Guest post by Sam Kassoumeh, COO and co-founder of SecurityScorecard. A seasoned cybersecurity professional, he has been the Head of Security and Compliance at Gilt and led Global Security at Federal-Mogul. Sam has over 10 years of experience leading security teams. In this guest blog post, Sam offers a critical perspective of how CISOs should approach security.
The average total organizational cost of a data breach has grown to $7.01 million, according to the 2016 Ponemon Institute report on the cost of a data breach. The cost of lost business has risen to an average of $3.97 million per breach. Brand name after brand name are feeling the effects. Target, Sony Pictures, Anthem Health, LinkedIn, Dropbox, Yahoo, and a number of government organizations are unfortunate case studies of exploited security that has damaged their business and reputation. Companies that have not yet been attacked are worried they could be the next company in the news.
These high profile breaches have made security a top level concern for CISOs as well as CEOs, CFOs, COOs, and Board of Directors who are paying attention to the business impact of security. This apex-level concern for security has also given CISO’s a voice at the executive board level. This benefits CISOs as they can strive to align security and corporate strategy, and potentially drum up support for growth and expansion.
The bad news is that while the security conversation is becoming more strategic for the business, the confidence in the ability to stop attacks from occurring is weak at best. In a 2016 PWC Global Economic Crime Survey, over 88% of CEOs are concerned with cybersecurity and in a Deloitte Survey on Third Party Risk Management, over 73% of respondents believed that third parties will play a highly important or critical role in the year ahead. Unfortunately, despite the concern, over 90% of respondents have low to moderate levels of confidence in the tools and technologies used to manage third party risk. It is clear that security needs an updated approach to match the modern risk hackers and the third-party ecosystem are bringing to organizations and enterprises.
New approaches and strategies by all members of the C-level are needed to reorient the mindset of business units, technology teams, and the security behavior of employees. Here are three shifts in approaches CISOs can use right now to affect change.
Adapt From Within and Expand Security to the Partner Ecosystem
CISOs are inevitably accountable for the protection of data in their respective company. Traditionally, data lived only inside the four walls of our fortress, behind firewalls and 2-factor authentication, protected by encryption, monitored by systems and full-time employees which we trusted to hold the keys to the kingdom. The entire data center was under our control and our protection.
In today’s partner-based ecosystem, commerce isn’t executed in the isolation of the fortress, but thrives on the massively complex, interconnected, sometimes symbiotic network of B2B relationships. Business departments are taking advantage of the cost efficiencies and turn-key conveniences from cloud, mobile, and other innovative technologies. Developers carry around their company’s entire production source code on their laptop, and the mobile workforce now operates in a fully distributed model— no longer shackled to the cubicle.
This provides security leaders with a challenge, as they do not have the transparency, tools, and visible reach into the new security landscape beyond their four walls. How do you ensure that the third party partner ecosystem uses the same security standards that you use inside your corporate fortress? If a hacker has non-intrusively exfiltrated your data from a third party network, how can you find out and how do you respond?
The emerging operational habitat is decentralized, so we have to adapt. Data is now in systems that we do not own, cannot see, and cannot access. How can the CISO protect what they cannot see? Visibility is needed and collaboration is paramount.
Adopt a ‘Not If, But When’ Mindset with Security Breaches
One of the most striking discoveries from the 2016 Verizon Data Breach Investigations Report showed how quickly attackers accessed and exfiltrated a company’s data and how old the most commonly exploited vulnerabilities were. The report cites that in over 80% of breaches, attackers were able to infiltrate a target within minutes. And the most exploited vulnerabilities were originally published in 2007, showing that organizations aren’t keeping up with their security updates. To save face, security owners may not want to publically admit the difficulty in preventing a breach or successful attack, and many discover a breach only after it has occurred.
Digital operations are more dispersed than they have ever been, introducing new flaws, vulnerabilities, and security behavior stemming from a distributed third party ecosystem that you cannot control.
- How do you effectively achieve an accurate risk profile and risk mitigation strategy?
- How do you apply controls that see and understand the context of the decentralized habitat as it interacts with your partner ecosystem and internal infrastructure?
- Once a breach incident occurs and an intruder is inside your network, what are the steps to identify and isolate an intruder while also preventing them from obtaining your most valuable and sensitive data?
If an intruder leaks intellectual property, customer data, or employee data it may put you in jeopardy with regulators while also adversely affecting your company’s revenue targets or shareholders.
Protective layering, a technique of using multiple security measures and controls to achieve comprehensive security, helps but it might not be enough when authorized credentials bypass that layering. The volume of interconnected technologies and systems from external, third party sources combined with poor security behavior from your average employee make a hacker’s job of exploitation easy. After all, you’re only as strong as your weakest link.
Even with amazing fortress-protecting perimeter technologies supplemented by highly-competent security team talent, breaches are occurring at rates much higher than 10 or 15 years ago. The surface area of organizations has grown exponentially and CISOs need thick skin to accept this reality and shift their team’s mindset from complete prevention to rapid detection and remediation, a challenging endeavor. Companies need to educate business departments and employees, implement documented procedures, and establish rapid breach response protocols. And this needs to be accomplished actively and collaboratively within the company and with partners.
Recalibrate Security Communications for the Executive Audience
After the next major, highly publicized data breach of a major company, you should expect the CEO or executive board to ask the following question: “How secure are we?” Security tools are distributed, highly specialized, and communicate in a very technical language making security risk questions an incredibly hard question to answer in layman’s terms.
It is our duty to find an approach that executives can understand in a vocabulary and format that relates to larger corporate strategy and goals. Executives want business metrics that tell a story. How is our security posture compared to our peers? What are the historical security trends for our industry and ourselves? How secure were we a month ago versus today? How secure are our business partners that we are connected to? It’s important to be able to answer these questions without getting too technical.
Here are some concrete communication ideas CISOs should deploy:
Themes to Deliver
- Advocate for security awareness and education for employees and the company as a whole
- Jointly define and refine the acceptable risk threshold
- Highlight deltas between current posture and risk maturity level goals
- Establish cyber risk preparedness
- Instill C-level security ownership
- Review cost-effective security technologies
- Be transparent about current posture and future goals
- Show actions being taken to improve risk posture
What Not to Deliver
- A false sense of security
- Reports and messages full of FUD (fear, uncertainty and doubt)
- Technically-heavy messages or jargon filled communications
- Messages about vulnerabilities or risks that do not show the business impact
We as CISOs are very good at tracking and presenting our own security operations through technical metrics, security KPIs, and the like, but they do not tell the kind of story that executives are expecting to hear. We can begin by comparing ourselves to our industry and competition, and benchmark ourselves to our peers. CISOs who understand this have learned how to put the right business lens on their reporting and communications, and use it to their advantage to secure budget and stay aligned with company priorities. CISOs should target the biggest security concerns and state any business risks clearly.
Information such as the cost of lost customers, damage to share price, and other risk-based factors that will help executives understand security as a business issue should be included. The goal of a CISO should be to provide perspective, insight, and actionable information to the board.
SecurityScorecard is a continuous risk monitoring and security ratings platform that allows users to understand the security risk of doing business with any organization. To request a demo of the platform, click on the button below.