Instead of the tiresome debate over whether a CISO should report to the CEO, shouldn’t a better question be whether the CISO should be deterring threat or managing risk?
The new National Association of Corporate Directors’ cybersecurity handbook says cybersecurity is a risk management issue, not an IT matter. And I agree. Most of the top federal agency IT managers and cybersecurity officials have been echoing the advice in this handbook for months now. It would have been helpful if Equifax’s board had received an early copy.
The NACD guidebook, developed with an assist from the Internet Security Alliance, is built around five core principles that are applicable to board members of public companies, private companies, and nonprofit organizations of all sizes and in every industry sector. It says that cyber threat expertise isn’t a prerequisite for corporate board members, but that corporate boards should have access to that knowledge and consider how cyber risk affects their companies’ overall operations, from management to products and supply chains.
It is designed to help senior executives learn foundational principles for board-level cyber-risk oversight; gain insight into central cybersecurity issues, including how to allocate cyber-risk oversight responsibilities at the board level, the legal implications and considerations related to cybersecurity, and how to set expectations with management about the organization’s cybersecurity processes; and find ways to improve the dialogue between directors and management on cyber issues.
The messaging isn’t as strong as I would have liked, but it beats having no message at all.
As the cyber-threat landscape continues to become more challenging, with advanced attacks increasing daily, board members need to come to grips with the idea that cybersecurity defense, and their participation in it, is not only necessary to understand the full dimensions of one of the key fiduciary responsibilities of a board seat, but has now become a clearly defined legal liability.
Cybersecurity is no longer just about prevention and CISOs can’t be judged only on defense. All corporate stakeholders need to look at resilience and response, including whether the CIS team has developed the means to go on offense and whether the approaches include advanced threat intelligence and quantitative risk analysis.
Knowing who, what and whether at a tactical operational level is crucial for continued assessment and threat mitigation, but knowing when and how is even more important for preparedness and risk management. And we cannot rely on metrics like low, medium and high any longer either.
We are not going to get a board or a CEO to approve millions in cyber defense with a business case that says our risk is “high”.
If you cannot identify specifically which assets are at risk of future attacks, and can’t quantify that risk level in dollars, you don’t deserve to get a budget request for increased cybersecurity approved.
It isn’t that we don’t have the means to do the analysis, but the road to get there is long and twisty. It requires categorizing your assets, a ranking system that can apply specific dollar-value metrics to each, and a SIEM-enabled system that can ingest and parse a lake of data to identify the low-and-slow vectors that portend future attacks. Those elements must then be able to adjust the asset risk metrics on the fly and present a holistic view of your threat landscape in real time. The result is risk intelligence.
Four of the key technology and process drivers in such a system are curated threat intelligence, pattern-recognition algorithms, a broad array of data sources (which must include feeds from HR, your physical security controls, phone logs, and deep-web and social-media sources), and participation in an open threat exchange. It is also essential that your environmental data is correlated with external data and contextualized to your specific landscape. Then you may find out that the app server in Boston is a yawner, but that database server in Cleveland is getting probed to high heaven.
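As an added illustration of the dollar-denominated, probe-adjusted asset view described above (example code written for this page, not the author's or any vendor's tool): the asset values, baseline probabilities, the per-probe-day uplift and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed asset inventory: business value in dollars and a baseline annual
# compromise probability; both are assumed figures, not real data.
ASSETS = {
    "app-boston-01": {"value_usd": 250_000, "base_prob": 0.02},
    "db-cleveland-01": {"value_usd": 4_000_000, "base_prob": 0.02},
}

# Constructed firewall-style log lines: one source quietly trying database ports
# on the Cleveland server on four different nights; normal traffic to Boston.
SAMPLE_LOGS = """
2017-10-01T02:11:03 src=198.51.100.7 dst=db-cleveland-01 dport=1433 action=deny
2017-10-03T02:14:10 src=198.51.100.7 dst=db-cleveland-01 dport=1434 action=deny
2017-10-05T02:09:55 src=198.51.100.7 dst=db-cleveland-01 dport=3306 action=deny
2017-10-08T02:13:41 src=198.51.100.7 dst=db-cleveland-01 dport=5432 action=deny
2017-10-02T09:30:00 src=203.0.113.9 dst=app-boston-01 dport=443 action=allow
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+ action=(?P<action>\S+)$")

def parse_logs(lines):
    """Yield one dict per line that matches the constructed format; skip junk."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def probe_days_by_asset(lines):
    """Per asset, the largest number of distinct days on which one source was
    denied. Denies spread thinly over many days are the low-and-slow signal."""
    days = defaultdict(set)
    for ev in parse_logs(lines):
        if ev["action"] == "deny":
            days[(ev["dst"], ev["src"])].add(ev["ts"][:10])
    by_asset = defaultdict(int)
    for (dst, _src), seen in days.items():
        by_asset[dst] = max(by_asset[dst], len(seen))
    return dict(by_asset)

def dollar_risk(assets, probe_days, uplift_per_day=0.05, cap=0.5):
    """Expected annual loss per asset = value x (baseline + probing uplift),
    ranked highest first. The uplift and cap are assumed tuning knobs."""
    out = {}
    for name, a in assets.items():
        prob = min(cap, a["base_prob"] + uplift_per_day * probe_days.get(name, 0))
        out[name] = round(a["value_usd"] * prob)
    return dict(sorted(out.items(), key=lambda kv: kv[1], reverse=True))
```

Calling `dollar_risk(ASSETS, probe_days_by_asset(SAMPLE_LOGS))` ranks the Cleveland database server first at an expected annual loss of $880,000 against $5,000 for the Boston app server, which is the kind of figure a budget conversation can use.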
The technologies to get all this done are available today and in use at lots of companies that have successfully implemented variations of a risk intelligence scheme like this.
But unless we start talking to C-level execs in language they can understand with metrics that make sense to them, we will never get the funds to build a useful threat or risk management system. So, while the NACD guidebook is a great start, it ultimately comes down to you, the CISO and the CIO, to start moving the conversation away from tactical technologies and malicious IP addresses and toward asset values, holistic threat defense and strategic risk intelligence.
The combination of increased awareness at the board level and a direction that the check writers can embrace may just save your company and your job.
This is a Security Bloggers Network syndicated blog post authored by Steve King. Read the original post at: News and Views – Netswitch Technology Management