
It’s been reported that the company identified the breach in 2014, but company officials elected to keep Yahoo! customers in the dark, for fear of further “churn” of email users, thus lowering the overall value of the company.
It could have gone differently. Yahoo! had a highly-motivated security team with some of the best professionals in the field. However, the team — called “the Paranoids” by the CEO and key leadership — was often kept in the dark about significant events that they should have been made aware of. The CEO denied requests for basic information building blocks such as intrusion detection and prevention systems. Not surprisingly, key security talent left for better paying and more productive pastures, and the rest is history.
Understanding Your CISO
You’re Asking the Wrong Cyber Security Questions
“What’s the ROI?”
This is the question I’m asked the most, and I promise other security professionals will tell you the same thing. We answer in different ways — with stats about breach costs, case studies, compliance penalties and so on. But there’s no good, concise answer, because it’s the wrong question.
To understand why, imagine you ran a warehouse. It takes time for workers to lock the door and turn on the alarm when they leave the warehouse, and you have to pay for that time. So what’s the ROI on that time?
It could be nothing — maybe you wouldn’t have had a break-in anyway. Or it could be the value of literally every single thing in that warehouse, and all the goodwill you’ve built up with your partners. It depends on who notices you’ve left the door unlocked, and what their intentions are. But either way, you need to lock the warehouse, because leaving it unlocked presents an unacceptable and unnecessary level of risk.
As a board member, you need to understand that the CISO lives in a complex and frustrating world. They have a technically complex job to reduce risk and prevent intrusion, but many of them get sidetracked fighting budgetary battles with CFOs asking the wrong cyber security questions. Yet when the company gets hacked because they can’t get funding or approval for a security initiative that doesn’t produce ROI, they’re still blamed.
Cyber Security Risk: How Your CISO Sees The World
Time and again, I’ve heard executives state that their organization isn’t “interesting enough” to be a target for cyber thieves. Board members need to recognize that, from the smallest of non-profits to the largest of defense contractors, every organization will experience a cyber security data breach of some sort. As long as your data has value, you’re plenty interesting.
If your organization maintains payroll, processes credit cards, stores personally identifiable data, transmits electronic patient healthcare records or is developing the next generation of pharmaceuticals, you have information a hacker could sell on the dark web. Even in the extremely unlikely case that your organization doesn’t maintain any of those things, you are still at risk of attackers using your IT infrastructure to conduct ongoing hacking and botnet campaigns against others.
The investments you make in security and compliance to a large part determine how much damage an attacker could cause your organization. Without understanding this basic measure of risk, it’s impossible to determine what a reasonable information security budget is.
Managing Risk and Driving the Discussion
All robust security programs leverage one of the established security controls frameworks, such as the CIS Top 20 Security Controls, the PCI Data Security Standard, HIPAA and ISO 27002. Each framework provides benefits and drawbacks.
Standards such as the PCI-DSS or ISO 27002 provide prescriptive guidelines to adhere to. HIPAA is intended specifically for healthcare organizations, is more risk oriented in nature, and — whether it was intended or not — provides little in the way of direct compliance guidelines with a few exceptions such as performing daily analysis of all system and security logs.
Your conversation with the CISO should be driven by a good understanding of the coverage of security controls deployed across the enterprise. Overall organizational adherence to whichever framework is used is relatively easy to communicate between both parties, and should provide a metrics driven approach to understanding current security readiness.
Discussions around controls frameworks should be augmented with an understanding of the current security controls maturity in your organization. The CISO should use the Capability Maturity Model to communicate the standardization and optimization of processes within security, from the initial level based on individual effort and ad-hoc, non-repeatable solutions to the optimizing level, incorporating continuous monitoring, feedback and improvement.
Combining these two models, your CISO can articulate the strengths and weaknesses of your current information security posture, and provide decision support to board members and executive staff.
Asking The Right Cyber Security Questions
Now that some context has been provided, it’s time to arm you with some questions to better aid the discussion when communicating with your CISO. These questions are meant to serve as a conversation starter, and should not be construed as an exhaustive list.
- When was the last risk assessment and/or controls review conducted, who performed it, and what were the findings?
- What security controls framework does the organization use, and why?
- What are our current strengths and deficiencies with respect to our cyber security requirements?
- What is our overall capability maturity level relative to the requirements, and how has that changed over time?
- What are the organization’s “crown jewels” and how are they aligned within ALL security controls?
- Does the security team have the necessary technical & human resources required to meet to the rigors of the standard?
- Which activities are best served with in-house staff, and which ones should leverage 3rd party experts or managed security services providers?
- What are the existing roadblocks to being successful with our security program?
- How can the Board be more effective at driving success in this area?
The Strategic Importance of Managed Cyber Security Services is Increasing
When it comes to the Fortune 1,000, a number of these companies are known to employ a dedicated CISO and associated staff to manage all aspects of information security. Many of these organizations leverage partners for various aspects of their security programs, including virtual CISO’s and managed security services partners.
This trend is expected to accelerate, as more organizations migrate to cloud solutions — particularly for IT management and security program requirements such as 24×7 security monitoring that are cost-prohibitive in-house. Indeed, companies moving towards public and private cloud providers are increasingly insisting on holistic Cyber security services as part of their IT management services portfolio.
At the end of the day, no matter whether in-house or external resources are leveraged, board members are responsible for controlling cyber security risks as well as costs. Effective communication between the CISO and the board is fundamental to a strategic and effective cyber security posture.