Visionaries and innovators, historically, must find a common language to support their futuristic ideas. Long recognized as a financial innovator, Alexander Hamilton was also a technological visionary. In his 1791 Report on Manufactures, Hamilton argued that enabling the manufacturing base would benefit the agricultural community by creating a demand for an increased food supply. Hamilton’s report additionally reflected on the global economy manufacturing created through international trade. His report described an ecosystem in which stakeholders rely on one another for goods and services. His innovative approach to technology as a catalyst for an economic ecosystem security mirrors the information security community’s approach to cyber resilience. Security professionals, like Hamilton, need to find a way to bridge the knowledge and skills gap by creating a shared vocabulary that fosters cybersecurity improvements across an entire ecosystem of organizations.
Why Does the Board Use a Different Language from Security Practitioners?
The Board of Directors approaches security from a business perspective not a technological one. Security professionals, like Hamilton, need to find the point of entry for their boards. When Hamilton approached Congress, he began by arguing that agriculture's importance was undeniable but that manufacturing would prove to support farmers rather than harm them. He fostered the relationship by approaching his audience using their language and then explaining how technology would enable them. Farmers used manufacturers for textiles, and manufacturers used farmers for food. These technologically focused supply stream issues have always existed, just the threats and language evolve.
CISOs must become the Alexander Hamilton for their boards and c-suites. CISOs who create and foster relationships with the rest of the c-suite can help develop the shared language that supports protecting the organization. As a CISO, I regularly scheduled informal lunch appointments with our General Counsel. These conversations established a personal relationship creating a shared vocabulary which allowed us to help each other achieve our professional goals. As a result, he created a checklist for reviewing contracts that made his job easier and ensured that the security team reviewed vendor contracts which helped mitigate third-party risk.
How do you foster dialogue within the ecosystem?
Within the ecosystem, the shared vocabulary becomes more important. Your board of directors and c-suite recognize the risks to their environment and protect it; however, the supply chain of vendors poses new risks. Large, established organizations may have more resources to protect data assets, but lean startups may provide a better business solution. Large organizations may be more likely hacker targets, but agile iterations may lead to vulnerabilities throughout the application development process. Different vendor business solutions, sophistication, risks, and mitigation capabilities make conversations between internal and external stakeholders difficult throughout the third-party life cycle.
In security, we know to “trust but verify.” Open-Source Intelligence (OSINT) allows an organization to look at their vendors from the outside. By reviewing the publicly available information about a vendor’s information environment, organizations can verify their vendors’ controls to mitigate external threats. Unfortunately, OSINT inherently comes with two problems. First, it requires reviewing individual IP addresses which proves cumbersome as you add more vendors to enable business operations. Second, the language of OSINT makes conversations within the ecosystem difficult.
For example, a CISO may note that a single IP address is sending a large number of packets to a vendor’s firewall. The Chief Risk Officer and Compliance Manager need to hear that the IT department noticed a malicious attacker trying to gain access to data which could lead to over $2 million in remediation costs and $20,000 in regulatory penalties. Bridging the language gap means your vendor compliance manager can contact the vendor to request remediation to maintain the contractual relationship. This builds stronger vendors and stronger ecosystem security.
“Security ratings” bridge the gap between security professionals and business leaders by helping them find a common vocabulary. Security rating services focus on analyzing publicly available information about an organization and assigning a rating to the company’s security posture. For example, analyzing an organization’s landscape can show outdated software that hackers can exploit or open ports that indicate a firewall malfunction. Security professionals need to know the specific issue to alert the vendor’s IT department. Business leaders need the risk associated with that vulnerability, not the details of the technology. By assigning an easy to understand metric to a risk type, security ratings translate technology to business. An organization that scores below average for updating software is at an above average risk for a data breach.
As more CISOs use security ratings, their boards and vendors will recognize the value of security ratings in easing the conversation barrier. As more decision makers and visionaries share the enabling language, the use will spread. Security professionals, therefore, need to start the conversations to enable a universal security business vocabulary.
Like Hamilton, security leaders seek to lead the information security revolution by enabling all organizations, regardless of size, to bridge the language and skills gaps that lead to data breaches. Ultimately, their leadership may benefit the entire ecosystem by improving the cybersecurity health of many organizations.