CISO DRG Vol 1: Chapter 7 – Risk Management and Cyber Liability Insurance

Introduction

In this chapter, we will talk about the one fundamental issue that drives most CISOs and influences how they create and manage their security programs. That issue is risk. Our authors will note that there are numerous types of risk facing an organization from both an internal and external perspective. They will also discuss the various components of risk and the impact on an organization when risk is not managed correctly. The discussions that follow will highlight our authors’ unique viewpoints on risk in its different forms and how to accomplish risk management through security controls and new tools such as a cyber liability insurance policy.

Our authors collectively believe risk is one of the primary drivers that influences an organization and its ability to be successful. Because of risk’s enterprise-wide impact, our authors believe the modern CISO must understand their organization’s industry, regulatory requirements, and strategic initiatives. This business context will provide critical insight for CISOs as they use their security program, policies, tools, and cyber insurance to protect their organization and reduce its risk exposure to an acceptable level.

Bill highlights the four fundamental approaches that organizations will use to manage their risk. He provides a thorough analysis of how the risk management function within the organization has changed due to many of the dynamic threats now facing enterprise business environments. He describes the multitude of ways that risk can impact an organization, and from his in-depth experience provides several options that organizations can use to mitigate risk and its impact on their business operations.

Matt approaches the discussion of risk through the lens of cyber liability insurance. He breaks down how to view the management of risk through tools like an insurance policy and how to leverage this new capability for the organization. In his discussion, Matt emphasizes that for the CISO to consider using cyber insurance, they must have an understanding of the current risks facing the business, the present risk management controls in place, and the resultant gaps to address. He believes that with this knowledge a CISO is in a better position to help their organization reduce its risk exposure by implementing an appropriate cyber insurance policy.

Gary begins his discussion on risk with the pragmatic viewpoint that for CISOs to be productive in mitigating the risks facing their organization they first must establish a risk baseline. The CISO must understand what is critical to the organization and must have executive management support to prioritize cyber risk correctly. Gary delivers a thorough treatment of cyber insurance and its numerous components and provides recommendations on how to use cyber liability insurance as a tool to protect the organization.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  How do I assess my organization’s current cybersecurity status? What do I need to protect first?

♦  What must my executive team do to prioritize cybersecurity in the organization? As CISO, what components and policies must be part of my cybersecurity program to effectively manage risk and keep my executive team informed?

♦  Should my organization consider cyber insurance to reduce its risk exposure? What do policies cover and not cover? What types of coverage should my organization consider (first party/third party)?

Cybersecurity, Risk Management and Cyber Insurance – Hayslip

Across our planet, the Internet is making inroads into every society as technology moves forward exponentially. With this increase in connectivity, we see new business platforms and societies reaping the benefits of access to new business opportunities and services.

However, there is a dimmer view of this fantastic growth in technology. With every tool used for one’s benefit, there is always the dark side of how it can be used to one’s detriment. This drama of how criminals use technology against organizations highlights the unique position of the CISO.

An organization’s CISO is the subject matter expert on the dilemma of this dark side. It is considered essential that the CISO understands the organization’s risk exposure to cybercrime, compliance and regulatory issues, and new evolving threats. To do this effectively, the CISO must establish an executive-sponsored cybersecurity program, create relationships within their organization’s internal and external stakeholder communities, and continuously evaluate their organization for risk and take immediate steps to protect it from harm.

You Want Me to Protect What?

As we begin our first discussion, it is incumbent on me to remind you that the CISO is the focal point for an organization’s effort to deploy cybersecurity as a service (CaaS) and reduce the company’s risk exposure to its current technology portfolio. As previously mentioned, one of the first steps a CISO will take is to establish an executive-sponsored cybersecurity program.

This program will be the platform that a CISO can employ to gain a better understanding of the organization’s exposure to technological risk and create a mitigation plan for how to address it based on the organization’s business requirements. As it matures, this security program will also provide a foundation for the CISO to pivot from and use new workflows, security controls and technologies to enable the business to understand its risks and its partners’ risks and reduce them where appropriate.

To begin our first discussion, we will talk about cybersecurity and the inherent risk it manages for the business. We will also discuss how the CISO gains visibility into the corporate enterprise environment and how to use this knowledge for the betterment of the cybersecurity program and the company’s strategic business plans. So let’s discuss how you, as CISO, will approach this first question and how you should proceed to look for viable answers. “How do I assess my organization’s current cybersecurity status? What do I need to protect first?”

To begin our discussion, let’s first understand what type of risk we are concerned about as a CISO. In our position, we must realize “inherent cybersecurity risk,” which is the risk posed by an organization’s business activities and its connections to partners, as well as any risk-mitigating controls that are currently in place. An organization’s cybersecurity risk incorporates the type, volume, and complexity of its cyber operational components. These are the types of connections used by the applications and technology required by the organization to conduct its business operations.

Figure 7.1 COSO Enterprise Risk Management Framework

To understand this risk, we must approach the business departments within the organization and gain insight into how they do work. We must understand the applications, data, workflows, and technologies that are required by their personnel and any projects they wish to initiate to improve their capabilities. To collect this information quickly and effectively, I would suggest you begin with an enterprise risk assessment. I have completed several of these in the past and would recommend using a framework like the NIST Risk Management Framework or the COSO Enterprise Risk Management Framework. These frameworks will provide you with a solid foundation to begin your discussion about risk within your enterprise.

As you begin your assessment, there will be components that will require you to interact with your various business departments directly. Use this assessment as an opportunity to start building the relationships you will need as a CISO. Your stakeholders have critical knowledge about your organization, and you will need them to help your program mature and grow a cyberculture within these departments.

As you work with these stakeholders, you should seek to gain the insight that you will need as a CISO, which is to understand what assets you must protect for the organization to be successful.

Questions for the CISO to Gain Insight to Critical Assets

♦  Do I understand which applications and services are critical for my organization?

♦  Do I know what data these critical applications create and where this data is stored and backed up?

♦  Does my organization have formal agreements with its critical partners that allow us visibility into how they are managing their technology-based risks?

♦  Does my executive leadership team understand what threats and vulnerabilities are being used by our adversaries to target the products the company presently has in its technology portfolio?

As you begin discussions with your stakeholders, there is one crucial point I want you as CISO to pay attention to and document. This critical point is the tone that you and your teams get from these stakeholders on anything associated with your cybersecurity program. Most boards of directors only speak about cybersecurity when there is a breach. If the board is routinely addressing security and senior executive management is sponsoring your security program, you should see the beginnings of cybersecurity awareness taking root in the organization’s culture.

However, if this is not the case, it will be harder for you to get accurate information when conducting your assessment. I bring this point up because it will give you much-needed insight into how you should address your stakeholders and the responses you might receive from them.

As a CISO, I have found in the past that there will be departments that will want to work with me as a partner and departments that will try to ignore me. Those that were partners I treated as equals in the process, and I championed their projects at tech review. I also included their inputs in new security policies and work processes and requested their assistance with my reluctant departments to eventually grow the trust required to conduct a full cyber risk assessment with all departments.

So back to our cyber risk assessment. As CISO you should also review current practices and overall company preparedness. Several critical processes that should be a focus of the risk assessment are:

  1. “Risk Management and Governance” – this component is about strong governance with clearly-defined roles and responsibilities. There should be assigned accountability to adequately identify, assess, and manage risks across the organization. How well does management account for cyber risk when implementing new technologies? Is there a formal process to review and mitigate issues as required? It is also in this process that we look at our personnel, who are the company’s first line of defense. It is here that we address whether the organization is providing cyber awareness training to employees and whether this training is effective in providing employees with an awareness of ongoing cyber risk.
  2. “Threat Intelligence and Collaboration” – this component is about the processes the business has in place to collect and analyze information to identify, track and predict the intentions and activities of your adversaries. This information can be used to enhance your decision-making capabilities, providing needed visibility into the risks associated with large strategic projects. Participation in information-sharing forums such as CERT, NIST, InfraGard, MS-ISAC or FS-ISAC is considered critical to the CISO. A vital element of the CISO’s job is assisting with organizational risk management, and the information from these partners is instrumental in the CISO’s ability to identify, respond to, and mitigate cyber threats/incidents.
  3. “Security Controls” – this component focuses on the employment of security methodologies that can be preventive, detective, and corrective. Most organizations will use preventive controls, controls that are focused on preventing unauthorized access to enterprise assets. However, a mature cybersecurity program will employ multiple control types, interwoven to provide more resilient coverage against the changing cyber threat landscape. The types of controls that can be deployed to work together are:
  • Preventive Controls – processes such as patch management and encryption of data in transit or at rest. These controls need to be periodically reviewed and updated as the organization’s technology portfolio
  • Detective Controls – tools that are used to scan for vulnerabilities or anomalous behavior. Some of these controls are anti-virus/anti-malware solutions or new endpoint solutions.
  • Corrective Controls – these are controls designed to fix issues. Examples are organizational policies such as change management, patch management, and third-party vendor management.

With the deployment of these controls don’t forget to ask yourself “what are the processes for implementing them?” Are these security control processes documented and are they periodically reviewed? What are the procedures to mitigate risk identified by these processes? As you can see, controls are like children. They will need to be fed, monitored, cared for and, as they mature, updated to ensure they effectively provide value to the organization.

  4. “External Third-Party Management” – this component is about the management of connectivity to the business’ third-party providers, partners, customers, and others. What processes/policies should the company have in place to manage these relationships? Part of this component will be organizational directives that document company policy for executing contracts with third-party entities. Does current contract policy spell out what types of connections you require to corporate networks? Does current contract policy spell out what data will be required and document who will access it? Does current contract policy include as part of the contract a “verification of risk standard” concerning the external partner’s disaster recovery/incident response plans?
  5. “Incident Management” – this component is critical for the organization. It focuses on cyber incident detection and response, mitigation of identified risks, incident escalation/reporting procedures, and overall cyber resiliency. In the assessment process, you will need to identify whether the business has documented procedures for the notification of customers, regulators, and law enforcement concerning a breach. You will also need to verify that you periodically report metrics you collect on this component and its maturity to senior management. One last essential process to verify through this risk assessment is “does the organization have documented Disaster Recovery and Business Continuity plans?” In answering this question be sure to verify that you test the plans, there are communication policies in place, and there is a documented process for how to include trusted third parties for effective communications.

As you can see from our discussion so far, in assessing the organization to develop a more thorough understanding of its inherent cybersecurity risk, you will generate an inordinate amount of data. This data focuses on the essential technology and business process components required by the organization to execute its strategic business plans. This information will be extensive and can be overwhelming, especially if the organization has numerous business verticals and international business channels. However, as CISO you now have a decision to make, and that is “what do I protect first?” Not all assets are created equal, and now it is time to prioritize with your stakeholders which ones require the most protection and the focus of your cybersecurity risk management program.

As CISO, you use a process called “asset classification” to decide the level of protection dedicated to an asset. You will find that organizations tend to overprotect assets and data. In the world of technology, not all data and assets require the same level of protection. As CISO, you will want to understand what assets make up the category of “most valuable assets” as prioritized by the business stakeholders. This means that your stakeholders will assist you in prioritizing what is important to them. A good rule of thumb to help you in this process is to ask, “If these assets are stolen, compromised, misused, or destroyed, would this result in significant hardship to the organization?” If the answer is yes, then they are critical assets and will require added protection. Once you have this list, you will also need to understand their location and, most crucially, who has access to them.

I am sure by now you are wondering what baseline should be used to assist the organization in grading these assets. You know that you will be working with the business’ various departments to identify what assets are critical and you have some excellent questions to ask yourself as you review the data you collect. However, there is a methodology for determining what is essential and requires extra protection. Some steps I would recommend are as follows:

  1. Identify the critical assets and business processes – following the steps I listed above, work with your stakeholders to create a prioritized list of essential assets. Some examples of asset types that fall into this category are trade secrets, market research, trading algorithms, product designs, people, and R&D research.
  2. Determine the assets’ value to the organization – “one size fits all” doesn’t apply when you are assessing technology, work processes, and data types. I gave you some questions to measure the criticality of the assets under scrutiny. However, there is also the topic of compliance. You will have asset types that fall under a regulatory/compliance regime, and as such, they will have laws and fines associated with them. What this means to a CISO is that once you have your prioritized list, you will still need to review it for any items that are governed by compliance and move them towards the top of the list. You will want to ensure your business has visibility on compliance-related assets when they help you set the priorities for this list.
  3. Determine the risk tolerance of the organization – once you have identified and ranked the organization’s assets, you need to determine how much risk the business is willing to accept. This idea of risk tolerance focuses on how much protection the business is willing to employ provided it doesn’t interfere with its ability to conduct operations. I have found, as CISO, that there will be times where a critical asset will not receive a specific level of protection for fear of degrading a business process. This becomes a risk the organization is willing to accept, and it is one you will need to document and develop other compensating security controls or methodologies to monitor and manage. The critical part of this step is listing those assets that have degraded protection, developing compensating controls to mitigate as much risk as possible, and then documenting the residual risk for monitoring and hopefully future mitigation.
  4. Set appropriate levels of protection for each asset type – This last step is a recommendation for organizations with large numbers of assets. I have used this step to separate my data into asset groups prioritized in the previous steps. Now with these identified groups, you can establish a level of controls that apply to the specific asset types, and you can determine who has responsibility for the assets. With responsibility identified, you can create a matrix of management to document who is responsible for the assets, who can make decisions about whether to accept or mitigate risk, and who will assist you and your teams in remediating any security issues.

One final aspect of identifying what needs to be protected and establishing an appropriate level of security is developing training scenarios for staff to protect their assigned assets. The CISO is expected to not only understand the complexity of risks facing the organization but know how to mitigate any cyber-related incidents quickly. This is why you will want to create training scenarios. With the work previously completed in assessing the organization’s cyber risk maturity level and establishing what assets are critical, the CISO can now take these training scenarios and include them as an appendix to the organizational incident response manual. These scenarios should be used to test the organization’s response to the ongoing list of threats it faces on a daily basis and to assist it in improving its business continuity.

Cybersecurity Must Be a Priority, or Is It?

The Information Systems Audit and Control Association (ISACA) completed an international survey in 2018. This survey, titled “State of Cybersecurity 2018” (ISACA 2018), had over 2,366 cybersecurity managers and security professionals respond. It confirmed that the rate of cyber incidents continues to grow at an alarming rate and the sophistication of attack methods is evolving. Two interesting statistics from this report that I found particularly daunting were that 75% of respondents reported that they expect their organizations to fall prey to a cyberattack this year, and 60% felt their security staffs were not mature enough to handle anything beyond simple cyber incidents.

I am sure you are asking, “Why is this important?” Well, the reason is that as CISO it is your job to understand the maturity of your organization concerning cybersecurity. It is also your responsibility to ensure that your organization is prioritizing the risks your security program is designed to manage and if it is not, that you have the policies and procedures in place to educate your organization’s officers and directors accordingly. This brings us to our next topic of discussion, “What must my executive team do to prioritize cybersecurity in the organization? As CISO, what components and policies must be part of my cybersecurity program to manage risk and keep my executive team informed effectively?”

Corporate laws in every state of the United States impose fiduciary obligations on all officers and directors of companies. To fulfill these obligations, the senior management and board of directors must assume an active role in the governance, management and corporate culture of their respective organizations. In fulfilling these obligations, they must address issues that would put their business at risk. One of the greatest risks they face today is how the organization responds to the threat of cybercrime.

I like to think that organizations come together under the umbrella of cybersecurity, with the board of directors leading the effort, combined with multiple organizational components, including business units, HR, Compliance, finance, internal audit, and procurement. Through collaboration with the CISO and his or her team they can effectively execute the organization’s cybersecurity strategy – cybersecurity does not flourish in a vacuum. For this collaboration to happen, it must start at the top with the executive team. This team must demonstrate, through its actions, that cybersecurity is a priority for the business. Some specific actions that a CISO should observe from their board of directors and executive leadership teams that indicate that cybersecurity is a strategic priority are as follows (Foley & Lardner LLP, 2015):

♦  Members of the executive staff are educating themselves on the risk to the organization from cybercrime.

♦  Leadership is reviewing the status of the corporate cybersecurity program and requesting periodic updates of its maturity level and the status of any outstanding issues.

♦  The executive staff is reviewing current security plans and standing policies.

♦  Leadership is prioritizing cybersecurity projects.

♦  The board of directors and executive leadership are requesting briefings on incident response and disaster recovery policies and any testing results. They are especially asking for information on how the organization will manage a breach and if this policy has been tested recently.

♦  Executive leadership and the organization are aware of the risk from current third-party relationships and procedures have been put in place to document and mitigate this risk to the organization.

♦  Policies are in place for the business to document and manage technology risks associated with all new third-party relationship decisions.

As the above steps demonstrate, the CISO and his/her team will be involved in assisting company leadership in addressing and reducing the risk of cybercrime. However, even with these steps, we need to remember that every organization that uses technology and employs risk reduction controls is still exposed to cybersecurity threats. Because of this evolving exposure, it is essential that corporate cybersecurity and risk management programs be integrated into the strategic operations of the company to minimize any disruptions concerning cyber incidents. For this type of well-managed program to exist, executive leadership will need to be actively involved, and the CISO will need to work with his/her leadership teams to effectively demonstrate a “standard of reasonableness,” or as it is known in the legal profession a “standard of care.”

What this means to the CISO and the executive team is a legal determination that the organization is conducting a cybersecurity risk reduction program with applicable standards of care and best practices to reduce its risk exposure. This determination is important because we know as cybersecurity professionals that breaches will occur; however, with an engaged executive team and a mature cybersecurity program, we can demonstrate that the organization is taking all reasonable steps to protect itself and the interests of its stakeholders.

Understand that in the triage of a breach cleanup many of the organization’s steps to prioritize cybersecurity will be evaluated to determine if the organization committed appropriate financial, technical, and human resources to the cybersecurity and risk management programs. The answers to these questions are critical. They could either lead to proper payments from the organization’s cyber insurance policies or the opposite, lawsuits from partners and customers who seek to recover from losses generated by the resultant cyber incident.

Gary Hayslip

CISO DRG Vol 1: Chapter 8 – Tools and Techniques

Introduction

In Chapter 8, we discuss our views on tools and techniques that the CISO can use to validate an organization’s security controls. Each of us provides guidance on how we have used specific tools and techniques and will examine the importance of understanding a tool’s role in mitigating risk and providing actionable information. All of the authors emphasize the importance of collaborating with stakeholders to select the best approach for deploying new critical processes and using tools to measure their maturity.

Through the aggregate of their different approaches, the authors provide the new CISO with a unique opportunity to understand the importance of tools and critical strategies to an organization and their detrimental impact to business operations if not implemented correctly.

Bill approaches this discussion of tools and techniques for CISOs by focusing on the connection between the people on our team, the tools they use, and the continual improvement that is necessary to keep up with the evolving threat landscape. To Bill, knowing which business processes are most critical allows us to invest our limited resources in the best outcome.

Matt starts his discussion with the statement that common sense is one of the best tools a CISO can use to protect their organization. He states that with common sense and some context on the processes that devices are used to serve, the CISO can often provide better service to the company than by purchasing new technology. Matt makes the case that through the use of tools such as a Business Impact Assessment (BIA), the CISO can collaborate with his/her fellow stakeholders to understand the organization’s risks, resulting in a selection of techniques and tools more finely tuned for its strategic business operations.

Gary begins his discussion with a list of best practices he has compiled over the years that an organization and a mature cybersecurity program should use to reduce risk exposure. Gary then provides a list of recommended techniques a CISO and the security program should apply to sustain a more business-centric “cybersecurity as a service” approach. He concludes his discussion by listing and describing the various domains of standard tools that are available to organizations and their security programs to protect enterprise assets.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  What best practices would I recommend that new CISOs implement to reduce risk and provide value to their business?

♦  What actions or techniques can the security program proactively take to better protect organizational assets and preempt threats?

♦  What are some core tools/solutions that I would recommend to a new CISO to support cybersecurity operations?

Tools and Techniques – Bonney

In this chapter, we’re going to cover tools and techniques with an equal emphasis on both process and technology. The temptation among those of us in the technical fields is to think tools first. While tools are often helpful in solving various process problems, an over-reliance on tools is often expensive and usually decreases the effectiveness of any given program. The outcome of working through this chapter should be a roadmap that will allow you to right level your processes for your current requirements and build a technology roadmap for your future needs.

Build the Process Inventory

We’re going to start with a critical data-gathering step. Whether inheriting a mature program or building a new program, the crucial first steps are to document your process inventory and take stock of the tools your organization uses to assist with each process. It’s fundamental that you focus first on your process inventory, understanding how these processes map to your organization’s business objectives. Make sure you completely understand what you are protecting, and from what threats. Know how you are reporting the effectiveness of these processes to management and communicating expectations to your entire organization. It’s important to keep these points in mind as you inventory your tools and map that inventory to your process inventory.

To make sure you get a complete list, use the same information security framework you use for measuring and reporting. In Chapter 5 on measuring and reporting, I listed several options for security frameworks and standards that you can use to determine where you need to have processes and controls in place. PCI-DSS with its 12 high-level requirements and 300+ detailed requirements is a necessary standard for any portions of your network that handle payment card data. Likewise, NIST 800-53 with its 18 security control families and detailed implementation guides provides a wonderful blueprint for a robust collection of processes. Finally, the CISSP 8 Practice Domains and CIS Critical 20 Security Controls provide an inventory of critical must-have processes with which to build a robust program. Any of these will help you create a baseline of processes upon which you can build your inventory and perform your assessment.

Bill Bonney

CISO DRG Vol 1: Chapter 9 – Security Policy

Introduction

In our last chapter, we review one of the core topics that all security and risk mitigation operations revolve around – the organization’s cybersecurity program policies. Policies are the foundation for a security program. They explain the requirements for specific processes, including who has the responsibility for process execution, and specify the resources required for mature operations. For many organizations, not having the correct policies in place can significantly impact their ability to defend themselves against cyber criminals and can degrade their ability to recover from a cyber incident. It is the responsibility of the CISO and executive management to have the correct policies in place, ensure the organization follows the policies, and periodically update them as the business/technology environment changes.

In this chapter, we will provide insight into the recommended policies an organization should have in its portfolio and describe in detail the components of a corporate information security policy. The authors approach this subject from different viewpoints, and you can rightfully assume that their wealth of experience on this subject demonstrates the importance of security policy for the CISO.

Bill provides his viewpoint that information security policies are foundational to an organization. He discusses the relationship between policy, standards, guidelines, and procedures. Throughout, he notes how important it is to maintain the connection between business objectives and the organization’s policies. Finally, Bill asserts that “policy has a purpose,” that it is written for action, and he elaborates on the principles and steps for establishing an effective cybersecurity policy.

Matt states that CISOs use security policies to be effective in fulfilling the requirements of their position. He discusses the balance between creating a policy that has a specific objective, and that is actually used in the organization. Matt then articulates the core elements of a well-structured policy and provides recommendations for specific policies that he deems crucial for an organization and its cybersecurity/risk management programs.

Gary provides insight into the essential components of an organization’s information security policy. He then walks the reader through a step-by-step process for creating an incident response policy and describes how an organization should use it. He concludes his discussion by providing a list of recommended policies that a CISO should build and use to address the risks facing their organization. He makes the case that through the use of these policies and resulting work practices, the CISO can enable the organization to be more resilient to the risks it faces.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  In building the organization’s information security policy, what components should the CISO consider essential?

♦  Does the organization have a formal, documented incident response policy and plan? If not, what best practices does the CISO need to consider to create them for the organization?

♦  In developing a mature cybersecurity program, what recommended policies should the CISO develop to increase his/her security program’s effectiveness?

Security Policies – Stamper

Many CISOs may feel that our titles don’t reflect what we do on a daily basis. It may seem that we are the CPO (Chief Policy Officer) of the organization and not the CISO. Our days are filled with writing, reviewing, and updating policies rather than deploying next-generation security tools, the fun stuff. Indeed, it can seem that there is no end to the number of new policies that we need to draft and disseminate within the organization. Having too many policies results in policy overload and policy fatigue among our colleagues. If we have too few, the commensurate gap in procedures and practices could lead to operational blind spots that put our organizations at risk. There has to be a reasonable balance to ensure that we address the objectives of the policies, procedures, and practices without generating security apathy among our colleagues.

Just as significant as the right balance and number of policies is how we enforce them. We should not write policies that will only be shelfware. We should operationally translate policies into documented procedures and practices – to wit, the notion of P-cubed (policy, procedure, and practice). Policies without the associated guidance on the procedures and practices are incomplete. It’s easy to say that we should employ a least-privilege methodology, we should encrypt critical data, that we should have strong passwords, and on and on. However, without specific guidance on how we achieve these end states, there is too much room for ambiguity. As I noted earlier in this book, “Declare War on Ambiguity!” Procedural guidance should indicate how to perform the practices, how to conduct and show evidence of review and approval activities, as well as the documentation and systems used to complete a given procedure.

Structure Counts: Consistent Policy Design

One reason why so many policies are ineffective is that the actual structure of the policy has never been standardized within the organization. The consequence of this is that policies are incomplete and omit critical elements required for their successful implementation, notably management authorization and employee acknowledgment. A well-structured policy should at a minimum include the following core elements:

♦  Policy ownership – In the context of a RACI matrix, a policy requires someone to be accountable for the procedures and practices needed for the policy’s compliance. Note this individual or role as the policy’s owner.

♦  Review and approval – Policies should be reviewed and approved by executive management. This authorization should be formalized and include those executives who are impacted by the policy’s scope, including the formal approval of executives beyond traditional IT roles such as the CIO or CISO.

♦  Employee acknowledgement and sanctions – For policies to be effective, they need to be read and acknowledged by employees and, in many cases, independent contractors and vendors. A policy should include a formal acknowledgment section where employees confirm that they have read the policy and understand that failure to comply with the policy, unless duly authorized by management (and this would be an exception), could lead to disciplinary action up to and including employee dismissal. Ideally, once employees have signed the policy, these acknowledgment forms should be kept by human resources and maintained in each employee’s HR file.

♦  Effective date – Policies should have a clearly stated effective date. This formally conveys that the policy is in force and is part of the organization’s overall governance practices.

♦  Review date – Policies should be subject to review. Ideally, policies should be subject to an annual review where there may be updates to procedures and practices, scope, or policy ownership. Language indicating that the policy may be reviewed and updated from time to time, based on changes to the organization, technology, or other changes should be incorporated to offer flexibility.

♦  Version – Policies should be version controlled. The version number should change following each annual review (or during an interim review if required).

♦  Scope – Policies should have a defined scope or boundary for their required procedures and practices. The policy’s scope will determine where applicability to needed procedures starts and ends within the organization. As a case in point, there may be a policy to require encryption of data in transit and at rest. The scope of the policy would specify which types of information should be encrypted (e.g., PII or ePHI).

♦  Procedures and practices – Policies should reference the specific procedures and practices required to ensure that the organization is meeting the policy objectives. Proper procedural documentation leaves little space for ambiguity. Procedural documentation should also capture the system(s) of record used to carry out the activities, the types of documentation created relating to the procedure, and where this documentation is stored. Validation and verification activities should also be clearly captured and understood. There should be no doubt what’s required, who is doing the work, and how it is measured and validated.

Procedures should include a basic RACI. This should note who is:

♦  Responsible (the individuals or departments doing the actual work)

♦  Accountable (the specific role or individual that effectively owns the result of the procedure)

♦  Consulted (individuals with expertise and knowledge of a given domain that can help validate and inform procedures and practices)

♦  Informed (those departments, individuals, clients, regulators, boards, etc. that should know about the existence of a procedure and the outcomes of its activities).

Collectively, these elements are necessary constituent parts of a well-structured policy.

Matt Stamper

CISO DRG Vol 2: Chapter 10 – Finding Talent and Developing Your Team

Introduction

We begin Volume 2 with a discussion about people. As you strive to create a world-class cybersecurity program, you must recognize and address the critical human element. We look at the human element from several different perspectives. We include the technical skills that are required and how to assess them; motivating, inspiring and nurturing the people on your team; and understanding the environmental factors that impact your talent pool and your hiring decisions.

Bill Bonney offers a lot of practical advice on assessing, recruiting, motivating and developing the people on the CISO’s team. But he also recommends an honest assessment of the tasks that can realistically be outsourced to third parties and proposes that you look at how technology, specifically artificial intelligence, can help you be more effective in meeting your goals. Bill includes a bit of a call to arms for our industry to address the shortfall of qualified candidates.

Matt Stamper suggests that CISOs should carefully consider how they define each position. It is essential that requirements and job descriptions are realistic and appeal to the people you are trying to attract. Matt also thoughtfully unpacks several factors, both internal and external to the organization, which impact the composition of the talent pool for any particular hire.

Gary Hayslip takes a data-driven approach to workforce planning that acknowledges the fierce competition for talent in the field of cybersecurity and offers practical advice for motivating the people on your team. He continues using data to define a set of metrics to help the CISO determine if the talent on the team is delivering the outcomes that are needed and to help develop the training necessary to close any gaps.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  How do CISOs develop their hiring priorities to support the organization and their cybersecurity program effectively?

♦  What hard and soft skills does the CISO believe their cybersecurity program requires?

♦  How can I construct a training program that will keep my team’s knowledge, skills, and techniques current?

♦  What metrics can I use to measure the effectiveness of my cybersecurity team’s capabilities to provide security services and reduce risk to the organization?

Talent, Skills and Training – Bonney

I think it’s important to put the topics of recruiting, skills, training, and development in the larger context of talent management and the still larger context of the changing workforce demographics and the technical skills shortage that we face in industry – the so-called “War for Talent.” My point is not to give the reader comfort that this is a problem faced by many companies across most industrial sectors and throughout the entire world economy because that doesn’t absolve us from dealing with the problem, but rather, to draw attention to the true scope of the problem.

In the larger sense, we are dealing with a fundamental transformation of the use of human capital, on par with the industrial revolution. We should keep this in mind when determining how to approach our talent issues. Yes, the short-term tactical advice is always useful. But, planning for the long term can’t be ignored and will take a combination of human resource planning, government policy changes, new capacity and new approaches in our education systems, and new technology. These changes will require us to work differently with partners and suppliers to achieve the outcomes we want. We can’t rely on the old models of allocated headcount with defined duties and desired skills to just “get the work done.”

Talent and the Human Element

Let’s first put the topics for this chapter in the larger context of talent management. Talent management as a discipline traditionally includes four pillars: recruitment, learning, performance, and compensation. This chapter is focused on recruitment and learning which is done for an outcome (performance) at a price (compensation). Keep in mind that the purpose of talent management is to create a high-performing, sustainable organization that meets its strategic and operational goals and objectives. The goal we have for talent development is to:

♦  allow the Information Security team to develop the skills and capabilities to continually adapt to changing business and threat environments, thereby

♦  help the larger organization identify and manage the risks that threaten its information and operations technology, in order to

♦  safeguard the organization’s data (both generated and entrusted), and

♦  protect the people and operations from cyber and cyber-kinetic harm, thus

♦  enabling the organization to compete with less drag and friction.

I think to be successful with how we approach building and developing our team’s capabilities we need to consider the human element. Several different works that share some similarities with each other are helpful here. The first is a book called Drive: The Surprising Truth About What Motivates Us (Pink 2009) by Daniel H. Pink. The second is a study conducted by Tony Schwartz of The Energy Project along with Christine Porath, an associate professor at Georgetown University’s McDonough School of Business. The study is summarized well in an article in the New York Times (Porath 2014). The third is an article in the MIT Sloan Management Review (Gunter K. Stahl 2012) called “Six Principles of Effective Global Talent Management.”

What is common to these works is the assertion that the sense of purpose that each person has for their work is more indicative of their engagement and success than their skills. The argument is that affinity is a more important predictor than efficiency.

That is not to say that skills aren’t important. On the contrary, one has little chance of being successful without possessing the skills required for the job. But it would be worth your time to review these works. Daniel Pink tells us that by providing our teams with opportunities for autonomy, mastery, and purpose, we are providing the key ingredients to motivate our people. Tony Schwartz and Christine Porath tell us that employees are vastly more satisfied and productive when four of their core needs are met:

♦  physical, through opportunities to regularly renew and recharge at work;

♦  emotional, by feeling valued and appreciated for their contributions;

♦  mental, when they can focus in an absorbed way on their most important tasks and define when and where they get their work done;

♦  and spiritual, by doing more of what they do best and enjoy most, and by feeling connected to a higher purpose at work.

Gunter Stahl, et al., found that large successful companies adhere to six key principles rather than traditional management best practices focused on maximizing the four pillars listed above. Those key principles are:

♦  alignment with strategy,

♦  internal consistency,

♦  cultural embeddedness,

♦  management involvement,

♦  a balance of global and local needs, and

♦  employer branding through differentiation.

Therefore, I’d like to suggest that we think of the people we work with, who help us achieve our outcomes, as people, not just talent. We would like to hire the best people with the right skills and mindset, help them become even better at what they do, have them share a common set of goals, and have them engaged and happy to be part of our team for the long haul.

Recruitment

With the human element considered, let’s turn to the issue of recruitment. I referred at the beginning of this chapter to the “War for Talent” and noted that we are dealing with a fundamental transformation regarding how we deploy human capital. These changes affect different industries in unique ways and the various functions within organizations in very different ways. Three factors I think we need to address are the scarcity of qualified workers, third-party service delivery, and augmentation using artificial intelligence.

Scarcity of Qualified Workers

A significant result of the industrial revolution was the migration of populations from rural to urban centers. This migration was aided by several factors. Among these factors were the ability of manufacturers to expand the capacity of their workforce, the resulting increase in productivity and profitability of doing so, the resulting elasticity of wages, and the relatively low barrier to entry (compared to both the guild system that preceded industrialization and the highly technical skillsets that are required in today’s digital workplace). While there were often labor shortages when new factories or industries popped up, the pace of industrial development, the availability of investment capital, and the speed of communications served as natural governing factors.

Still, labor shortages could at times doom businesses or at least temporarily suppress profits. In short, the demand signal was sent, and the response was the arrival of men and women ready to work. Training shifted from years of apprenticeship to mere weeks of classroom or vestibule training, but the key factor was the availability of any person ready and willing to work.

Fast-forward three hundred years, and many of the jobs we need to fill are highly specialized, requiring years of school and what amounts to years of apprenticeship. The demand signal has again been sent, and governments and universities recognize the severe shortages of highly-skilled workers, not just cybersecurity professionals. However, the pace of development in the digital age, the availability of abundant investment capital, and the instantaneous speed of communications serve as accelerators, not governors.

Enough Admiring the Problem. What Are We Going to Do About It?

First, CISOs must recognize that they are always recruiting. Even if there is no unfilled headcount today, the people you meet, the connections you forge, and the network you build will be necessary to create and maintain a pool of talented people for your organization. And while there is a minimum bar for the skills your team will need to be successful, you can only hire for so many of those skills. The cost (in hard cost and opportunity loss) of competing for and hiring fully formed senior security engineers for all positions has already become prohibitive.

Hiring the right team will be a mix of seasoned individuals from outside of the organization along with individuals you nurture. You will use your network, internal and external to your organization, to help you identify and attract both.

You could easily create a laundry list of security domains along with areas of specific process expertise from reviewing the requirements and controls listed in the eight CISSP domains, the 18 security control families from the NIST 800-53 standard, and the 12 PCI-DSS requirements. Add in various processes that have information technology and information security overlap, such as vulnerability management, change management, and mobile device management, along with security-focused activities, services and products such as threat intelligence, forensic analysis, penetration testing, intrusion detection and prevention, and the whole discipline of governance, risk and compliance, and you have a massive set of competencies from which to select job requirements.

It’s tempting to reduce this problem to simple analogies such as building a professional sports team. Drafting from the college ranks to fill skill gaps is like hiring workers early in their careers. Using free-agency can fill more senior positions. The minor leagues provide internships. And a deep bench can stand in for succession planning. These analogies can help explain the situation in simple, familiar terms, but they can also seem repetitious and shallow, and the consequences of failure are very different.

When we trivialize talent development by comparing it with building a sports team, we risk treating all professionals the same as members of sports teams – short-term combinations of skills designed to win a trophy. Failing to win a trophy is disappointing to the team and the host city, but teams can be overhauled in a matter of a few years and a trophy in 5 or 10 years, though not ideal, will still be celebrated.

The skills needed to be successful in the modern white-collar workplace (both hard and soft) are not so readily observed, as they are showcased outside of the arena of public spectacle. Employees are afforded many labor protections that professional athletes do not enjoy. And, the consequence of the team’s performance is greater than the disappointment in the execution of a billionaire’s hobby. And thus, the analogy breaks down.

The few elements of this analogy I do think can add value to our thinking are the youth leagues and skills development programs that exist across all of the major team sports. These programs are available for baseball, football, basketball, hockey, soccer, volleyball, gymnastics and even sports that are more focused on individuals, such as tennis, swimming, ice skating, skiing and golf. In fact, I can’t think of any sports that don’t have youth leagues and skills development programs, and many include community outreach, traveling ambassadors, senior leagues, and representation in K-12 physical education programs.

While not the only cause for this deep infiltration of sport at every level of our society, one major reason for this is President Kennedy’s revitalization of the President’s Council on Physical Fitness and Sports. Physical fitness was seen as a critical need for all Americans to maintain a healthy lifestyle, both for their health and the cost to the nation that would most certainly result from the poor health of the population.

I do not mean to trivialize healthcare or the impact of poor health to our lives, but I do think that building a nation that is “cyber healthy” will be crucial to our citizens’ financial health and our nation’s public safety. I believe that existing programs that invest in STEM (and STEAM) education, hackathons, and other curriculum-based and after-school activities for the K-12 education system are vital to both teach skills and familiarize students and their parents, with cyber hygiene, cyber defense and where the skill and interest surfaces, cyber offense.

Investing for the Long Term

There is widespread recognition that building the skills and competencies needed to improve the overall cybersecurity of critical infrastructure requires national and coordinated attention. NIST’s National Initiative for Cybersecurity Education (NICE) is focused directly on addressing this challenge. NIST Special Publication 800-181 defines the NICE Cybersecurity Workforce Framework.

NICE offers prescriptive detail regarding seven high-level categories of cybersecurity work and 33 specialty areas within them. It defines 52 work roles while providing the requisite knowledge, skills, abilities, and tasks for each role. NICE thereby helps organizations understand the types of skills and competencies that will be required to support a security program comprehensively.

In the graphics below, the seven categories are described, and a sample drill-down into one work role is provided. Within each category, NICE provides insights and recommendations on the training necessary to adequately address the function. NICE therefore provides a foundation for your cybersecurity staffing program.

Both graphics are courtesy of the National Initiative for Cybersecurity Careers and Studies.

Figure 10.1 The NICE Cybersecurity Workforce Framework

Figure 10.2 Detailed Description of Analyst Position

With the NICE skills framework, educational organizations across the nation, including K-12 schools, trade schools, community colleges, technical institutes, and universities can design programs to provide the critical training our workforce needs.

Helping the cyber workforce become productive is another gap that we must fill. The traditional model of graduating four-year degreed individuals from colleges and universities will not, by itself, overcome the worker deficit we face. On-the-job experience, in the form of internships and apprentice programs, is another vital source of learning that is necessary to allow newly trained workers to put their skills to use quickly.

Internships are excellent supplements for the typical four-year program that help the student step out of the classroom and spend critical time in the field at a variety of organizations, seeing real-world events unfold in real time. Apprenticeship programs allow a broader set of experiences that can help trainees use additional avenues to gain the skills they need. These include students who are not following the four-year degree path, workers reentering the workforce, military personnel who are transitioning into the commercial workforce, and other sources of specialists that are currently under-utilized. A critical insight is that the total number of seats in four-year degree programs is not adequate to provide all the cybersecurity workers we will need, and that the traditional four-year program is simply not required for many of the entry-level positions that currently go unfilled.

One final recommendation about some of these novel approaches to training the cyber workforce of tomorrow is to look to cyber ranges as an option worth exploring. Cyber ranges can help you train new workers on current methods and help keep your existing workforce up-to-date. Think of cyber ranges as simulators, but under live fire. In order to train our pilot workforce without crashing real planes, we built and deployed flight simulators. Cyber range scenarios are real, but with coaches and highly-skilled experts available as backup.

Hiring Who You Need

Coming back now to your immediate hiring decisions. While it’s difficult to hire individuals with a mastery of the complete list of skills and experience across each of the relevant domains, senior security engineers and security architects should have a fundamental knowledge of all of them. How can you possibly determine whether the more senior people you are hiring have the right level of broad mastery? Some rely on certifications, but I challenge how effective that is. I see a lot of value in certifications; they set an effective minimum bar in many areas, they come with an ongoing requirement for continuing education that in theory keeps people in constant learning mode, and they provide a shorthand for assessing, in aggregate, the skill level of a department.

The latter is the most perilous, though. In any population of certificate holders, just given a normal bell curve of capability, there will be some people who barely met the proficiency requirements. It is not statistically impossible to have a larger than normal collection of people on the left side of the bell. Also, the minimum bar I spoke of is just that, a minimum. It gives a reasonable assurance of familiarity with general concepts, but unfortunately, there is not enough assurance that the familiarity comes along with experiential knowledge.

So, while certifications have their purpose, we can’t solely rely on them for determining the technical fit for new hires. What other tools do we have? A lot of time and energy have gone into interviewing techniques that will both root out the hard skills (have the candidate take a coding test or configure a firewall rule) and soft skills (subject the candidate to team interviews with each team member tasked with assessing certain key soft skills such as communication skills, problem solving, managing up, and team dynamics). There are several systems out there. One of the more popular ones is the “STAR” Technique: situation, task, action, result. It’s so popular that interview candidates also use it to prepare to talk to you.

None of this is ground-breaking, and chances are good your Human Resource department will have a favorite rating system that you can adapt to the hard and soft skills that you want to test for in your screening. But most of the last two paragraphs assumes that you have a pool of reasonable candidates to start from, and your job is to screen for a fit for your team. I do happen to agree that these techniques are valuable. However, I have always found the greater challenge to be finding the reasonable pool of candidates in the first place.

That is why I said that even if there is no unfilled headcount today, the people you meet, the connections you forge, and the network you build will be necessary to create and maintain a pool of talented people for your organization. You want to make sure you always know who you would try to recruit to your organization if you should have a position open. Every interaction you have in your local security community is a recruiting event. Every meeting, every talk, every conference, every happy hour.

I’m going to put the cart before the horse to share a brief thought. The single most important recruiting tool you have is your team. If team members are motivated, work as a team, win more often than they lose, celebrate their wins, pick each other up when they are down, and care about the company they work for, others will want to come work for you too. I know that doesn’t help a lot when you are building a new team, but there is some element of that statement that you can leverage in practically any situation. They will help make your team an attractive place to be before there is a position available.

It is also important to pay attention to social tools such as LinkedIn and Twitter as well as any blogs or security forums you participate in. Make sure your profiles are up to date and that they show a positive image of you and your role. The same should be true for the people on your team. Just as companies use social tools to vet candidates, we all use social tools to vet the companies and teams we want to join. When we see a limited profile, we might believe them to be insular and two-dimensional. That may not always be accurate but underestimate the subconscious signals we pull from social tools at your own peril.

Bill Bonney

CISO DRG Vol 2: Chapter 11 – Cyber Awareness Training: It Takes an Organization

Introduction

Educating your workforce about cybersecurity through an awareness program is a foundational requirement that all cybersecurity standards share. So why don’t we have a very well-educated workforce when it comes to cybersecurity? Perhaps too many organizations, when they recognize the need for a cybersecurity awareness program, treat it like a change management effort; roll it out just in time and then add it to the corporate training curriculum. We know that’s not effective.

Bill begins this chapter by recalling that there have been other large-scale societal changes that have required massive, sustained awareness programs. He outlines the commonalities between these programs and allows the reader to draw inferences that will help put their program into context and set it up for success.

Matt continues the discussion by showing how each member of the executive team must buy in and be part of the solution. Education and awareness are about people, and specifically, the role each of us plays and how that role is personal to every one of us and through us becomes personal for each organization.

Gary then shows us how important it is to measure what we do, and more importantly, to build a habit of learning from each breach and changing the training content so that it evolves as our threat environment evolves. Tying our metrics to our awareness program is a powerful concept and will help any team be more successful by focusing on continual improvement.

The authors would like to pose some important questions to think about as you read this chapter:

♦  What are the “lessons learned” from industry data breaches that can be used to reduce our organization’s risk exposure to these adverse events?

♦  How successful is training our staff in actually preventing breaches versus having the right software and hardware in place?

♦  Does our organization have a culture of cybersecurity awareness and do we have a program to educate our staff?

♦  What is our Incident Response Plan and how do we train staff, stakeholders and partners on how to use this plan?

The Critical Role of Security Awareness with Executive Management – Stamper

Doesn’t Every Executive Value Cyber?

Who doesn’t love the technical side of cybersecurity? With thousands of innovative cyber tools hitting the market each year, it would be easy to lull us all into believing that the security of our organizations is just a toolset or adjusted configuration setting away. Oh, that it was that simple.

Before becoming a CISO, I helped organizations comply with the requirements of the Sarbanes-Oxley Act (SOX). Our company would help management address the state of the organization’s internal controls over financial reporting (ICFR). I was responsible for assessing IT General Controls (ITGCs) in the context of financially material business applications. Our process began with a risk assessment of the organization’s financial statements to determine the materiality of business processes and capture control detail about the applications (think ERP, CRM, and other systems) that supported material business processes. With this context, we’d evaluate and assess the design and operational effectiveness of controls. Our goal was to determine what level of assurance or confidence the organization had that its financial statements were accurate, complete, and valid.

We had two types of customers. The first and rarest were those that were genuinely interested in establishing good governance practices and sound controls over their processes such that ultimately their financial reporting was free from material weaknesses or significant deficiencies. The more common group consisted of those executives that merely asked that we “make them compliant.” It was in this group that the quality of financial reporting was most suspect, and no matter how much we worked to implement, document, and ultimately transfer good governance practices to the organization, we knew that given the lack of “ownership” the governance practices would not stick. The simple reason: there was no accountability or commitment to good governance.

Embarrassingly, we would call executives from this second group “walking material weaknesses.” They put their organization’s standing with financial markets, regulators, and other critical constituencies at risk because they did not value governance. Or, as I’ll discuss below, no one explained the linkages between good governance and financial performance for their organization in a way that resonated with how they saw their role within the organization. It was like we were speaking the wrong language to this second group. It was not that they desired poor governance and ineffective controls. It was, more accurately, that no one showed this group of executives how good governance and internal control could facilitate and underpin their organizational strategy. The failure was on us…we did not communicate in a manner that was effective.

As CISOs, we see similar issues within our organizations. Some organizations take security awareness and security training very seriously and are committed to excellent security practices. Others only pay lip service to security training and education. The consequences for the latter include increased regulatory oversight and brand damage resulting from high-profile breaches. Awareness must start with executive management. It’s imperative that you help your colleagues in the C-suite understand the risks and consequences of security practices that are inadequate or incomplete. How you address this one function may have more bearing on your security program than any selected tool or security configuration. Similar to the challenges with SOX described above, leaders of organizations that do not currently value security the way we would hope may simply lack the context required to change their approach.

It’s About the People

Now back to the opening of this chapter. Cybersecurity, while reliant upon technology, is ultimately about people. Good security practices require engaged and informed stakeholders, be they the board of directors, executives, or frontline employees. One of the most critical components of the CISO role is to help drive this engagement. Behaviors that bypass the best technologies can happen without awareness, an understanding of the acceptable use of organizational assets, and the investment in the training of our teams. One need not look any further than how the best “preventive” technologies deployed are easily circumvented by well-crafted phishing emails that entice employees and executives to expose their organization’s network to bad actors. People count. It is obvious why cyber education and security awareness training are so necessary.

Matt Stamper

CISO DRG Vol 2: Chapter 12 – Monitoring Your Environment

Introduction

Networks are noisy. From heartbeats to probing, from legitimate database extracts to covert data exfiltration, from sensor telemetry to malware infusions, there is an enormous amount of traffic on your network. Without a strategic and diligent approach, it is difficult to know how much of your traffic is appropriate. Long gone are the days when volume alone was the biggest hint that you were under attack.

Bill starts the discussion by reminding us just how much the network and the devices on the network have changed. In the last decade, we have seen not just an explosion in data volume, but a significant change in control as to how the network and the applications and devices on it are acquired, deployed and exploited for business utility. Bill also highlights the need to look at a wide range of activities to successfully monitor the organization’s infrastructure.

Matt reminds us that monitoring involves more than just checking the flashing lights for activity and sniffing packets. His advice for program monitoring shows us the broad range of health indicators that the CISO must be concerned with and how important it is to be integrated with the lines of business to know what matters to the entire organization.

Gary emphasizes the need for continued diligence through scanning, monitoring, and remediation before addressing the critical requirement for having a deep understanding of the health and security of your applications. To end this chapter, he brings the discussion back to one of our favorite topics: metrics.

Some of the questions the authors used to frame their thoughts for this chapter include:

♦  As a CISO, what frameworks, security controls, or processes would you recommend to continuously monitor your organization to prevent or mitigate a data breach?

♦  What framework and/or processes should a CISO use to remediate vulnerabilities and search for malware in their organization’s application portfolio?

♦  Your organization experiences numerous unauthorized attempts to breach its enterprise networks. What metrics are important to your enterprise cybersecurity program to enable it to see these attempts?

Monitoring the Enterprise and Your Cybersecurity Program – Hayslip

It’s 2:00 AM and the smartphone on a nightstand is chirping a lonely message for Alice Bentlee (fictitious). Alice is the Vice President, Cybersecurity and Risk Operations Director for a local bio-technical research facility and right now she is trying to brush the sleep from her eyes as she reaches for her phone. In the next fifteen minutes, she will become wide awake as she learns the news. The organization, which is her employer, has had a data breach and has activated the incident response plan. In the days to come as she triages the breach, she will use forensics to understand how it happened and what data was accessed.

The company will leverage its cyber insurance policy to help cover its costs as it initiates an internal investigation into Alice’s cybersecurity program, and as the CISO she will need to answer questions to prove her program was meeting the definition of “reasonable care.” Did she, as the senior security executive for the company, implement a cybersecurity program to the best of her ability that met industry best practices and, as an organization, met the standards of care for protecting the critical intellectual property data her company had stored within its enterprise networks?

As a CISO, it is essential to understand the idea of “reasonable care” and why it is a minimum strategic standard for the business. This concept is based on several core principles:

  1. The organization, or the CISO acting on its behalf, shall be considered to have complied with reasonable security practices and procedures if an industry standard framework was used to implement the procedures (e.g., NIST, ISO, COBIT, and CIS), and there is a current documented information security program. This program should have mature information security policies that contain managerial, technical, operational, and physical security control measures that are at a maturity level commensurate with the level of sensitive information being protected by the company.
  2. In the event of legal action or a request from regulators stemming from a data breach, the organization, or the CISO acting on its behalf, may be required to demonstrate that security control measures were implemented, and they are documented in the organization’s information security policies.
  3. The security procedures are certified or audited on a regular basis by an independent auditor. The audit of reasonable security practices and procedures must be current and therefore conducted within the last year.

I am sure by now you are wondering why this is so important. The reason is that, as we’ve previously discussed, cybersecurity is a continuous lifecycle and breaches are part of that lifecycle. To reduce the risk to our organizations, as CISOs we create and implement enterprise cybersecurity programs and deploy policies, procedures, security controls, and standards to reduce risk and protect our assets. However, even with a mature cybersecurity program, we will at times remediate security breaches and then be required to prove that we are meeting reasonable security standards.

Continuous Scanning, Monitoring, and Remediation

We’re now ready for our next discussion topics. One of the primary processes that your cybersecurity program will be responsible for is “continuous monitoring.” In many network/organizational environments, there may be extreme technology change as organizations try innovative solutions to compete in their specific business markets. This dynamic change environment makes providing enterprise risk management and cybersecurity as a service extremely challenging.

To bring balance to my security teams and be effective as a security leader, when operating in chaotic business environments where there is no stable risk baseline, I implement the concept of continuous scanning, monitoring, and remediation to provide an effective security practice for my business and our stakeholders. Understanding the answers to the questions for this chapter will enable you as a CISO to state that you are meeting the requirements of “reasonable care.”

Continuous monitoring provides a critical service to security operations teams through detection, response, and remediation. When such a program is aligned with the organization’s enterprise security program and implemented with appropriate security controls, it enables security organizations to detect security incidents, remediate security gaps, and analyze trends to reduce the company’s risk exposure. I believe it is essential to understand that continuous monitoring is a component of a lifecycle, a cybersecurity lifecycle.

I have written about this lifecycle and its five stages: inventory, assessment, scanning, remediation, and monitoring (Hayslip, Pulse, Articles by Gary Hayslip 2015). This graphic is a depiction of the final stage, continuous monitoring, and will be our guide in the discussions that follow.

Figure 12.1 Continuous Monitoring Mind Map

The first question that we will review will provide some insight into the components that make up continuous monitoring and why I believe it is an essential business process. Numerous strategic frameworks address continuous monitoring. I have implemented the National Institute of Standards and Technology (NIST) guidelines, NIST SP800-137 (NIST 2011), at multiple organizations over the last several years. I consider it to be a best practice for a CISO standing up a security program.

I believe it is a critical business process for organizations to understand and maintain their situational awareness and oversee their enterprise risk management portfolio. While I used the NIST guidelines for continuous monitoring, the framework you select should be decided through input from your stakeholders, including legal staff and executive management, and depends on your technical requirements.

With that said, let’s review our first question: “As a CISO, what frameworks, security controls, or processes would you recommend to continuously monitor your organization to prevent or mitigate a data breach?”

To design and implement an effective continuous monitoring program, a CISO will need to take into account answers to the following questions:

♦  Purpose of the monitoring system – From the viewpoint of the organization, what are the overall business reasons to develop a monitoring system? Is it a compliance/regulation requirement? Are there technical requirements? As a CISO you must be able to answer the question of why resources need to be expended to develop this program.

♦  Requirements – Now that you understand why you need to implement it, what are the technical, security, legal, business, and compliance requirements for the program’s creation, management, report structure, and data views?

♦  What needs to be monitored – This question is critical. It is imperative for the CISO to work with stakeholders and trusted partners to identify what systems, applications, and data to monitor.

♦  How will it be implemented – From a technology perspective, will this monitoring be on-premises, will it be in the cloud, or would it be better to use a hybrid approach? If deploying sensors or agents, determine if the deployment is a one-to-many configuration or a distributed site-to-site configuration. Once you have identified the data to pull, you can create the architecture to move the data to a location for analysis and storage.

♦  Data, data, and more data – You have identified what data you will monitor, and now you need to ask yourself, where will the data be stored? Do I have a data retention policy? Do I have a data governance program that specifies who is allowed to access it and why?

♦  Metrics and reports – Collecting information from the monitoring program should have a purpose. Do you have any metrics? Do you have specific reports based on the analyzed data? What is the story, and to which audience are you providing this data?

♦  911 – You understand your requirements, you have built a continuous monitoring program for the organization, you are collecting information, and now the question is who will use it to protect the organization?

As you can see from these questions, there is an extensive amount of information you need to collect before you begin architecting a monitoring program. I typically start with conducting an inventory of my security suite to identify all of my security assets such as firewalls, IPS sensors, honey pots/nets, endpoint platforms, and vulnerability scanners. I then proceed to document what logs I can collect from these platforms and meet with my peers in our data centers, desktop support, and network services teams to verify what assets they have and what logs I can collect from them. Once I have identified these assets and log types, I research and deploy a security information and event management (SIEM) platform that enables me to build dashboards to analyze the collected information. This allows me to make decisions about reducing risk and focus on how to best use my limited resources.

You will need to review several issues if you plan to use a SIEM platform as one of the core elements of your continuous monitoring program. The SIEM platform will provide your monitoring program with extensive capabilities for reviewing and analyzing collected data for actionable threat mitigation. However, you will need to verify some information before you start analyzing the collected data. Some of the issues I would recommend you check are:

♦  Deployment of Security Suite Assets – Review where you have your security assets deployed in your enterprise network. Assets such as intrusion prevention systems (IPS) or unified threat management (UTM) appliances become primary sources for data logs, and it is critical to position them at locations in the network with the best visibility into data flows to ensure you are collecting optimum data. Whether it’s at the network edge, chokepoints between sites, or within enclaves that manage sensitive data – review your network maps and the position of your security suite’s

♦  Log Filtering – Next, I would recommend that, depending on the data type you collect (for instance, if the data is from security components like firewalls or IPS systems), you incorporate filters or pre-defined rulesets to remove basic informational data so your analysts don’t get overwhelmed. There are configurations for many of your security components that will allow you to filter out informational data and only send alerts for data that meet specific criteria for review by one of your security personnel. The use of these filters and automation for specific analysis will help provide relevant data and meaningful metrics for review. As a result, security staff will be able to spend less time analyzing the data and more time remediating any issues they find.

♦  Log Management – You are collecting logs and sending them to a central repository for your SIEM to review; however, what events are you collecting? Some events that I have collected in the past (and by no means is this a complete list) are:

◊  Asset boot/shutdown

◊  System process initiation/termination

◊  Invalid Login attempts

◊  File Access/File Close

◊  Invalid File Access attempts

◊  Network activity

    ♦  Ports/Protocols

    ♦  Flagged application activity (Tor, Web Proxy, File Sharing)

◊  Resource Utilization information

♦  Log Retention/Access – It is critical that you understand your log retention requirements. If you must keep logs for several years due to federal regulations or industry compliance, you will need to factor in storage and encryption of the data at rest as part of your program for managing this data. Another critical question you will need to address is who needs access to these logs, why do they need access, and what rights do they need to this data? You will need to incorporate an access control mechanism for this information, so you can demonstrate you’re a good steward of the data entrusted to your program. I have found that discussing this issue with my stakeholders will help identify who needs access and the business requirements for the information, so collaborate when setting your access control mechanisms.
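To make the log filtering and log management points above concrete, here is a small Python ruleset run over constructed log lines. It is added to this edition as an illustration and is not Gary’s code or any SIEM product’s: informational events (boots, process starts, ordinary file opens and connections) are counted rather than forwarded, invalid login attempts are aggregated into a single alert, and flagged application traffic, invalid file access, and resource exhaustion raise alerts. The log format, category names, thresholds, and port list are assumptions, not a standard.

```python
import re
from collections import Counter, defaultdict, namedtuple

# Constructed sample log lines (not real data) in an assumed
# "timestamp host CATEGORY key=value ..." format.
SAMPLE_LOGS = """\
2024-05-01T02:00:01 srv-db01 SYSTEM event=boot
2024-05-01T02:00:05 srv-db01 PROCESS event=start name=postgres pid=412
2024-05-01T02:01:10 srv-web01 AUTH event=login_failed user=admin src=10.0.5.7
2024-05-01T02:01:12 srv-web01 AUTH event=login_failed user=admin src=10.0.5.7
2024-05-01T02:01:15 srv-web01 AUTH event=login_failed user=admin src=10.0.5.7
2024-05-01T02:02:00 srv-web01 FILE event=open path=/var/www/index.html user=www
2024-05-01T02:02:30 ws-0117 FILE event=access_denied path=/finance/payroll.xlsx user=jsmith
2024-05-01T02:03:00 ws-0117 NET event=connect dst=198.51.100.9 dport=9001 proto=tcp app=tor
2024-05-01T02:03:05 ws-0042 NET event=connect dst=192.0.2.10 dport=443 proto=tcp app=https
2024-05-01T02:04:00 srv-db01 RESOURCE event=cpu pct=93
"""
Event = namedtuple("Event", "ts host category fields")
Alert = namedtuple("Alert", "rule host detail")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(.*)$")

def parse_line(line: str) -> Event:
    """Parse one line of the assumed format; key=value pairs become a dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, host, cat, rest = m.groups()
    return Event(ts, host, cat, dict(kv.split("=", 1) for kv in rest.split()))

# Hypothetical ruleset thresholds; tune them to your own environment.
FLAGGED_APPS = {"tor", "proxy", "p2p"}   # the 'flagged application activity' category
FLAGGED_PORTS = {"9001", "9030"}         # well-known Tor relay/directory ports
FAILED_LOGIN_THRESHOLD = 3
CPU_ALERT_PCT = 90

def triage(log_text: str):
    """Apply the ruleset; return (alerts, per-category count of informational
    events that were filtered out rather than forwarded to an analyst)."""
    alerts, filtered, failed = [], Counter(), defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        f = ev.fields
        if ev.category == "AUTH" and f.get("event") == "login_failed":
            failed[(f.get("user"), f.get("src"))].append(ev)   # aggregate, decide below
        elif ev.category == "FILE" and f.get("event") == "access_denied":
            alerts.append(Alert("invalid_file_access", ev.host, f"{f.get('user')} denied on {f.get('path')}"))
        elif ev.category == "NET" and (f.get("app") in FLAGGED_APPS or f.get("dport") in FLAGGED_PORTS):
            alerts.append(Alert("flagged_application", ev.host, f"{f.get('app')} to {f.get('dst')}:{f.get('dport')}"))
        elif ev.category == "RESOURCE" and int(f.get("pct", "0")) >= CPU_ALERT_PCT:
            alerts.append(Alert("resource_exhaustion", ev.host, f"{f.get('event')} at {f.get('pct')}%"))
        else:
            filtered[ev.category] += 1   # boots, process starts, ordinary opens and connections
    # One alert per burst of failed logins instead of one line per attempt.
    for (user, src), evs in failed.items():
        if len(evs) >= FAILED_LOGIN_THRESHOLD:
            alerts.append(Alert("failed_login_burst", evs[0].host, f"{len(evs)} failures for {user} from {src}"))
        else:
            filtered["AUTH"] += len(evs)
    return alerts, filtered

if __name__ == "__main__":
    found, dropped = triage(SAMPLE_LOGS)
    print(*found, "filtered as informational:", dict(dropped), sep="\n")
```

The per-category counts of filtered events are the kind of volume metric worth keeping alongside the alerts, since a sudden change in them is itself a signal.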

Gary Hayslip