When Your Greatest Cybersecurity Doubters Are in the C-Suite
A recent global survey by Microsoft and Marsh found that enterprise leaders rank cybersecurity a top-five concern, yet only 1 in 5 are highly confident their company can manage and respond to a cyber-event.
CISOs, let’s consider that for a moment: You’re a valued member of the C-suite, with visibility and reporting to the board of directors level. You have an ever-expanding budget for the best talent and tools money can buy. And you have demonstrated success in evolving your enterprise’s risk management maturity. But your CEO still thinks you can’t manage your next major cybersecurity threat.
It’s possible she’s right. You and your fellow CISOs worry publicly that a breach is not if, but when. Your security teams are struggling to analyze and prioritize a never-ending cascade of security alerts. And all industry pundits say that cybersecurity is going nuclear soon with the weaponization of AI.
It’s clear you’re going to need a different approach to navigate 2018 and beyond. So, let’s talk strategy for elevating your cybersecurity response—and winning the C-suite’s confidence.
- Implement a cyber risk framework: If you haven’t implemented a cyber-risk framework yet, run, don’t walk, to do so. It is critical to being able to achieve the holistic view of cyber-risk your enterprise is going to need in the coming months and years. Risk needs to be managed at an enterprise level—across businesses, geographies, platforms, regulations and product lines. And that needs to happen now.
- Gain situational awareness of cyber-risk: Platforms such as security information and event management (SIEM) and user and entity behavior analytics (UEBA) are great, but they don’t provide you with the total picture of cyber-risk you need. Recent Gartner reports have highlighted the need for integrated risk response, with “one platform to rule them”—security orchestration, automation and response (SOAR) platforms that orchestrate technologies, automate critical processes, provide end-to-end incident management and deliver dashboards and reporting. You need command and control over cyber-risk, not point-by-point response. SOAR platforms can help get you there.
- Speak the same language: CISOs and their teams have great platforms: SIEM, UEBA, SOAR, CARTA … the list goes on and on. We love acronyms and we love features. We read the latest Gartner and reports and we know how to cross-compare solutions in mind-glazing detail.
There’s a problem, however. Business leaders aren’t particularly interested in cyber-risk management tools and probably don’t understand them. What they do want to know are the answers to questions such as these:
- Is the business getting more secure with new investments?
- How will new business models affect the enterprise risk posture?
- What can we do right now to protect our company against an information security breach that could cripple our business?
Sure, you can pull metrics and show them processes that have been improved, malware that has been detected and categorized and threats that have been repelled.
But is that that really the language of the business? Is that really what they care about? Speak to your fellow C-level leaders and line-of-business heads in the common currency of finance.
When you implement a SOAR-type platform you can simplify metrics to the one that really matters—a risk score that is tied to financial exposure.
Imagine talking to your fellow C-level leaders and calmly laying out cyber-risk investments as a book of business opportunities. Show your business partners the cybersecurity risks and threats that cost millions of dollars if not addressed and work together to prioritize them. A risk score with a price tag will surely get the C-suite’s attention and align your interests in solving issues that could hurt your business.
Let’s take a simplified example. Together, you analyze risks and realize:
- Compliance issues: Your enterprise faces low-level risks, except for GDPR which has a compliance index of 2 and a financial exposure of $100,000.
- Data centers: You’re running aging data centers that pose end-of-life issues and could create performance issues with a major business platform. Your risk score is 2 and your financial exposure is $75,000.
- Threat pattern: Your analysts just detected a new malware pattern. It normally wouldn’t be cause for alarm, but your risk level just shot from 3 to 4 and your financial exposure now exceeds $350,000.
- Insider abuse: A small team offsite is exhibiting unusual behavior, accessing and downloading valuable IP that is core to an upcoming M&A. Your risk score is 5 and your financial exposure exceeds $100 million.
In our example, every one of our four risks is critical, but the latter two require immediate action. While security teams are good at tackling new threats, you might not realize the loss of valuable IP until it’s gone. And that threat can be every bit as important as a malware attack—or more.
Uber recently settled a lawsuit with Waymo for $245 million over accusations its star hire and former Waymo employee Anthony Levandowski downloaded 14,000 confidential files and brought the stolen files and trade secrets to his new job. With a near-real-time risk score and financial exposure, Waymo could have prevented that leak from ever happening. What would Waymo have given to keep its trade secrets private? What would you?
Risk is everyone’s business, but being able to speak in language the business can understand is yours. If other C-suite members are spending more time interpreting risk data and insights, and less time collaborating and strategizing, they and their boards of directors’ confidence levels surrounding cyber-risk posture will always be moderate at best. There’s no room for skepticism in this constantly evolving cybersecurity risk landscape. Eliminating it in the board room now needs to be at the top of the CISOs to-do list.
Pingback: IT Security News Blast 04-10-2018 | Critical Informatics