It’s 2:00 AM and the smartphone on a nightstand is chirping a lonely message for Alice Bentlee (fictitious). Alice is the Vice President, Cybersecurity and Risk Operations Director for a local bio-technical research facility and right now she is trying to brush the sleep from her eyes as she reaches for her phone. In the next fifteen minutes, she will become wide awake as she learns the news. The organization, which is her employer, has had a data breach and has activated the incident response plan. In the days to come as she triages the breach, she will use forensics to understand how it happened and what data was accessed.
The company will leverage its cyber insurance policy to help cover its costs as it initiates an internal investigation into Alice’s cybersecurity program, and as the CISO she will need to answer questions to prove her program was meeting the definition of “reasonable care.” Did she, as the senior security executive for the company, implement a cybersecurity program to the best of her ability that met industry best practices and as an organization met the standards of care for protecting the critical intellectual property data her company had stored within its enterprise networks?
As a CISO, it is essential to understand the idea of “reasonable care” and why it is a minimum strategic standard for the business. This concept is based on several core principles:
- The organization, or the CISO acting on its behalf, shall be considered to have complied with reasonable security practices and procedures if an industry standard framework was used to implement the procedures (i.e., NIST, ISO, COBIT, and CIS), and there is a current documented information security program. This program should have mature information security policies that contain managerial, technical, operational, and physical security control measures that are at a maturity level commensurate with the level of sensitive information being protected by the company.
- In the event of legal action or a request from regulators stemming from a data breach, the organization, or the CISO acting on its behalf, may be required to demonstrate that security control measures were implemented, and they are documented in the organization’s information security policies.
- The security procedures are certified or audited on a regular basis by an independent auditor. The audit of reasonable security practices and procedures must be current and therefore conducted within the last year.
I am sure by now you are wondering why this is so important. The reason is that, as we’ve previously discussed, cybersecurity is a continuous lifecycle and breaches are part of that lifecycle. To reduce the risk to our organizations, as CISOs we create and implement enterprise cybersecurity programs and deploy policies, procedures, security controls, and standards to reduce risk and protect our assets. However, even with a mature cybersecurity program, we will at times remediate security breaches and then be required to prove that we are meeting reasonable security standards.
We’re now ready for our next discussion topics. One of the primary processes that your cybersecurity program will be responsible for is “continuous monitoring.” In many network/organizational environments, there may be extreme technology change as organizations try innovative solutions to compete in their specific business markets. This dynamic change environment makes providing enterprise risk management and cybersecurity as a service extremely challenging.
To bring balance to my security teams and be effective as a security leader, when operating in chaotic business environments where there is no stable risk baseline, I implement the concept of continuous scanning, monitoring, and remediation to provide an effective security practice for my business and our stakeholders. Understanding the answers to the questions for this chapter will enable you as a CISO to state that you are meeting the requirements of “reasonable care.”
Continuous monitoring provides a critical service to security operations teams through detection, response, and remediation. When such a program is aligned with the organization’s enterprise security program and implemented with appropriate security controls, it enables security organizations to detect security incidents, remediate security gaps, and analyze trends to reduce the company’s risk exposure. I believe it is essential to understand that continuous monitoring is a component of a lifecycle, a cybersecurity lifecycle.
Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.