CISO DRG Vol 1: Chapter 1 – The CISO


Where and to Whom Should the CISO Report?

We begin our book with one of the most basic and fundamental issues facing cybersecurity today, namely the reporting structure for CISOs. As our authors will note, this reporting structure has a tremendous impact on the efficacy of the organization’s security operations. This discussion highlights the differences between traditional, IT-focused views of cybersecurity and those that are evolving to view cybersecurity as a risk-management function.

While there are differences in approach and perspective, our authors collectively emphasize how important it is for the CISO to know their organization’s industry, regulatory requirements, and lines of business. This organizational context has important implications for the security operations’ staffing levels and budget.

Bill Bonney highlights how organizations are demanding more of their CISOs and the fact that CISOs are expected to expand upon their deep technical knowledge to also include domain expertise in the areas of risk management and business operations. His analysis highlights how the balance between technical skills and business acumen is frequently influenced by the level of maturity of the organization.

Matt Stamper suggests that the reporting relationship for the CISO reflects how the organization views risk. Organizations that take a more expansive view of cybersecurity and risk will likely have a CISO reporting outside of traditional IT, generally reporting to the CEO or CFO. His perspective is that there are also inherent challenges in having a CISO report into IT. Under these scenarios, the CISO is placed in the unenviable position of having to judge the work of their boss, frequently the CIO.

Gary Hayslip offers a pragmatic view of where CISOs should report depending upon the industry context of the organization. What is clearly emphasized, and all the authors agree on this point, is that organizations that have a designated security officer – a CISO – will have better security outcomes than those who have not formalized this role within their organization. Gary highlights how critical it is for the CISO to truly know the organization – its people, its data, its industry, its applications, and its infrastructure. As Gary notes, “cyber doesn’t exist in a vacuum.”

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  Who should I (the CISO) report to? 

♦  How and where should the CISO and security program fit within the organization’s structure?

♦  How and why do I see this changing?

Report to and Organizational Structure – Bonney

We often think of reporting relationships and organizational structures as fixed. You get hired to do a job, reporting to a particular person in a department, business unit, or functional group that has a certain structure, and you learn to operate within those parameters. But as cybersecurity risks have become high-profile news-generating events, the CISO role has had to evolve. With that higher profile you sometimes get greater latitude to adapt to the changing threats, but you almost always inherit greater expectations that the approach taken by you, the CISO, on any given issue will be appropriate from a C-level perspective, not just technically correct.

What does that mean? It means that organizations are asking more from the CISO. Besides the technical standards and regulatory requirements that you’ve mastered, you are expected to know the products, the business, your customers, and the market in which your organization competes. You are also expected to act in a way that is best for the organization, placing the needs of the organization before the needs of your career or any other personal outcome. That’s called a “fiduciary responsibility.” If you need to change the structure of the information security group to meet the organization’s needs, do it. If you should be placed in a different part of the organization to best serve its information security needs, it’s up to you to determine that and advocate for it.

With that as backdrop, let’s look at all three parts of this question: To whom should I report? How should the organization be structured? How should I expect that to change over time? We’ll look at each of these questions through the lens of a C-level executive making the determination about what is right for the organization. We’ll assume that whether you, the CISO, were hired at the C-level or not, you wish to and are expected to contribute as if you were a C-level executive.

Three Criteria for Deciding

The three criteria I’m going to apply are organizational maturity, business domain, and skill alignment.

By organizational maturity, in this context I mean specifically how experienced is the organization in dealing with the types of risks that threaten the continuity of its lines of business? Does it build in operational resilience to account for disasters and disruptions, develop continuity plans to recover normal operations, and communicate those plans to employees, key partners, and customers? Does it practice responding so that people throughout the organization, including within the customer and partner eco-systems, know what to do when disruption or disaster strikes?

By business domain, in this context I mean specifically what is the nature of its external environment? Does the organization operate in a highly regulated environment? Is the market segment in which it operates subject to numerous security or operational threats? Is it in a highly technical arena?

And finally, by skill alignment, in this context I mean specifically how do the skillsets within the Information Security department align with the expertise in the rest of the organization? Which business units or functional groups are responsible for business continuity? Where does responsibility for risk management lie? Is Information Technology managed centrally, regionally, or within business units? Where do the CIO and CTO report? Given this environment, what is the appropriate balance between technical skills and business acumen for the CISO?

Organizational Maturity

Let’s start with organizational maturity. A key factor in your thinking should be that for many organizations, the CISO needs to be the “Chief Resilience Officer.” This is especially true for those organizations without significant muscle memory in building and executing continuity plans. If the organization does not have much experience in this area, you should give strong consideration to having the CISO report to the Chief Executive Officer (CEO). In this environment, the organization is more likely to experience a devastating cyber-attack than a physical threat, and it is not likely to be ready for either without your help.

As the CISO, and informally the Chief Resilience Officer, it is your job to help the organization identify the key assets that must be recovered for the organization to continue as a viable entity and determine how to ensure that outcome. You’ll drive the creation of action plans that will be executed in the event of a crippling cyber-attack. To do this successfully you’ll need the full, active support of the entire executive team. Head nods and lip service are not sufficient. You’ll need to answer for yourself “at what reporting level am I likely to get that support?” and advocate for that outcome.

The breadth of impact that a cyber event would have and the number of touch points that cyber-preparedness activity is likely to require throughout such an organization would be substantial. For that reason, it is likely that a CISO would be less effective as a sub-function of either Finance (reporting to the Chief Financial Officer (CFO)) or Information Technology (reporting to the Chief Information Officer (CIO)), even though these leaders typically own risk and technology, respectively. Nor is it likely that a Chief Operating Officer (COO) will have sufficient breadth of responsibility in this case.

If the organization has a mature process for business continuity, then it is imperative that the CISO is closely aligned with whoever owns business continuity. Ideally, you’ll work with these key individuals to improve the existing plans to include recovering from a cyber-attack. At a minimum, you will need to share communication and escalation processes. Hopefully this will be a member of the C-suite so you can integrate with the team charged with keeping the company in business while the disaster, attack, or disruption is abated. If continuity planning is assigned but is too far removed from a C-level executive, you’ll need to help the organization re-think its position and elevate that function or subsume it into your department.

Finally, if the organization is more mature and has high-functioning, independent business units that tend not to rely on centralized back-office functions, you should consider using more embedded resources to support the business units directly. While you’re still likely to have a greater impact by centralizing infrastructure protection, incident response, and governance functions, embedding application security business partners directly into the business’ technical and product teams may improve their ability to flex and keep up with changing business requirements.

Bill Bonney

CISO DRG Vol 1: Chapter 2 – Regulatory, Requirements, and Audit


How Do Regulations, Frameworks, and Standards Impact Cybersecurity and Audit Practices?

In this chapter, we review strategies and techniques to assess and address the seemingly infinite number of regulations and standards that impact cybersecurity practices and the ensuing audits used to validate security controls. Each of us touches upon some of the more common regulations we face as CISOs, including those that impact sectors such as healthcare and financial services as well as critical infrastructure. We each emphasize the importance of taking a collaborative approach to regulatory compliance…working with other stakeholders within our respective organizations to understand the requirements of the security programs we oversee. Key actors in these processes include the organization’s legal counsel, its chief risk officer, and other C-level executives that have a fiduciary responsibility to oversee the governance of the organization.

Bill begins this chapter with the basic premise that regulations and compliance requirements mandate “minimum standards of due care.” Bill’s experience working with publicly-traded organizations that are subject to both Sarbanes-Oxley compliance and regulatory audits offers excellent guidance on how to approach an audit as a CISO and how to work with colleagues throughout the organization to prepare for this level of oversight. Bill also notes how important it is as the CISO to evaluate the organization’s contractual obligations. These may be especially impactful for organizations in healthcare that are subject to HIPAA-HITECH.

Matt continues with an assessment of the regulations that mandate specific security practices and suggests that we’ve entered an era where boards of directors and our colleagues in the C-suite can no longer ignore security. The CISO is now the advocate for legally-defensible security practices. Matt also highlights the unique role that the Federal Trade Commission (FTC) has had in establishing minimum security practices with its enforcement of Section 5 of the Federal Trade Commission Act (FCTA), which addresses “unfair and deceptive trade practices.”

Gary emphasizes how critical it is for the CISO to “meet and greet” fellow executives and stakeholders. This informal discovery leads to actionable guidance related to regulatory compliance and the required controls. Gary’s analysis also suggests that the regulatory requirements should inform the type of controls and techniques deployed. Gary warns CISOs not to make controls, processes, and techniques overly complex as this will typically overwhelm the organization and have the opposite of their desired effect. Despite Gary’s background with the Navy, the Department of Defense, and municipal government, he brings a refreshing “business perspective” to dealing with regulations and compliance.

Consider these questions as you read this chapter:

♦  Do I have any regulatory requirements?

♦  How do I position my security program and organization for success with regard to compliance?

♦  What policies, processes or procedures should we leverage to successfully engage our auditors and/or regulators?

Regulatory Requirements and Audit – Bonney

In the first chapter, I talk a little about regulatory oversight. I point out, for instance, that in the overall scheme of information security, regulatory requirements are really cover charges. I also noted that typically, in mature organizations with well-known or substantial regulatory requirements, corporate governance would be structured to comply with mandatory management oversight obligations. To be clear, I believe that regulations and compliance requirements mandate minimum standards of due care.

The reality is that while regulatory and compliance requirements do not in and of themselves keep your data secure, they are obligatory, with the specifics depending on the industry, locale, and organizational structure. But, truth be told, despite the disdain that many people hold for compliance activities and requirements, they can often be leveraged as a foundation for a good information security program.

In this chapter, I will expand on some of those thoughts and talk about setting up your program for regulatory success, leveraging that foundation for successful governance, and engaging with your internal and external audit teams as key partners in your governance program. I will take the questions for this chapter in order. What are my regulatory requirements? How do I set up my program for success? And how do I engage my auditors and regulators?

How Do I Know What My Regulatory Requirements Are?

That brings us to the first question I am going to address: how do I know what my regulatory requirements are? I’m going to take an expansive view of this. By expansive, I mean I’ll consider a broader range of compliance regimes that aren’t all strictly regulatory.

Let’s begin with the obvious: if the organization is a publicly-traded company listed in the U.S., it is subject to the Sarbanes-Oxley Act of 2002, which was enacted to ensure reliability in financial reports filed by public companies with the U.S. Securities and Exchange Commission. Check with your Chief Information Officer (CIO), Chief Technology Officer (CTO), Chief Operations Officer (COO), Chief Financial Officer (CFO) or Corporate Controller to understand how your organization is currently managing these obligations and how you should engage with the appropriate teams. In general, you’ll be responsible for some subset of the Information Technology General Controls (ITGCs) that your organization has defined to comply with Section 404.

If the organization holds personal data for employees or customers, it is likely subject to privacy regulations from applicable state privacy and breach laws, along with potential international implications depending on the localities involved. U.S. multinationals who do business in the European Union (EU) or hold data for EU citizens must comply with the General Data Protection Regulation (GDPR). Check with your Chief Privacy Officer (CPO), Chief Risk Officer (CRO), or Chief Legal Officer (CLO). If your organization doesn’t have these leadership positions, a good fallback is the CFO, who will often own risk for medium-sized firms. Here you’ll again have a subset of IT controls.

For good proxies of what is required to meet these controls, you can use the following. For preventative control requirements use the Massachusetts privacy regulations (201 CMR 17.00). Use the Nevada breach notification law (N.R.S. § 603A.010) and the California data breach notification law (SB 1386) for breach notification requirements. And to provide a sober reminder of the reach of some state regulations, review the Texas extreme notification requirements (Texas Medical Records Privacy Act), which are more stringent than those found in the federal Health Insurance Portability and Accountability Act (HIPAA).

Of course, HIPAA is one of the other major regulatory regimes you’ll need to pay attention to if you are a “covered entity,” which are generally healthcare clearinghouses, employer-sponsored health plans, health insurers, and medical service providers. One of the more interesting features of HIPAA is that covered entities are required to cascade their obligations to Business Partners and Business Associates (look for any business associate agreement (BAA) your organization has signed) to ensure that all third parties that are involved in handling Protected Health Information (PHI) are obligated to safeguard the PHI in their care.

Besides healthcare, other industries have specific regulatory regimes. Some examples:

Federal agencies must comply with FISMA, the Federal Information Security Management Act. DoD contractors are subject to DFARS 252.204-7012, which requires a subset of NIST 800-53 controls and DoD contractors that handle classified information are subject DFARS Rule 78 Fed. Reg. 69273.

Organizations that accept credit cards for payment or process credit cards are subject to the Payment Card Industry Data Security Standards (PCI-DSS) and organizations that use Experian data agree to comply with the Experian Independent Third-Party Assessment (EI3PA).

Finally, similar to the contractual requirement of adhering to PCI-DSS controls (these are not regulations, you agree to comply in your contract with the Payment Card Industry), organizations often agree to data handling requirements that usually include security requirements by accepting contract language specifying security and privacy related duties.

It is best to start with your executive peers for a general idea of what contractual security compliance requirements you have in place, but do a deep dive with the procurement department or whichever group is responsible for managing contractual compliance. Contractual compliance is something most audit firms will look at while conducting financial audits, which implies that some group within the organization will be responsible for tracking the agreed-to obligations. If the structure within your organization is not apparent, you can start with the CFO or Controller.

Typically, signed addendums, engagement letters for third-party assessors, and the resulting attestations will list the individuals in the organization who are authorized to represent the organization, and that is an excellent place to start to determine what has been committed and who is executing and testing controls.

For banks and certain other financial institutions, there are a host of compliance regimes, including compliance with the Gramm–Leach–Bliley Act (GLBA) and adhering to guidance from the IT Examination handbook of the Federal Financial Institutions Examination Council (FFIEC), the multi-agency bank regulator. Other organizations that provide services to the financial industry are often required to provide third-party attestations about their controls. These attestations used to be called a “Statement on Auditing Standards No. 70” (SAS-70) report, but in 2011, the American Institute of Certified Public Accounts (AICPA) replaced the over-burdened SAS-70 with a new standard called the “Statement on Standards for Attestation Engagements No. 16” (SSAE-16) and then in May of 2017, updated that standard with the “Statement on Standards for Attestation Engagements No. 18” (SSAE-18). This replacement was more than a series of name changes.

In addition to creating extra burdens on the organization obtaining the audit (called the “Service Provider”) and transferring some responsibility from the auditing firm (called the “Service Auditor”) to the Service Provider, the changes also defined and formalized additional types of attestations (SOC2 and SOC3) based on trust principles, including: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Financial institutions typically have mandated management duties as well, and the CFO or Chief Audit Officer (CAO) can be consulted to start your discovery for these compliance requirements.

What I have covered above is not meant to be 100% complete. We could dedicate an entire book to listing and describing all the compliance regimes touching information (or data) security. Instead, I have laid out several fundamental principles. First, there are some mandatory security regulations for nearly every organization, indeed any organization that would require a full-time CISO. Second, compliance obligations come in both mandatory (regulations) and voluntary (contractual) varieties. And third, for each requirement, there are logical places to start your discovery about what is required and determine the role you must play.

Bill Bonney

CISO DRG Vol 1: Chapter 3 – How Data and Information Classification Influence the Role of the CISO


There are few topics more critical in cybersecurity than the establishment of proper data classification and protection programs within an organization. For many organizations, data and information are their most valuable assets, the new currency in the digital economy. In this chapter, we explore how aligning data and information protection with business objectives is a core element of good data governance.

Data classification influences the three central tenets of security: confidentiality, integrity, and availability (CIA).  While each of these three attributes is important, their relative values vary from industry to industry. Data classification is critical in prioritization because we cannot protect all data equally. A critical part of the CISO’s role is to understand which data is most important to the organization.

In addition to data classification, you should conduct formal data-flow analysis within the organization. We share approaches to documenting information flows within an organization that range from non-technical “meet-and-greets” to more technical packet analysis. The resulting data flow diagrams (DFDs) are a valuable tool for your information security and governance program.

Finally, treat data as a strategic asset. Make data classification activities as pragmatic as possible. Be aware that exhaustive data classification projects become “shelfware.” It is critical to have the data classification and governance activities aligned with the organization’s risk management practices and ultimately the organization’s risk appetite.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What type of information and data does my organization create, use, and share as part of our operations?

♦  Do we have data that is subject to specific regulatory or contractual controls and practices?

♦  Do I know the lifecycle of this data and the systems, processes, applications, individuals, and third parties that have access to this data?

♦  Are our organization’s data governance practices consistent with the value of this data and our regulatory or contractual obligations?

Data Mapping – Stamper

In this chapter, we will be discussing the critical requirement to classify and map data. As I explained in the previous chapter, laws, regulations, and industry standards are placing greater emphasis on knowing the types of data within organizations and its governance. Before focusing on data governance, let’s take a quick detour to the world of economics.

Transaction costs, according to economists, can influence which functions are handled internally within the organization or outsourced to an external provider. When transaction costs are high, there is a tendency to maintain these activities internally. These functions are often transferred to more cost-effective, external providers when transaction costs are low. What we have seen over the last twenty-plus years is the widespread reduction of transaction costs for many core enterprise functions and across many industries including healthcare, financial services, manufacturing, and professional services. In addition to outsourcing wide-scale functions, we are now outsourcing niche activities at the margin (i.e., shadow IT). As an economist might note, most everything happens at the margin. What does this have to do with cybersecurity? Everything.

For the CISO today, it has never been more critical to understand the types of information moving into and out of the organization. The effect of reduced transaction costs, coupled with new technologies such as mobile telephony and cloud services, has introduced significant challenges for CISOs charged with protecting organizational assets, including information and data. Let’s take a few moments to understand how pervasive outsourcing of specific functions is in today’s economy and its impact on knowing where our data resides.

Most organizations have common departments including human resources, finance and accounting, sales and marketing, information technology (IT), operations (including manufacturing), and legal. The reduction of transaction costs related to core activities within these departments has effectively made the organizational boundary semi-permeable. What is outside the organization is now inside, and what’s inside is now outside. Those of us in security feel this viscerally when we think of our own organization’s perimeter. It’s hard to find and nearly impossible to secure.

Where’s Our Data?

Let’s look at some concrete examples of how fluid information is within, and more importantly, outside of an organization. It’s not uncommon for organizations to outsource their payroll services to third-party processing organizations. Payroll data includes personally identifiable information (PII), including the employees’ social security numbers (SSNs), salaries, dates of birth, and addresses. That same organization may also outsource its accounting function. The accounting firm would have access to sensitive financial information including profit and loss detail, the value of assets, and the particulars about significant transactions. External auditors will validate the financial reports prepared by the firm and may request samples of specific transactions to support their assertions regarding the quality of the financial reporting.

The organization may leverage external legal counsel to file patent applications, handle merger and acquisition (M&A) activities, and other highly-sensitive projects. A third-party marketing application sends e-mails to clients and prospective clients containing personally-identifiable information (the name and e-mail address of the recipients). Independent contractors may be providing support on critical projects with access to material non-public information (MNPI). The organization may outsource manufacturing to a contract manufacturer in another country. The manufacturer could be using patented processes or other intellectual property of the organization. An external DevOps team may be handling application development and might have real production data to test functionality.

The organization’s applications reside in multiple locations across multiple states and several countries. Some applications and data are “in the cloud” and many lines of business, given the responsiveness challenges with traditional IT, use SaaS services to meet their requirements. Employees have personal mobile phones that they use to receive e-mail outside of the office. This e-mail includes attachments containing any number of data elements. Employees also bring their devices to work and take these devices with them when they leave the office each day, including when the firm terminates their service. Employees use third-party file-sharing tools, personal e-mail accounts, and external media to store information. Suffice it to say that the average organization does not know where its critical data and information are and, equally important, how they are protected, if at all, outside the organization.

Matt Stamper

CISO DRG Vol 1: Chapter 4 – Third-Party Risk


In Chapter 4 we turn our focus to third-party risk. You could say that the first half of this decade was the dawn of a new era of third-party risk in cybersecurity. Edward Snowden was an independent contractor when he expropriated and disseminated a trove of sensitive information belonging to the National Security Administration in the spring of 2013. In 2014, breaches of third-party Point of Sale (POS) systems victimized both Dairy Queen and Taco Bell. And both Target and Home Depot were breached through inadequately secured vendor logins in 2013 and 2014, respectively. Granted not a breach, but the case of Cambridge Analytica and Facebook (which began circa 2015 and came to light in March of 2018) highlights how third-party access to data can have consequences beyond the initial business proposition.

It has never been more evident that how you engage with third parties that have access to your network or your data is a critical component of your risk management program. What you will see from all three authors in this chapter are practical recommendations that will help you understand, explain, and better control the third-party risks you encounter as the CISO for your organization.

Bill starts the discussion by pointing out some red flags that managed to go undetected and the resulting regulatory scrutiny that third-party risk management now enjoys. Bill touches once again on the importance of knowing how and under whose control data flows into and out of your organization. He provides some practical advice for the new CISO for uncovering and quantifying third-party exposure and discusses essential legal protections that you need to have in place, including a “right to audit” clause for critical third parties. Engagement is the key to Bill’s approach, at the individual level for contingent workers and at the center of the relationship for organizations upon which you depend.

Matt focuses on the vendor management aspect of third parties from a service delivery perspective. He emphasizes how important it is to know the capabilities of the third parties we rely on and helps us use several tools, including the RACI (responsible, accountable, consulted, informed) matrix, third-party inventories and assessments, vendor management lifecycle, and independent attestations and audits, to validate the assertions made by prospective vendors. Matt makes it clear that vendor management is an ongoing activity best approached as a team sport.

Gary looks at the five categories of risk, including Financial Risk, Strategic Risk, Operational Risk, Regulatory/Compliance Risk, and Geographic Risk (Ambrose 2014). He reminds us that we can’t contract away our responsibility to manage our own risk. We can outsource activity, but we can’t outsource responsibility. Gary provides an in-depth discussion of how to set up and run a vendor management program (VMP) and helps us understand how each third-party vendor aligns with the organization’s strategic goals. Another key takeaway is to be transparent with your vendors about how you measure them. That helps them stay focused on performance as well.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  How do vendors and other third parties impact our cybersecurity program?

♦  How do I know if my vendors are secure?

♦  What should I do to protect my organization when using third parties? What controls or processes should I have in place?

Vendor Management Program – Hayslip

In your role as CISO, you will deal with many third-party vendors who provide services for your security program and your business. However, be advised that each one of these vendors can bring unique issues and open doors to unknown risks. As CISO, some questions you should ask yourself are: “What do I know about my new vendor? They provide a service or an application I require, but are they a good partner for my company? In the long run, do I see them as being financially viable and able to deliver services as promised?” These are just a few of the questions that you will have to vet as a CISO. Luckily, there are risk-management frameworks and vendor management programs that can be implemented to assist companies in understanding the risks of their third-party vendors.

How Much Risk Do My Third Parties Have?

Today we are witnessing an increasing number of data breaches in both government and private industry. The immense volume of data stolen and the risks these security threats impose on organizations is impacting their ability to operate as effective business entities. This combination of threats and risks is also increasing the pressure on corporate information technology departments, cybersecurity programs, executive committees, and boards of directors to devise and implement a plan to manage these issues and protect corporate “data.” It’s this visibility into the executive board’s interest in risk that I want you to think about as we proceed to discuss our first question, “As the CISO, what are the risks to my organization from our third-party vendors and why is it important that I understand their impact?”

Organizations will typically put controls in place to secure their business assets. The level of these controls will be based on several factors such as:

♦  The likelihood of an attack on those assets

♦  The impact to the business if the assets were lost or damaged

♦  The sensitivity of the data these assets use, process, or store

One tool to help measure the maturity of these controls will usually be some compliance regime. However, employing these controls still leaves the organization open to an enormous amount of risk involving third-party vendors, contractors, and partners. This risk is due in part to the fact that we lack visibility into the third party’s enterprise networks, business operations, workflows, and financial processes. Remember, your board of directors and senior management are ultimately responsible for managing activities conducted through third parties. Part of management’s due diligence is to identify and control risk. It’s imperative that all parties remember that no matter what services are contracted out, “all responsibility and accountability still rest with the organization.” We can’t contract away our responsibility to manage our own risk.

As a CISO, you may wonder “why do I want to use third-party vendors, who needs that headache?” Well, that is a good question, and it deserves the context of your company’s strategic business plan. I’ll bet that if you review this plan and its goals, you will find that your organization is using third-party contractors to attain one or more some strategic objectives. They may have a wish to use third-party contractors to quickly increase resources to resolve an issue and ultimately increase revenue. Perhaps they aim to use third-party contractors to reduce costs or to gain access to specific expertise, such as software development, that the company currently lacks. As a CISO, I have employed contractors over the years as staff augmentation for my teams or because we lacked critical skillsets for upcoming organizational projects. What’s important to remember here is that there are business reasons why your organization requires the services of third-party vendors. However, as security professionals, we must thoroughly understand the risks associated with using third-party organizations.

To start this process of understanding third-party risk, you will need to know what types of risk categories apply to your company. To assist you in understanding these risks, I would first suggest that your organization conduct a risk assessment. This risk assessment will enable you to better understand the different types of third-party vendor risk exposures, whether or not these risks apply to your organization, and their impact on your company’s strategic operations. The first phase of conducting this risk assessment is about establishing a risk framework, a lens through which the organization can proceed to identify risk, understand risk, and mitigate risk. To focus your lens, you need to ask the following questions:

♦  Are activities within the organization regulated?

♦  Do you know how much data is used by these activities?

♦  Do you know the data types and data classifications used by these activities?

♦  Do you know what vendors have access to these data types and data classifications?

♦  Do you understand each vendor’s responsibility concerning the organization’s sensitive data?

♦  How does each vendor fit into the organization’s overall strategic plan?

♦  If this data is breached, manipulated, or lost, what is the potential impact to the organization?

These questions begin to create a picture of how third-party vendors become intertwined in business operations. Once you embark on this assessment, what I expect you will discover is that there are many vendor relationships deemed not only critical to the organization but vital to its strategic plan. Therefore, the organization views these vendors as strategic partners and their operations and strategic viewpoints are considered to be consistent with its own. However, keep in mind that this doesn’t make them less risky. In fact, in my mind, they often bring greater risk exposure to the business because they are deemed critical to the organization’s strategic plans and would have a significant impact on those plans if not available.

Management analyzes the benefits, costs, legal aspects, and potential risks of these strategic partnerships. They also conduct risk and reward analyses on relationships deemed to be operationally vital. However, they can make mistakes if they base their analysis on data that is false, manipulated, incomplete, or out of date. So now you understand some of the concerns and questions that you will need to investigate in conducting a proper risk assessment. Next, we will cover the categories of third-party vendor risk and how they impact the organization.

Gary Hayslip

CISO DRG Vol 1: Chapter 5 – Measurement and Reporting


In Chapter 5 we look at how to create a metrics program that will help you measure the performance of your entire organization and determine what to report to your management and your board of directors. Each of the authors has a bias toward objective measurements and sees that as key to fulfilling the role of the trusted authority on your organization’s risk posture. They collectively emphasize the value of using widely adopted security frameworks to create a comparable baseline from which to measure improvement and extoll the virtues of being disciplined in the performance of preventive and periodic controls.

Bill begins with a brief historical review of tying measurement to business objectives and briefly discusses the evolution of control coverage to measuring the impact on service delivery. He provides several recommendations for frameworks you can use to establish your baseline. To conclude his section on measuring process effectiveness, he offers a helpful set of principles for deciding the metrics reported and how to maximize the impact of the reports. Bill then pivots to a discussion on the CISO’s role in risk management and how to measure the effectiveness of this strategic function.

Matt points out that there is no shortage of things to measure and helps the reader understand how detrimental an unchecked onslaught of raw data can be. He skillfully guides the reader through an analysis of key categories of risk and the relevant measurements to capture and report. Some of the categories he covers include legal, financial, human resources, vendor management, software, data, and system hygiene.

Gary focuses on how to effectively frame information for management and the board of directors to, in his words, “tell a story.” After outlining the criteria for developing the set of metrics the CISO will collect and share, including sample metrics and a formula for creating a useful metric, Gary pivots to organizing the information for consumption and action. He brings all of this home for the reader by sharing lessons learned, including the types of reports and dashboards to share (and with whom), establishing relationships with the recipients of the dashboards, and putting the information into context before they even see the report.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What are metrics? Why are metrics important? What steps should the CISO and security team take to create valid metrics for their program?

♦  What are some examples of dashboards you can develop as strategic assets?

♦  What types of reports should a CISO create to educate executive management and sponsor a more resilient, cyber-aware corporate culture?

Cybersecurity Metrics – Stamper

We live in a noisy world, one where the amount of information that crosses our desk, overloads our inbox, or distracts our attention from more meaningful activity is overwhelming. For those of us who work in IT and cybersecurity, our world is exceptionally noisy, and the signal to noise ratio is overwhelmingly noise. Just look at the log and event ID detail with which we work.

As a case in point, Cisco’s ASA reference material includes over 500 pages of Syslog detail (this is just one platform). Combine firewalls with routers, switches, servers, operating systems, applications, VPNs, LDAP or AD, and facility systems from multiple vendors, and you get the picture. Information blinds us.

As CISOs, we are simply overloaded by the amount of information that we are expected to absorb and respond to in a timely and technically-accurate manner. The tools we have to simplify and order this noise are also challenged. The basic legacy signatures and rules-based approaches to securing our infrastructure cannot keep pace with the talents of those looking to compromise our organizations.

This information overload is the reason why so many attacks are successful. The bad guys know how overwhelmed traditional security and IT departments are and can craft exploits that take advantage of this signal to noise ratio. They can simply send a well-crafted e-mail with a weaponized URL link or attachment. Advanced Persistent Threats (APTs) are mainly below the radar, overlooked in this noisy environment. We need to be more efficient in reducing the noise associated with our security operations.

The Value of New Approaches, Techniques, and Technologies

There are ways to improve our security operations and enhance our capabilities to find threats to, and within, our environments. On the technical front, there have been fantastic enhancements to automating security analysis, including tools to automate the collection and surfacing of specific event IDs that warrant attention – essentially indicators of compromise (IOCs). Complementing and extending Security Incident and Event Management (SIEM) tools are newer approaches that leverage network and user behavioral analytics to triage anomalous behavior. Anomaly detection and reporting offers an innovative and practical approach to focusing on what puts our systems and organizations at risk. The value of these systems is that, when engineered correctly, they leverage machine learning that mitigates the requirement for extensive rules writing and manual intervention.

Apart from the technical improvements we see in the realm of anomaly detection, there is also an increasing maturity in security operations related to agreed-upon security controls and metrics. As discussed previously in this book, the FTC’s enforcement of Section 5 of the Federal Trade Commission Act – focused on unfair and deceptive trade practices – has had the effect of creating a minimum baseline standard for security practices, at least within organizations that have a consumer focus.

There is also  precedent from states attorneys general, including Kamala D. Harris (former Attorney General for California and now U.S. Senator), recommending the adoption, at a minimum, of the Center for Internet Security’s Critical Security Controls. Essentially, there are now widely-agreed-upon frameworks – including the recent NIST Cybersecurity Framework – that set the minimum bar for security operations and can be used to evaluate and baseline your organization’s security practices.

Security metrics validate the effectiveness of our security operations and controls and provide actionable detail on where organizational improvements are required. Similar to logs, event IDs, and other data points, not all security metrics are created equal. The goal is to have a tailored set of crucial security metrics that are appropriate to your organization’s size and complexity as well as commensurate with the regulatory environment in which your organization operates. Effectively, as a CISO you want to focus on the return on security metrics employed.

To that end, I strongly recommend grouping metrics into functional areas and focusing only on those that are truly important to the organization and your security operations. Too many metrics can feel like a logging environment without a SIEM… too many distractions and nothing upon which you can act. Too few metrics and you overlook key performance and risk indicators. A balanced and thoughtful approach to security metrics is required to ensure that you align the signal to noise ratio with your organization’s risk tolerance.

I recommend grouping metrics into functional areas. There should be metrics that provide insight into administrative functions such as training, policy review and approval, and non-technical indices. Other metrics should focus on the operational and technical side of security. The development of your organization’s metrics dashboard should involve colleagues from business units and executive management. Their insights and requirements will inform the types of metrics you ultimately create, implement, and review. These metrics should be consistent with the core view that the CISO role is transforming into a lead risk management role – evaluating information risk across the entire organization.

Matt Stamper

CISO DRG Vol 1: Chapter 6 – Management and the Board


In Chapter 6 we turn to our interactions, as CISOs, with our management and our board of directors. As we note, there is a heightened awareness of cybersecurity within both the senior management team (what we often refer to in this book as the “C-suite”) and the board of directors. This heightened awareness comes from the ever-increasing profile of cybercrime and the concomitant increase in scrutiny from regulatory bodies, whether to protect our critical infrastructure or protect the victims of breaches and leaks. While this heightened scrutiny is both expected and, in many ways, needed, our higher calling is to be the best partner we can be to our peers within our organization.

Bill brings three points front-and-center: your role as the CISO within your organization, the roles of the individuals with whom you are communicating, and the outcomes you wish to achieve from these encounters. To Bill, the key results are to inform, collaborate, and take action. Bill also asks the reader to consider the natural filters as well as the differing duties that each member of their audience brings to the conversations. As the CISO, he reminds us, you will need to supply the narrative, so others don’t do it for you.

Matt implores us to take our duty to the board of directors and our management team seriously and realize that how we communicate the status of our security program and our risk posture matters significantly. He provides the point of view of a member of the board as a unique and informed way to clearly describe what a board member is concerned about, how they expect to be informed, and what they will do with the information you provide. Through his narrative, he helps CISOs to be more effective in advocating for their requirements.

Gary articulates one of the new fears that members of the board harbor when it comes to cybercrime: “… if their company will be next.” Gary also emphasizes how important it is to form relationships within the organization to keep constant tabs on the competing business objectives, both to inform the CISO about the needs of the organization and to tailor briefings to enable better outcomes. Gary provides a treasure trove of “been there, done that” advice for new and aspiring CISOs on how to make the most out of the extraordinary opportunities that CISOs now have to participate with senior leadership and influence the board of the modern company.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  If the CISO were a board member, what data would he/she would most want to see? What would he dashboard look like?

♦  What does the CISO want from the board in support of their information security responsibilities?

♦  What are recommended practices for reporting cybersecurity requirements to the board?

♦  How should the information be presented?

♦  What important aspects of cybersecurity and risk should the CISO ensure are conveyed to the board?

Management and the Board of Directors – Hayslip

In today’s uncertain business environment, the board of directors is becoming more security aware. They watch the news and read articles on the latest cyber incidents and wonder to themselves if their company will be next. Many of them also wonder what their competitors are doing to reduce their cybersecurity risk.

As the CISO, you will be the organization’s expert for this evolving uncertainty. It will be incumbent upon you to report to your organization’s executive management on issues relating to risk exposure, cybercrime, compliance issues, and newly evolving threats. To do this effectively, you will need to establish an executive-sponsored cybersecurity program. This program will enable you to provide “Cybersecurity as a Service” (CaaS) to your organization and its business units. Periodically report these cyber services, their impact on the organization, and any resulting risk exposure to executive management. It is this process of presenting to the board and executive management that we will cover in the discussion that follows.

As I mentioned in the previous chapter, reporting to management and the board of directors is a unique experience. The way you prepare your reports, how you present your data, and the preparation required to ensure you are effective are skills you must learn as CISO if you expect to grow your cybersecurity program and be seen by the company as a business enabler.

Are You Board Ready?

To begin, let’s assume you have a mature security program in place and you are collecting metrics that you will use to measure the maturity and growth of its value to the organization. To analyze this data and use it to implement change, you have created dashboards to display this information to support your organization’s business units. Now as CISO, you are excited about the trends you are seeing in the information you have collected, and you communicate this news to upper management. Then one afternoon you get “the email,” that’s right the email that comes from your organization’s executive assistant for the board of directors. The board is requesting that you present to them the information you have on your cybersecurity program and the current risks the organization faces. At first, if you have never done an executive presentation, you may be apprehensive. However, recognize that this is an incredible opportunity.

You, in your role as the CISO, have the chance to educate the board and executive management on how cybersecurity is providing value to the organization. So, let’s discuss how you can approach this opportunity and not lose your job with the following questions: “What are recommended practices for reporting cybersecurity requirements to the board? How should the information be presented? What important aspects of cybersecurity and risk should the CISO ensure are conveyed to the board?”

Boards of directors are tasked with protecting their organizations from significant risk. Their duties generally fall within six areas:

1.  Governance

2.  Strategy

3.  Risk

4.  Talent

5.  Compliance

6.  Culture

To corporate boards, cybersecurity risk is as significant to the business as risks posed by strategic, operational, financial or compliance operations. For the board, providing effective oversight of cybersecurity risk means the difference between learning about cybersecurity after a breach with significant damages and having a mature cybersecurity program in place that can mitigate the costs of a breach with minimal exposure to the company. In today’s fast-moving business environment, boards can’t claim lack of awareness as a defense against allegations of improper oversight. Boards of directors and executive management must educate themselves about cybersecurity and its risk exposure to their organizations. This knowledge is crucial; it enables board members to make strategic decisions with the full understanding of how cyber risk impacts their business plans. With this strategic view in mind, let’s discuss how the CISO, the security program, and security teams can assist the board with its mission of providing proper strategic oversight.

At the executive management level, the CEO is ultimately responsible to the board of directors for the business’ cybersecurity risk strategy. However, the CEO will typically look to an executive, (CIO, CTO, CRO, etc.) who has governance responsibilities over information technology or risk management to execute this strategy. This executive will be expected to interface with the board and be held accountable to the CEO for this strategy’s implementation and overall management.

As I mentioned in Chapter 1, it’s my opinion that the CISO should report to another C-level executive who understands the importance of the CISO position and how cybersecurity can be used as a valuable asset to support the organization’s strategic objectives. This senior executive is critical to the CISO. Business tends to try to decentralize itself to be nimble and competitive while cybersecurity programs tend to try to centralize the business to be more effective in managing risk. It’s evident that these conflicting views will be in a constant state of opposition unless there is a senior executive to provide context and mentorship to the CISO. It’s this partnership between the senior executive and CISO that enables the CISO to see cybersecurity and risk from a more strategic viewpoint and understand its impact on the business.

So back to our plight. Your presence is requested to report to the board of directors on the state of your cybersecurity program and the company’s current level of exposure to cybersecurity risk. Your relationship with the senior executive you report to is critical. He/she will be able to assist you in articulating the value of cybersecurity in business terms and demonstrating how the program provides clear business value.

Ideas for painting this picture on business value

♦  Approach this opportunity as if presenting a financial report on a budget.

♦  Provide a balanced cost-benefit analysis on cybersecurity projects based on expected results.

♦  Describe a reduction in risk based on the use of specific cybersecurity controls or work processes (it is good to have metrics here to back up this picture).

♦  Demonstrate some quantifiable financial returns. Show how an increase in a specific cyber metric allows a more specific service or reduces risk to a critical business process. Describe how a mature cybersecurity risk management program increases productivity or allows for a reduction in cost – how the automation of controls or processes reduces time required to touch equipment or rewrite code.

♦  Discuss how the cybersecurity program enables corporate competitiveness. The company can leverage new technologies to be more competitive, reduce operations costs, and provide superior service to its customers. Describe how your security program enhances revenue by reducing risk to business operations.

Management has the responsibility to develop and implement the cybersecurity strategy; however, the board must fully understand the company’s risk exposure to cyber-related issues. Boards, due to their positions and breadth of governance, tend to look at issues from a broader macro level of operations while management operates at a more tactical level within their specific departments or divisions. Your job when you present to the board is to tell a story, a story that is concise, simple, and connects the organization’s business goals to your cybersecurity program’s risk management objectives. As you can see, this is very similar to the process you implemented when you created security metrics for your program and architected dashboard views to manage them. When you address the board, your story needs to have a beginning, middle, and end. It also needs to be interesting and should have a goal:

1.  Inform and Educate – you wish to tell the board that leveraging a new technology provides opportunities, however it also provides new risks that must be addressed.

2.  Influence a Decision – make the case for why a specific action should be taken, for example the cybersecurity program should be moved out of the IT department to address “segregation of duties” issues.

3.  Change Behavior – show how a current organizational process, behavior, standard, etc. is opening the organization up to substantial risk. Demonstrate workable alternatives that will reduce risk exposurewith minimal impact to business operations.

Since you are in effect telling a story, it is crucial to know how you want your audience to feel. To ensure that you are constructing the correct message, test it on one or more business executives to get their opinion on the information you present and whether it seems valid. Ask them to review your terminology and provide suggestions. You want to be sure that your story is demonstrating how cybersecurity is providing value to the business.

To assist in preparing for your board presentation, ask senior management for a board-level sponsor. This sponsor will be your sounding board as you create your presentation and can help you convey your message and answer the dreaded question, “What do you need from us?” There are multiple strategies to assist you in formulating your narrative. One that I would suggest you start with is to increase your business operations knowledge. You need to review the organization’s strategic plans and annual reports and interview executives within your company. The information you get will give you more insight into the business drivers that are critical to the board. They are also essential for you – you must ensure that your metrics and presentation are aligned to support them. Another strategy I would suggest is to compare/contrast with your peers if possible or use a framework such as NIST CSF or ISO 27001. Risk posture is difficult to measure.

Gary Hayslip