Across our planet, the Internet is making inroads into every society as technology moves forward in exponential fashion. With this increase in connectivity, we see new business platforms being created and these societies reaping the benefits of access to new business opportunities and services.
However, there is a dimmer view of this amazing growth in technology. With every tool that is used for one’s benefit, there is always the dark side of how it can be used to one’s detriment. This drama of how today’s technology is being used against organizations highlights the unique position of the CISO.
The CISO within an organization is the subject matter expert on the dilemma of this dark side. It is incumbent upon the CISO to know the organization’s risk exposure to cyber-crime, compliance and regulatory issues and new evolving threats. To do this effectively, the CISO must establish an executive-sponsored cyber-security program, create relationships within their organization’s internal and external stakeholder communities, and continuously evaluate their organization for risk and take immediate steps to protect it from harm.
This leads us to the questions we will discuss in this chapter: why CISOs must know their security posture, understand their organization’s risk exposure, and look at alternative solutions such as cyber insurance to protect their company and its business interests.
You Want Me to Protect What?
As we begin our first discussion, it is incumbent on me to remind you that the CISO is the focal point for an organization’s effort to deploy cyber-security as a service (CaaS) and reduce the company’s risk exposure to its current technology portfolio. As previously mentioned, one of the first steps a CISO will take is to establish an executive-sponsored cyber-security program.
This program will be the platform that a CISO can employ to gain a better understanding of the organization’s exposure to technological risk and create a mitigation plan for how to address it based on the organization’s business requirements. As it matures, this security program will also provide a foundation for the CISO to pivot from and use new workflows, security controls and technologies to enable the business to understand its risks and its partners’ risks and reduce them where appropriate.
So to begin our first discussion, we will talk about cyber-security and the inherent risk it manages for the business. We will also discuss how the CISO gains visibility into the corporate enterprise environment and how this knowledge will be used for the betterment of the cyber-security program and the company’s strategic business plans. So let’s discuss how you, as CISO, will approach this first question and how you should proceed to look for viable answers to it: “How do I assess my organization’s current cyber-security status? What do I need to protect first?”
To begin our discussion, let’s first understand what type of risk we are concerned about as a CISO. In our position, we must understand “cyber-security inherent risk,” which is the risk posed by an organization’s business activities and its connections to partners, as well as any risk-mitigating controls that are currently in place. An organization’s cyber-security risk incorporates the type, volume, and complexity of its cyber operational components. These are the types of connections used by the applications and technology required by the organization to conduct its business operations.
To understand this risk, we must approach the business departments within the organization and gain insight into how they do work. We must understand the applications, data, workflows, and technologies that are required by their personnel and any projects they wish to initiate to improve their capabilities. To collect this information quickly and effectively, I would suggest you begin with an enterprise risk assessment. I have completed several of these in the past and would recommend using a framework like the NIST Risk Management Framework or the COSO Enterprise Risk Management Framework. These frameworks will provide you with a solid foundation to begin your discussion about risk within your enterprise.
As you begin your assessment, there will be components that will require you to directly interact with your various business departments. Use this assessment as an opportunity to begin building the relationships you will need as a CISO. Your stakeholders have critical knowledge about your organization and you will need them to help your program mature and grow a cyberculture within these departments.
So as you work with these stakeholders, you should seek to gain the insight that you will need as a CISO, which is to understand what assets are essential and must be protected for the organization to be successful.
Questions for the CISO to Gain Insight into Critical Assets
- Do I understand which applications and services are critical for my organization?
- Do I know what data these critical applications create and where this data is stored and backed up?
- Does my organization have formal agreements with its critical partners that allow us visibility into how they are managing their technology-based risks?
- Does my executive leadership team understand what threats and vulnerabilities are being used by our adversaries to target the products the company presently has in its technology portfolio?
As you begin discussions with your stakeholders, there is one crucial point I want you as CISO to pay attention to and document. This critical point is the tone that you and your teams get from these stakeholders for anything associated with your cyber-security program. Most boards of directors only speak about cyber-security when there is a breach. If the board is routinely addressing security and senior executive management is sponsoring your security program, you should see the beginnings of cyber-security awareness taking root in the organization’s culture.
However, if this is not the case, it will be harder for you to get true information when conducting your assessment. I bring this point up because it will give you much-needed insight into how you should address your stakeholders and the responses you might receive from them.
As a CISO, I have found in the past that there will be departments that will want to work with me as a partner and departments that will try to ignore me. Those that were partners I treated as equals in the process, and I championed their projects at tech review. I also included their inputs in new security policies and work processes and requested their assistance with my reluctant departments to eventually grow the trust required to conduct a full cyber risk assessment with all departments.
So back to our cyber risk assessment. As CISO you should also review current practices and overall company preparedness. Several critical processes that should be a focus of the risk assessment are:
- “Risk Management and Governance” – this component is about strong governance with clearly defined roles and responsibilities. There should be assigned accountability to adequately identify, assess, and manage risks across the organization. How well does management account for cyber risk when implementing new technologies? Is there a formal process to review and mitigate issues as required? It is also in this process that we look at our personnel, who are the company’s first line of defense. It is here that we address whether the organization is providing cyber awareness training to employees and whether this training is effective in providing employees with an awareness of ongoing cyber risk.
- “Threat Intelligence and Collaboration” – this component is about the processes the business has in place to collect and analyze information to identify, track and predict the intentions and activities of your adversaries. This information can be used to enhance your decision-making capabilities, providing needed visibility into the risks associated with large strategic projects. Participation in information-sharing forums such as CERT, NIST, InfraGard, MS-ISAC or FS-ISAC is considered critical to the CISO. A key element of the CISO’s job is assisting with organizational risk management, and the information from these partners is instrumental in the CISO’s ability to identify, respond to, and mitigate cyber threats and incidents.
- “Security Controls” – this component focuses on the employment of security methodologies that can be preventive, detective, and/or corrective. Most organizations will use preventive controls, controls that are focused on preventing unauthorized access to enterprise assets. However, a mature cyber-security program will employ multiple control types, interwoven to provide more resilient coverage against the changing cyber threat landscape. The types of controls that can be deployed to work together are:
  - Preventive Controls – processes such as patch management, encryption of data in transit or at rest. These controls need to be periodically reviewed and updated as the organization’s technology portfolio changes.
  - Detective Controls – tools that are used to scan for vulnerabilities or anomalous behavior. Some of these controls are anti-virus/anti-malware solutions or new endpoint solutions.
  - Corrective Controls – these are controls designed to fix issues. Examples are organizational policies such as change management, patch management, and third-party vendor management.
  - With the deployment of these controls, don’t forget to ask yourself, “What are the processes for implementing them?” Are these security control processes documented, and are they periodically reviewed? What are the procedures to mitigate risk identified by these processes? As you can see, controls are like children. They will need to be fed, monitored, cared for and, as they mature, updated to ensure they effectively provide value to the organization.
- “External Third-Party Management” – this component is about the management of connectivity to the business’ third-party providers, partners, customers, and others. What processes/policies should the company have in place to manage these relationships? Part of this component will be organizational directives that document company policy for executing contracts with third-party entities. Does current contract policy spell out what types of connections will be required to corporate networks? Does current contract policy spell out what data will be required and document who will access it? Does current contract policy include as part of the contract a “verification of risk standard” with respect to the external partner’s disaster recovery/incident response plans?
- “Incident Management” – this component is critical for the organization. It is focused on cyber incident detection and response, mitigation of identified risks, incident escalation/reporting procedures, and overall cyber resiliency. In the assessment process, you will need to identify whether the business has documented procedures for the notification of customers, regulators, and law enforcement with respect to a breach. You will also need to verify that metrics are being collected on this component and its maturity is being periodically reported to senior management. One last essential process that will need to be verified through this risk assessment is “does the organization have documented Disaster Recovery and Business Continuity plans?” In answering this question be sure to verify that the plans have been tested, there are communication policies in place, and there is a documented process for how trusted third parties are included for effective communications.
As you can see from our discussion so far, in assessing the organization to develop a more thorough understanding of its cyber-security inherent risk, you will generate…
Copyright © 2016 CISO DRG JV – All Rights Reserved.