Empowering Executives with Security Effectiveness Evidence

After decades of presentations and prayers, security has finally become a business imperative for executives and boards alike. Business leaders are speaking publicly about championing security investments, as it’s important for shareholder value and future expectations. In fact, evidence-based security effectiveness measures are finding their way into annual reports (10-Ks), committee charters, and corporate governance documents.

Because of the spotlight that is on security, your business leaders are demanding security effectiveness evidence from you. This evidence is similar to the data-driven measurements and KPIs seen in other strategic business units such as shareholder return, client assets, financial performance, client satisfaction, and loss-absorbing resources.

Your leaders are making decisions predicated on these non-security measures every day to increase value for their shareholders, address stakeholder requirements, and mitigate business risks. Security is simply another variable in the business risk equation. In fact, your security program isn’t about security risk in and of itself, but rather, the financial, brand, and operational risk from security incidents.

One area where the need for security effectiveness evidence is most obvious is rationalization. For example, many auditors no longer ask, “Do you have security tools in place to mitigate risk?” because the answer is always, “Yes, but we need more tools, training, and people anyhow.” Now auditors are asking for rationalization in terms of, “Can you prove, with quantitative measures, that our security tools are adding value? And can you supply proof regarding the necessity for future security investment?”

This evidence-based, rationalization methodology, often characterized as security instrumentation, aligns with the reality that your organization has finite resources to invest in security and that all investments need to be prioritized. Every dollar invested in security is a dollar not applied to other imperatives.

Measuring your security effectiveness: where you’ve been
The sad truth is that most security effectiveness measures are assumption-based instead of evidence-based. Because of a lack of ongoing security instrumentation, you assume your tools and configurations are doing what is needed and that incident response capabilities are a well-choreographed integration of people, processes, and technologies. You know that assumption-based security is flawed. But historically, you haven’t had a way to empirically measure security effectiveness. You get some value from penetration testing, the endless march of scan-patch-scan, surveys, and return on security investment calculations, but these approaches don’t truly measure your security effectiveness. As a result, your business leaders are relying on incomplete or inaccurate data to make their decisions.

Where you need to be
You need to know if your security tools are working as intended. Once they are, you can optimize those tools to get the most value, rationalize, and prioritize where greater investment is required, and retire tools no longer needed. Then you can monitor for environmental drift so that when a tool is no longer working as needed, you are alerted to the drift and how to fix it. Finally, from a leadership perspective, your team can consider security effectiveness measures when calculating the business risks.

How to get there
By safely testing your actual production security tools with security instrumentation solutions (not scanning for vulnerabilities, not looking for unpatched systems, and not launching exploits on target assets, but testing the efficacy of the security tools protecting your assets), you can start measuring the security effectiveness of individual tools as well as security effectiveness overall. When gaps are discovered, you can use prescriptive instrumentation recommendations to address those gaps. Then you can apply configuration assurance to retest the security tools and validate that the prescriptive changes implemented produced the desired outcome. Once your security tools are in a known good state, automated testing can continue validation in perpetuity, alerting you when there is environmental drift.
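The loop just described, validate controls, establish a known good baseline, and alert on drift, can be reduced to a small scoreboard. The block below is an added illustration, not Verodin's product or the author's code; the controls, test IDs and outcomes are constructed sample data standing in for the results an instrumentation platform would record.

```python
"""Control-validation scoreboard: per-tool effectiveness and drift detection."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ValidationResult:
    control: str   # production security tool under test (constructed names)
    test_id: str   # benign test behaviour replayed against that tool
    expected: str  # outcome the tool should produce: "block", "alert", "quarantine"
    observed: str  # outcome actually recorded ("none" = tool did nothing)

    @property
    def passed(self) -> bool:
        return self.expected == self.observed


def effectiveness(results: List[ValidationResult]) -> Dict[str, float]:
    """Pass rate per control plus an 'overall' figure across all tests."""
    totals: Dict[str, int] = {}
    passes: Dict[str, int] = {}
    for r in results:
        totals[r.control] = totals.get(r.control, 0) + 1
        passes[r.control] = passes.get(r.control, 0) + int(r.passed)
    scores = {c: passes[c] / totals[c] for c in totals}
    scores["overall"] = sum(passes.values()) / sum(totals.values())
    return scores


def detect_drift(baseline: List[ValidationResult],
                 current: List[ValidationResult]) -> List[Tuple[str, str, str]]:
    """Tests that passed in the known-good baseline but fail now.

    A test that already failed in the baseline is a known gap, not drift,
    so it is deliberately excluded here.
    """
    known_good = {(r.control, r.test_id) for r in baseline if r.passed}
    return sorted((r.control, r.test_id, r.observed)
                  for r in current
                  if (r.control, r.test_id) in known_good and not r.passed)


# Constructed sample data: the baseline captured after tuning, and a later run.
BASELINE = [
    ValidationResult("egress-proxy", "T1", "block", "block"),
    ValidationResult("egress-proxy", "T2", "alert", "none"),  # known gap
    ValidationResult("edr", "T3", "quarantine", "quarantine"),
    ValidationResult("edr", "T4", "alert", "alert"),
    ValidationResult("email-gateway", "T5", "block", "block"),
]
CURRENT = [
    ValidationResult("egress-proxy", "T1", "block", "block"),
    ValidationResult("egress-proxy", "T2", "alert", "none"),
    ValidationResult("edr", "T3", "quarantine", "none"),  # regressed: drift
    ValidationResult("edr", "T4", "alert", "alert"),
    ValidationResult("email-gateway", "T5", "block", "block"),
]

if __name__ == "__main__":
    for label, run in (("baseline", BASELINE), ("current", CURRENT)):
        print(label, {k: f"{v:.0%}" for k, v in effectiveness(run).items()})
    for control, test_id, observed in detect_drift(BASELINE, CURRENT):
        print(f"DRIFT: {control} {test_id} now observed={observed}")
```

The per-control figures are the evidence that rationalizes each tool, and the drift list is the alert that the known good state has been lost.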

The end result of security instrumentation is security effectiveness that can be measured, managed, improved, and communicated in an automated way. Your security teams are armed with evidence-based data that can be used to instrument security tools, prioritize future investments, and retire redundant tools. This newfound ability to communicate security effectiveness and trends based on actual proof allows your decision-makers to incorporate security effectiveness measures when making business decisions.

Author’s note: Brian Contos is the CISO & VP Technology Innovation at Verodin. He is a seasoned executive with over two decades of experience in the security industry, board advisor, entrepreneur and author. After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, he began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee and Solera Networks. Brian has worked in over 50 countries across six continents. He has authored several security books, his latest with the former Deputy Director of the NSA, spoken at leading security events globally, and frequently appears in the news. He was recently featured in a cyberwar documentary alongside General Michael Hayden (former Director NSA and CIA).

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1060

Avoiding the Security Pitfalls of Digital Transformation

By 2020, 60 percent of enterprises will be implementing a digital transformation strategy as they seek to leverage technologies such as cloud and software-defined infrastructures. However, as they embark on a digitization journey, too many are ignoring security risks that could bite them back later.

Earlier this year, telecommunications giant AT&T developed a cybersecurity report based on interviews with 15 subject matter experts, including several (ISC)² members, to determine who holds responsibility for this transformation process. The report cautions organizations to be sure they evaluate and update their defense systems before implementing digitization plans. “Security models are changing as infrastructure goes virtual. If the number of cyberattacks in the news points to any one pattern, it’s that companies are grappling with how to secure their businesses from ‘edge-to-edge,’ across their endpoints, networks and cloud services,” the report says.

Some companies are taking a short-term approach to cybersecurity by overly relying on cyber insurance. “More than a quarter (28 percent) of organizations see cyber insurance as a substitute for cyber defense investment, rather than as one component of a multi-layered cybersecurity strategy.”

While cyber insurance can address the immediate impact of a breach, it cannot prevent long-term reputational damage. Instead, organizations should take a more balanced, comprehensive approach that includes layered security implementations and help from third parties where appropriate.

The report points out that U.S. companies are the least confident in their in-house security, according to the AT&T 2017 Global State of Cybersecurity survey, with 56 percent of U.S. respondents expressing confidence, compared to 70 percent in EMEA and 72 percent in APAC.

Security Steps

Properly planning for digital transformation requires several steps. The first is to gain an understanding of all security implications and then come up with a plan to address them. Organizations need a solid understanding of the security controls they have in place to determine if they are appropriate as their infrastructures evolve to include software-defined systems and Internet of Things (IoT) devices.

Then they should address whatever gaps they identify through a multi-layered security strategy and advanced security measures. For instance, it makes sense to virtualize security to replace simple firewalls with advanced web filtering and data loss prevention, the report suggests.

Another recommendation is to get buy-in not only from the top but also across the entire enterprise. For one thing, it’s important to recognize that the CFO is often the executive in charge of digital transformation, which means the CFO needs to be part of the team in charge of cybersecurity.

“This might seem counterintuitive for a technical project, but the CFO’s compliance and risk management responsibilities and their budget-allocation powers make them an obvious leader,” the report says. But because of the CFO’s “traditional lack of technical expertise,” the cybersecurity team also needs to include the CISO, CTO or whoever else is responsible for security.

Raising Awareness

To ensure everyone within the organization is invested in digital transformation and security, it makes sense to run training programs and workshops explaining how the new infrastructure will affect day-to-day operations. Cybersecurity awareness training should be ongoing, the report says.

The better a company’s employees understand security risks, the more likely they are to avoid doing something that could cause a breach. As companies become more reliant on digital and automated processes, this will become more important than ever.

[(ISC)² Blog]

Source: http://blog.isc2.org/isc2_blog/2018/08/avoiding-the-security-pitfalls-of-digital-transformation.html

Calling All CISOs: Speak the Language of Business

As a business executive or board member, how do you feel when you are talking to your organization’s CISO? Do you feel like you are on the same page, speaking the same language? Or do you feel overwhelmed by jargon and techno-babble that requires an interpreter?

If your answer is the latter, it’s not your fault. You shouldn’t have to know all of the jargon or speak in the language of a technologist. Rather, your CISO should be speaking the language of business in a way that is easy to understand, relatable to your needs and focused on the bottom line.

That’s the advice of Diane E. McCracken, and she should know. McCracken is a widely known and well-respected chief security officer at a midsized bank located in the northeastern United States and, as she says, a technologist at heart. But although tech talk is her native language, speaking it in the boardroom is a definite no-no.

“In today’s environment, cybersecurity professionals need to learn a new language,” she says. “The language of money. That’s when board members and executive management pay attention. They need to know what the investment is really buying and whether it will protect the organization.”

McCracken offers advice to her colleagues and peers as a speaker at various conferences and, recently, as an author in the upcoming book Navigating the Digital Age, Second Edition, published by Palo Alto Networks. She also provides guidance for business leaders on what to expect and demand from their CISOs.

For CISOs, the main advice is to learn the language of business. Use numbers, speak in specifics about risk, anticipate questions and use your imagination. In one particular case, she used an allusion to the pop icon Taylor Swift to make a point about cloud computing. But if Taylor Swift doesn’t work, there are always two areas that will resonate: one is risk and its consequences; the other is business enablement.

Advice for Executive Management and Board Members

Just because the onus is on the CISO to speak in your language, that doesn’t let you off the hook as a business leader, says McCracken. You too have to be vigilant. You have to establish a regular cadence that includes the topic of cybersecurity in board meetings. You have to insist that the security teams present information in language and formats that are clear, simple to understand, relatable and focused specifically on the value to the business. Most of all, you have to support your cybersecurity leaders.

“They are fighting a nameless, faceless adversary on your behalf,” McCracken says. “They have to be right thousands of times a day; the bad guys have to be right just once. In order to be successful in the cyber world, both parties must be in sync, and only through these conversations will that be possible.”

The Language of Business Enablement

One of the more important challenges for CISOs is embracing the concept of cybersecurity as a business enabler—and then articulating that value so it captures the attention of business decision-makers. McCracken offers one example where the solution was to show the board the money.

In her organization, the tech teams had a desire to bring software development in-house as a means to improve quality assurance and accelerate speed to market. From McCracken’s perspective, the key was to ensure that security was factored in at every stage of the development cycle. To convince the board, she created a flow chart that showed the cost of remediation early, midway and at the end of the development cycle. The numbers told the story for her and the board fully funded the program.

“In a case such as this, it is clear that the role of the CISO is as a business enabler,” she says. “It’s not our job to say ‘No.’ Our job is to advise on the risk and put the controls in place to appropriately limit that risk. When the business needs board sign-off, I must be able to address the risk in language the board members understand. With business leaders and the board, money is the universal language.”

Source: https://www.securityroundtable.org/calling-all-cisos-speak-the-language-of-business/

Cybersecurity And The New CISO: The Leadership Enigma

As a chief cybersecurity advisor, I regularly receive requests from recruiters working in the field. Acknowledging the economic forces at play, I appreciate that global demand for cyber professionals exceeds supply. Add to this the increasing rate of organizational breaches and the explosion in technology and online services, and it is easy to see why demand has spiked.

All of these factors have no doubt fueled a boom in the cybersecurity industry, bringing with it the problem of questionable leadership. There are those who aspire to be cyber professionals, who may even have an IT background but do not have the necessary knowledge, experience, training and time at the coal face in cyber roles. Put simply, they lack good pedigree. The next time someone wants to talk to you about “risk,” ask them if they have ever conducted a threat risk assessment or managed incident response. More than likely, the answer is no.

How do we get the right cyber leadership?

Let’s first consider this through recruitment of a key cyber role — the CISO (chief information security officer).

Recruitment needs to start with well-constructed job descriptions and criteria. CISOs need to be able to develop and set strategic direction for cyber risk and information security. Their areas of responsibility should include:

1. Risk management/risk culture.

2. Documentation standards.

3. Relationships and communication — in particular, with senior management and industry.

4. Incident response and business continuity.

5. Third party management.

6. Compliance activities.

7. Technical capability and delivery.

A must-have requirement is the ability to maintain a current understanding of the cyber threat environment for their industry, and of the related laws and regulations, together with the ability to translate that knowledge into identified risks and actionable plans to protect the business.

Similar challenges exist for project manager (PM) roles. A good PM can make a significant difference to the timely delivery of a cybersecurity project, ensuring it is within budget and delivers the intended outcome.

Along with project management ability, the PM needs acumen in IT and cybersecurity. This should be mandatory. Many PM job descriptions now explicitly specify such things as:

• Technical knowledge of ICT infrastructure (software and hardware) and experience with toolsets used by ICT organizations in the security, management and delivery of their services.

• Extensive understanding of ICT concepts and the system development life cycle management methodologies, including experience with agile application development teams.

Developing job criteria can be a challenge, but there are now a number of recognized national standards to help.

The Institute of Information Security Professionals (IISP) Skills Framework was developed in collaboration with security leaders from the public and private sectors, academia and industry. The framework uses a consistent language to describe the range of competencies expected of information security and information assurance professionals in the effective performance of their roles.

The National Cybersecurity Workforce Framework, part of the National Initiative for Cybersecurity Education (NICE) and published as NIST Special Publication 800-181, categorizes and describes cybersecurity work through several components, using a common language.

Another tip in recruiting is the interview panel. It must include members who understand the specialized field within which they are interviewing and filtering candidates.

What makes an effective CISO?

To be effective, a CISO needs to have both a blend of technical knowledge, business acumen and cybersecurity skills, and an appropriate position within the organization that allows them to deliver on their mandate.

The CISO needs to be able to execute on all fronts of cybersecurity practice, through using their business and security acumen. They also need to incorporate prudent risk management through building and delivering on a risk-based portfolio strategy (including prevention, response, mitigation, insurance and measurement) or business-driven security. This means looking at the organization’s portfolio of risk and determining how cybersecurity plays into each risk.

While I am a big fan of qualifications and certifications, I also believe that informal qualifications are just as important — as long as they are relevant. The qualifications that go into a well-rounded CISO are a blend. Many organizations now require some baseline degree in a relevant discipline along with a range of hard and soft skills. Hard skills can include security concepts (authentication/authorization, operating systems, DNS routing), risk assessment methodologies, network architecture and compliance standards (such as PCI, NIST, GDPR), to name a few. Soft skills such as communications, interpersonal/negotiation skills and strategic planning are now hugely favored.

To effectively influence change and set direction in support of real business objectives, the CISO should be elevated to the equivalent of the CIO. Conflicts of interest aside, I have seen many times when the CISO role falls under the CIO, and their focus is diverted toward plugging security gaps and never actually leading and planning for the future. Moving from problem to problem is an indicator that the organization does not have a mature risk management culture.

The New CISO

The new CISO must know how to quantify risk and understand business as well as cybersecurity technologies. They should have a passion for technology and security. They need to be a champion, educating the organization about the latest security strategies, technologies and methods.

They are no longer just the keeper of secrets or guardian at the gate. They are integrated into the business and taking a risk-based detective/hunter-style approach.

As the CISO role evolves from exposure mitigation to incorporating broader business risk management, the cybersecurity apparatus must also change. This means that certain traditional security tasks should move into operational IT areas. Risk management/risk culture through data capture and analytics should become the core functional capabilities.

This will mean having to retool/rekit your organization’s skill set to support more analytical thinking and promote a greater awareness of operational risk management.

The mission today is beyond just exposure and encapsulates everything from protecting brand and reputation, revenues or market share to enhancing shareholder value. This is how you evolve from a compliance-driven model to an intelligence-driven, agile model.

Leonard Kleinman, Chief Cyber Security Advisor, spokesperson and cybersecurity “best practice evangelist” with a focus on cyber threats to IT systems.

Source: https://www.forbes.com/sites/forbestechcouncil/2018/07/26/cybersecurity-and-the-new-ciso-the-leadership-enigma
