Cybersecurity Leadership Role A Sweet Spot for the CISO

Cybersecurity has traditionally been a subject only a few executives were expected to understand. However, as additional security concerns are spreading across businesses, cybersecurity now concerns all members of the C-Suite. For example:

  • The chief financial officer needs to ensure secure transactions between financial institutions or business partners.
  • The chief marketing officer needs to master how to securely leverage digital and social media without putting the organization at risk.
  • The chief human resources officer needs to know that digital recruiting processes are secure and personal data won’t be compromised.

Cybersecurity concerns and capabilities for each managing function should be harmonized under companywide priorities and principles. This presents new opportunities for the Chief Information Security Officer (CISO). To get to this point, the organization needs to establish these key processes:

  1.  The CISO needs to interact directly with all C-Suite members.
  2.  The C-Suite needs to agree on what the company wants to protect from a holistic perspective.
  3.  The CISO needs to facilitate these discussions.

To facilitate these critical conversations in the C-Suite, the CISO should be prepared to ask the following questions:

  • What are the crown jewels we want to protect with the highest priority?
  • What are the business consequences if those crown jewels are stolen?
  • How much are we willing to invest to mitigate those risks?

Integrating cyber-resilience solutions

Across an organization, there can be many solutions that address cyber resilience. A technology solution could be managed security services; a financial solution could be cyber insurance; an operational solution could be a Computer Security Incident Response Team (CSIRT); a legal solution could be fiduciary actions based on the advice of attorneys.

The key is to integrate these solutions into a cybersecurity strategy that supports the business priorities of the company. Many companies have not defined and assigned a person to lead that effort. This is a new space in corporate business management—and a new opportunity for the CISO.

Conclusion

By taking on the cybersecurity leadership role in the C-Suite, a CISO can develop and drive a cybersecurity strategy that becomes a comprehensive and integrated package, rather than an aggregation of independent tactics. It can be owned by the entire C-Suite and woven into the companywide business strategy. This will help to reduce risk and improve cyber resilience.

Source: https://www.securityroundtable.org/cybersecurity-leadership-role-sweet-spot-ciso/

The Yahoo Lesson for CEOs: Bring your CISO into the Boardroom

If you view your CISO as a techno-nerd, capably managed by the CIO and therefore someone the board doesn’t need to make time for, think again.

Poor cybersecurity poses an existential threat to your business. That makes it a board-level matter which demands close attention and priority resourcing. You undervalue your gatekeeper at your peril.

Cybersecurity is an operational issue, not an IT one, so your security mastermind must be established, accountable, and independently funded. Delegation can be dangerous when it comes to responsibility for security breaches: just ask former Yahoo CEO Marissa Mayer.

It is now just a year since Yahoo reported two major hacks, one in 2013 and one in 2014, which together compromised 1.5 billion customer accounts. The delay in disclosing them, which is still under investigation by the Securities and Exchange Commission (SEC), exacted a heavy price. The company’s share price dropped immediately and plunged the Verizon takeover deal into uncertainty, while Mayer forfeited her annual bonus and stock award.

Where did Yahoo go wrong?

Yahoo made a series of fundamental errors which exposed the company to attack in the first place and then compounded the damage. In short, cybersecurity was not on the C-Suite’s agenda because the people at the top fatally underestimated the destructive potential of a hack.

Firstly, Yahoo took too long to hire a CISO, and then the company failed to bring its security specialist into the inner circle, meaning some top-level decisions are likely to have been ill informed. For example, the CISO may not have been told about a secret program Yahoo installed on behalf of the government to scan users’ emails.

If a company sees cybersecurity as a business barrier instead of the business enabler it should be, then the CISO will inevitably be well down the pecking order for resources. Switch the thinking and you transform the CISO from a hindrance into a potent business asset.

The mind-set was simply wrong at Yahoo. Despite multiple vulnerabilities being noted by internal security teams, there was no appetite or financial backing for controls to be put in place. Some data was encrypted using secure algorithms while other data was plaintext or insecure, and the company also lagged behind other Silicon Valley heavyweights in implementing technologies such as end-to-end encryption and bug bounty programs.

Then, when the first attack was discovered, users were not immediately forced to change passwords. This is a prime example of the company’s poor attitude to cybersecurity. The SEC and the public were kept in the dark for two years. There was no action plan to contain the damage, no investigation to learn the lessons, and no communications strategy to protect consumer confidence.

Four lessons for industry

  • IT security needs proper investment and commitment from the board. Just because you have appointed a CISO, it does not mean you can ignore the issue. Empower your CISO to protect the organization.
  • Conduct detailed IT security due diligence during any takeover. You are buying data assets along with a company and you need to know whether any lax security might come back to bite you.
  • Tell users and the authorities about any security breach at the earliest opportunity. Not only is that the ethical thing to do, but breach-notification rules in most jurisdictions demand it.
  • Own the problem. Taking responsibility and communicating effectively can save a great deal of pain and ensure that reputational damage is minimized.

How safe is your organization?

The easiest way to determine whether your company has a healthy cybersecurity culture is to look at where the CISO sits in the organization.

When a CISO reports directly to the CEO, the C-Suite has a better understanding of the issues, is better invested in minimizing the risks and planning damage limitation, and therefore less likely to fall foul of a Yahoo-style scenario.

You also avoid any conflict of interest between the team responsible for implementing IT projects and the specialists charged with protecting the organization.

  • Choose a CISO who can articulate business risk
  • Make room for the CISO at the top table
  • Resource the role properly
  • Have a clearly defined action plan in case of a breach

Cybersecurity is a business risk, so treat it like one.

 Senior Consultant at Mason Advisory

Source: https://www.infosecurity-magazine.com/opinions/yahoo-lesson-ceo-ciso-boardroom/

The CISO’s Guide to Managing Insider Threats

Critical digital and physical assets are becoming increasingly vulnerable due to accelerated connectivity, differing global regulatory requirements, joint ventures and business partnerships and security weaknesses within complex multinational supply chains. These factors have led to a rise in insider threats for enterprises across all industries.

An insider threat is the risk posed by anyone with legitimate access to a company’s network, systems or data, whether an employee, a contractor or a third-party vendor. Some insiders deliberately compromise sensitive corporate data for monetary gain or out of spite; others do so accidentally through negligence or lack of awareness.

According to the “2016 Insider Threat Report” by Crowd Research Partners, 75 percent of survey respondents estimated that remediating an insider incident cost their companies up to $500,000 in 2016, while the remaining 25 percent put the cost above that figure. The study also found that 74 percent of organizations felt vulnerable to insider threats; of those, 7 percent described themselves as “extremely vulnerable.”

Common Behavioral Indicators

The most common root cause of insider incidents is lack of awareness rather than malice. For instance, employees with strong IT skills often create workarounds to technology obstacles. When employees use their own personal devices to access work email, they often open new gaps in the organization’s physical security processes and IT systems.

The chief information security officer (CISO) must be aware of these patterns in order to detect suspicious activity, which requires a holistic and layered approach to user behavior analytics (UBA). The following are examples of behavioral indicators:

  1. Downloading substantial amounts of data to external drives;
  2. Accessing confidential data that is not relevant to a user’s role;
  3. Emailing sensitive information to a personal account;
  4. Attempts to bypass security controls;
  5. Requests for clearance or higher-level access without need;
  6. Frequently accessing the workspace outside of normal working hours;
  7. Irresponsible social media behaviors;
  8. Maintaining access to sensitive data after termination;
  9. Using unauthorized external storage devices;
  10. Visible disgruntlement toward employers or co-workers;
  11. Chronic violation of organization policies;
  12. Decline in work performance;
  13. Use of mobile devices to photograph or otherwise record computer screens, common work areas or data centers;
  14. Excessive use of printers and scanners;
  15. Electronic communications containing excessive use of negative language;
  16. Installing unapproved software;
  17. Communication with high-risk current or former employees;
  18. Traveling to countries known for intellectual property (IP) theft or hosting competitors;
  19. Violation of corporate policies;
  20. Network crawling, data hoarding or copying from internal repositories;
  21. Anomalies in work hours;
  22. Attempts to access restricted areas;
  23. Indications of living beyond one’s means;
  24. Discussions of resigning or new business ventures; and
  25. Complaints of hostile, abnormal, unethical or illegal behaviors.

Remediation Pain Points

Insider threats are costly to remediate because they are very difficult to detect. A thorough investigation often requires companies to hire forensic specialists to determine the extent of a breach. It is also challenging to distinguish malicious activity from regular day-to-day work. For example, users who have elevated access privileges interact with sensitive data as part of their normal jobs, so it can be virtually impossible to determine whether their actions are malicious or benign.

Users who have elevated access privileges can also cover their tracks by deleting or editing logs, impersonating another user, or using a system, group or application account. For this reason, audit logs should be forwarded promptly to a separate, append-only store that the administrators being monitored cannot modify. Proving guilt is yet another pain point, since offending users may claim ignorance or human error.

Steps to Combat Insider Threats

Most organizations lack procedures for dealing with internal threats, and traditional security architectures leave little room for them. Security infrastructure is built primarily to keep outside attackers from entering the network undetected, on the false assumption that anyone granted internal access in the first place can be trusted.

To properly account for and remediate insider threats, organizations must establish a comprehensive, risk-based security strategy that includes the following four elements:

1. Information Governance

It is of paramount importance to protect critical data assets from insider threats. Information governance, that is, knowing what data exists, where it lives, who owns it and how sensitive it is, supplies the business intelligence that drives security policies and controls. This improves risk management and the coordination of information management activities, and gives organizations a foundation for a risk-based approach to protecting their most valuable assets and putting sound data management procedures in place.

2. Advanced Forensic Data Analytics

User behavior analytics (UBA) tools are indispensable for detecting and anticipating insider threats. These solutions baseline each user’s normal activity against that user’s own history and that of a peer group, apply statistical and machine-learning models to flag deviations, and generate risk rankings across the user population so that investigators can focus on the highest-risk users first.
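As an added illustration of how such analytics turn the behavioral indicator list above into a per-user risk ranking, the following is example code written for this page, not tooling from the original article. It scores four of the listed indicators (bulk copies to removable media, access outside the user’s role, confidential mail sent to a personal account, and off-hours activity) over a constructed audit log, judging data volume against a peer-group baseline rather than a fixed number only. Every user, event, domain list, threshold and weight in it is an assumption made for the example.

```python
"""Toy user behavior analytics (UBA) scorer over a constructed audit log.

Added example for this page, not code from the original article. It scores
four of the behavioral indicators listed above and ranks users by risk; every
user, event, threshold and weight below is a made-up assumption.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed directory data: which department each user belongs to.
USERS = {"alice": "engineering", "bob": "engineering",
         "carol": "finance", "dave": "engineering"}

PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}
WORK_HOURS = range(7, 20)            # 07:00-19:59 on a weekday is "normal"
REMOVABLE_FLOOR_BYTES = 500 * 2**20  # ignore removable-media copies under 500 MiB
OFF_HOURS_THRESHOLD = 3              # this many off-hours events raises a flag

# Weights per indicator, numbered as in the list above.
INDICATOR_WEIGHTS = {
    "bulk_removable_copy": 40,    # 1 and 9: large copies to external drives
    "out_of_role_access": 25,     # 2: confidential data outside the user's role
    "sensitive_to_personal": 30,  # 3: sensitive mail to a personal account
    "off_hours_activity": 15,     # 6 and 21: anomalies in working hours
}

# Constructed audit events (ISO timestamps; 2024-03-04 is a Monday).
EVENTS = [
    {"user": "alice", "ts": "2024-03-04T10:12:00", "type": "file_access", "owner": "engineering"},
    {"user": "alice", "ts": "2024-03-04T11:40:00", "type": "copy", "dest": "usb", "bytes": 120 * 2**20},
    {"user": "bob",   "ts": "2024-03-04T09:05:00", "type": "file_access", "owner": "engineering"},
    {"user": "bob",   "ts": "2024-03-04T09:30:00", "type": "copy", "dest": "usb", "bytes": 80 * 2**20},
    {"user": "carol", "ts": "2024-03-04T14:00:00", "type": "file_access", "owner": "finance"},
    {"user": "carol", "ts": "2024-03-04T14:10:00", "type": "email", "to": "auditor@firm.example",
     "classification": "confidential"},
    {"user": "dave",  "ts": "2024-03-04T02:15:00", "type": "file_access", "owner": "finance"},
    {"user": "dave",  "ts": "2024-03-04T02:20:00", "type": "file_access", "owner": "finance"},
    {"user": "dave",  "ts": "2024-03-04T02:40:00", "type": "copy", "dest": "usb", "bytes": 6 * 2**30},
    {"user": "dave",  "ts": "2024-03-05T23:10:00", "type": "email", "to": "dave.home@gmail.com",
     "classification": "confidential"},
]


def is_off_hours(ts: str) -> bool:
    """True for weekend activity or weekday activity outside WORK_HOURS."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or t.hour not in WORK_HOURS


def score_users(events=EVENTS, users=USERS):
    """Return {user: {"score": int, "indicators": {name: evidence}}}."""
    hits = {u: {} for u in users}
    removable_bytes = defaultdict(int)
    off_hours_count = defaultdict(int)

    for e in events:
        u = e["user"]
        if u not in hits:
            continue  # unknown principal; a real system would flag this too
        if is_off_hours(e["ts"]):
            off_hours_count[u] += 1
        if e["type"] == "copy" and e.get("dest") == "usb":
            removable_bytes[u] += e["bytes"]
        elif e["type"] == "file_access" and e["owner"] != users[u]:
            hits[u].setdefault("out_of_role_access", []).append(e["owner"])
        elif e["type"] == "email":
            domain = e["to"].rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_DOMAINS and e.get("classification") == "confidential":
                hits[u].setdefault("sensitive_to_personal", []).append(e["to"])

    # Peer baseline: a user's removable-media volume is judged against the
    # median of colleagues in the same department, not only a fixed number.
    for u in users:
        peers = [removable_bytes[p] for p in users if users[p] == users[u] and p != u]
        baseline = median(peers) if peers else 0
        vol = removable_bytes[u]
        if vol >= REMOVABLE_FLOOR_BYTES and vol > 10 * baseline:
            hits[u]["bulk_removable_copy"] = {"bytes": vol, "peer_median": baseline}
        if off_hours_count[u] >= OFF_HOURS_THRESHOLD:
            hits[u]["off_hours_activity"] = off_hours_count[u]

    return {u: {"score": sum(INDICATOR_WEIGHTS[k] for k in ind), "indicators": ind}
            for u, ind in hits.items()}


def risk_ranking(events=EVENTS, users=USERS):
    """(user, score) pairs from highest to lowest risk; users scoring 0 are omitted."""
    scored = score_users(events, users)
    ranked = sorted(scored.items(), key=lambda kv: kv[1]["score"], reverse=True)
    return [(u, s["score"]) for u, s in ranked if s["score"] > 0]


if __name__ == "__main__":
    scored = score_users()
    for user, score in risk_ranking():
        print(f"{user:<6} {score:>3}  {sorted(scored[user]['indicators'])}")
```

On the constructed log only dave scores: 6 GiB to a USB drive against a peer median of 100 MiB, two reads of finance data from an engineering account, a confidential attachment sent to a webmail address, and four events in the middle of the night. In a real deployment the peer groups and thresholds would be learned from weeks of history rather than hard-coded, and the scorer must read from log copies that the privileged users under review cannot edit.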

3. Incident Response and Recovery

External and insider breaches have their own nuances, but their impacts are similar, so both should be handled by the same incident response program, planned in advance of a major breach. Organizations must build as strong an insider threat program as possible and make sure the incident response plan explicitly covers the insider case, including how evidence is preserved and how the subject’s access is revoked.

4. Legal Considerations

An insider threat program cannot succeed without careful legal and regulatory consideration. For example, privacy laws governing employee monitoring vary across national boundaries. In the U.S., the Electronic Communications Privacy Act (ECPA) allows employers, under certain provisions, to monitor their employees’ emails and other electronic communications. The member states of the European Union (EU), consistent with the European Convention on Human Rights, followed the Data Protection Directive, which regulated how organizations within the EU process personal information; it has since been replaced by the General Data Protection Regulation (GDPR), which applies from 25 May 2018 and imposes stricter requirements on employee monitoring.

A Cross-Organizational Challenge

Combating insider threats is an organizational issue that crosses people, processes and technology and requires a detailed understanding of the organization’s assets and security posture. It also demands a clear separation of duties, continuous monitoring of employee behaviors and a formal insider threat program that includes IT, human resources, legal and all other business groups. With the proper resources in place, a CISO can gather the actionable intelligence needed to thwart internal attacks and gain visibility into the highest-risk users.

George Moraetes

Source: https://securityintelligence.com/the-cisos-guide-to-managing-insider-threats/

Need a CISO? Then Have Good Answers to These Four Questions

Demand for top-level security professionals continues to exceed supply. Recent data from the job site Indeed shows that “severe cyber security skills shortages persist in every country.” In fact, in only two countries—the U.S. and Canada—does the supply of job seekers exceed even 50% of employer demand.

In this environment, the best security professionals can be selective in choosing where to apply their talents. It is, therefore, important for corporate management and board members to get inside the heads of these leaders and understand what factors make them satisfied and successful in their jobs.

To help, we have identified four overarching questions CISO candidates typically ask when evaluating an opportunity. As you look at the questions below, it is worth thinking about how your organization stacks up—and what actions you might be able to take to make improvements.

  • “Who is my sponsor and how much influence does he or she have?”

This is likely to be the first question on the CISO candidate’s mind, and he or she is thinking about this issue in at least two specific ways. First, while the CISO is likely to have some interaction with the board and C-suite, there will still be many conversations that affect the information-security function to which the CISO will not be privy. As a result, the CISO will have to rely on his or her supervisor to act as an effective intermediary in advocating for resources and policy initiatives and in educating the board and CEO on information security issues as they unfold. Second, when the CISO needs to take an unpopular position to strengthen an organization’s information security profile, he or she must be confident that there will be support in high places.

  • “How deep is the organization’s commitment to information security?”

This is more than a question of staff and budget allocation, although those elements are certainly important. The CISO wants to know that the C-suite and the board appreciate the complexity and uncertainty at the core of the information-security function and the need to make everyone in the organization—top to bottom—responsible for security. For the CISO to be successful, he or she must be empowered to act and be armed with the necessary resources to deploy, both in times of normalcy and crisis. Although the CISO expects organizations to have high standards, he or she will avoid enterprises that reflexively cycle through security teams.

  • “What key performance indicators will I be measured against?”

Given that every large organization must assume that it is continually under cyberattack, it follows that security breaches are a matter of not “if,” but “when.” Therefore, it is not realistic for a company to hold its CISO to a “one strike and you’re out” performance benchmark. The conversation about expectations is just as important as those about resources, reporting lines, and compensation.

  • “Where will I be in five years?”

Those who lead the information-security function are like other functional leaders in their range of career ambitions. For some, the opportunity to lead the function at a quality organization is the goal; others, however, are looking ahead to a CIO role or even a broader position in organizational leadership. It is important to understand each candidate’s desires vis-à-vis what the organization can offer. Remember that the CISO’s reporting relationship will be one factor that frames this issue in his or her mind.

Conclusion

In today’s environment, board members cannot afford to be complacent in their oversight of cybersecurity issues, and in particular in helping the organization hire the right people for its most critical positions. A big step is to understand the issues that matter most to today’s CISOs.

Source: https://www.securityroundtable.org/need-ciso-good-answers-four-questions/

The Emerging Role of the Chief Information Security Officer in the C-Suite

Today, no business executive would disagree with the statement that cybersecurity is a business issue, not just a technology issue. An increasing number of businesses and governments experience cyber incidents, and the way they handle such incidents can have a significant effect on their reputation.

A cyber incident can cause several kinds of damage to a company. One is damage to business continuity: if a company’s IT or operational systems are compromised, the company may have to decide to halt operation of those systems. The second is loss of stakeholder trust. Today, business transactions are conducted on the assumption that the information companies provide is accurate and reliable. If a company’s IT or operational systems are compromised, information is manipulated and the company cannot guarantee the integrity of the information it provides, it can no longer be regarded as a trusted business partner.

Along with this, digital innovation is emerging as a new reason why cybersecurity is a business issue. Many innovations are taking place in all parts of the world in the form of AI, big data, robotics, fin-tech, biometrics, etc. Unless a company is digitally secure, it cannot internalize digital innovations into its business system and leverage them for value creation. In the age of digital innovations, cybersecurity is becoming an imperative for business growth, presenting a new challenge for the C-Suite.

Cybersecurity has traditionally been a topic that only a few executives are expected to understand. However, as additional security concerns spread across a business, cybersecurity is now a topic that concerns all members of the C-Suite. For example:

  • A Chief Financial Officer needs to ensure secure transactions between financial institutions or business partners.
  • A Chief Marketing Officer needs to master how to ensure cybersecurity in marketing activities via digital and social media, and
  • A Chief Human Resources Officer needs to ensure that digital recruiting processes are secure in a competitive market.

A New Opportunity for the CISO

How cybersecurity is addressed with regard to each managing function needs to be harmonized under company-wide priorities and principles. This presents a new opportunity for Chief Information Security Officers (CISOs). Traditionally, a CISO has been a supporting role for the Chief Information Officer or the Chief Risk Officer. However, a CISO now needs to interact directly with all C-suite members. The C-Suite needs to agree on what the company wants to protect from a holistic perspective, and the CISO needs to facilitate these discussions.

To facilitate these discussions, a CISO should ask the C-suite the following questions:

  • “What are our crown jewels that we want to protect with top priority?”
  • “What are the business consequences if those crown jewels were damaged?”
  • “How much investment are we willing to make to mitigate those risks?”

Across an organization, there are many solutions that contribute to cyber resilience. A technology solution might be managed security services. A financial solution might be cyber insurance. An operational solution might be a Computer Security Incident Response Team (CSIRT) or employee training. A legal solution might be fiduciary actions based on a lawyer’s advice. The key is to integrate these solutions into a cybersecurity strategy that supports the business priorities of the company. In many companies, nobody has been assigned to lead this effort. This is a new space in corporate business management and a new opportunity for the CISO. By taking on such a role, a CISO can have a company-wide impact: the cybersecurity strategy becomes a comprehensive and integrated package rather than an aggregation of independent tactics, owned by the entire C-suite and woven into the company-wide business strategy.

Source: https://www.securityroundtable.org/the-emerging-role-of-the-chief-information-security-officer-in-the-c-suite/
