Caption: C-suite cybersecurity: the agenda is different from IT security's. CISOs need a new perspective.
It used to be said that the only two inevitable things in life are taxes and death. Now you can add being hacked to the list. From difficult-to-control vulnerabilities in ‘bring your own’ devices to Internet of Things security, many companies now have the attitude of ‘when, not if’ they are going to be breached.
So how can the smart Chief Information Security Officer develop a plan that not only secures the company’s resources and reputation in the event of a breach … but also ensures that s/he still has a job once the dust has settled?
Aim to be resilient, not bullet proof.
This tip is partly to do with human psychology, and partly to do with being pragmatic. If the CISO proudly announces that, thanks to major pentests and the like, the network is completely secure … then s/he is going to have some tough questions to answer when the breach occurs. The board, not unreasonably, are going to say: “You told us we didn’t need to worry, now we have a major crisis.” The CISO is in a very defensive, vulnerable position.
That’s why Gartner recently mentored a group of 3,400 business leaders to re-frame their attitude to cyber security. In an article titled ‘How to make a digital risk plan and sell it to the board’, the IT News website quoted Gartner analyst Peter Firstbrook as saying: “One hundred percent protection should not be the goal … the goal should be resilience.”
Resilience is a multi-faceted goal. Of course the first action on the list is to make your defenses as strong as possible. That is what any general would do. But genuinely resilient businesses are the ones that can also react quickly to a failure in their defenses, minimize the damage, and finally heal the business as quickly as possible.
In that scenario, resilience is as much to do with processes and different agendas within the business as it is with the technology dimension alone. We’ll cover ‘agendas’ as a way for CISOs to develop a holistic security plan in a moment. But first, another interesting concept … adaptive trust.
Adaptive trust in C-suite cybersecurity planning.
In the same Gartner presentation mentioned above, analyst Felix Gaehtgens introduced the topic of adaptive trust. Basically, this says that a business will have partners with whom it has to integrate IT processes, and the level of trust it extends to each of them should be set deliberately rather than by default.
Gaehtgens described the trust scale as going from ‘trust everything until it is proved untrustworthy’ through to ‘trust nothing until it proves itself trustworthy’. The acceptable level of risk:reward helps determine where on the scale a company should set its adaptive trust relationship with suppliers.
For example, in our recent blog about Internet of Things security, we described how a hacked $2 component could make a car vulnerable to hacking and ransomware. We also described how compromising suppliers is what enabled the infamous Stuxnet worm. So in that case a car manufacturer (or a company making nuclear-bomb-enabling centrifuges) might move the adaptive trust scale slider all the way to the right and ‘trust nobody until they are proved trustworthy’.
Because adaptive trust focuses on the C-Suite agenda of risk management – rather than the CISO agenda of tech solutions – it is a useful notion for technology teams who want to sell their security plan to the board.
Incorporating multiple corporate agendas into a security plan.
In order to create a resilient security plan that gets buy-in from the c-suite, CISOs need to view the issue of security from the perspective of every member of the board. Risk management (and therefore adaptive trust) will be a ubiquitous concern, but each board member will have a specific agenda.
An article from CIO Insight website titled ‘The C-Suite gets serious about security’ gives a more detailed review of the different agendas that different board members will have … but here’s the quick overview:
CEO. They will want to know that there’s a plan in place for dealing with a breach, both in terms of technology healing and reputational management.
CFO. To meet their regulatory obligations, the CFO needs to be able to show proper precautions were implemented, and that there is a disaster recovery plan.
CIO. Needs to see that there is the right level of risk:reward and, possibly, an adaptive trust policy. Also that the IT resources can be healed quickly after a breach.
CMO. Part of the CMO’s agenda is complying with data protection regulations. The CMO will also need to balance the risk of ‘innovative technology as a differentiator’ against the exposure it creates.
So rather than focus solely on the technology aspects of a digital risk plan, whoever is responsible for developing the plan needs to engage with the different functions of the business to develop a solution which meets all agendas after a breach.
Engaging with all the constituencies of the business also engenders a more collaborative and positive approach to dealing with breaches, rather than the customary ‘hunt for the guilty’ when the c-suite is feeling defensive. In an article titled ‘Boards ready to fire over bad security reporting’, IT News reported that 59% of boards would sack people responsible for IT security if there was a significant breach.
Of particular relevance to the main thrust of this blog post, 54% of board members said that the security data they were receiving was too technical, and fully 85% of board members said that ‘IT and security executives need to improve the way they report to the board’.
Free Offer. Understand your Cybersecurity Key Risk Indicators (KRIs).
Caption. We scan for 50k+ network vulnerabilities and provide a c-suite report and technical remediation report. If we don’t find any vulnerabilities, there is no charge.
Key Risk Indicators are a great way to win over those 85% of board members who say that IT and security executives need to improve the way they report. And that’s why SecludIT has built industry standard KRIs into the report generated by our Elastic Detector vulnerability detection tool.
Straight out of the box, Elastic Detector provides the CISO with a ‘plain language’ KRI report to share with the c-suite, plus a technical report with remediation tips for the IT team. The reports are based on the ANSSI, PCI-DSS and OWASP security standards and cover server access and data integrity issues, plus details of outdated software and software with known vulnerabilities.
In fact Elastic Detector scans the network and resources for over 50,000 known vulnerabilities. The list of vulnerabilities is updated daily, and Elastic Detector works on cloud- or infrastructure-based networks.
The easily configured Elastic Detector can provide a comprehensive network scan in just a few hours. If Elastic Detector finds vulnerabilities, you pay a modest fee, and get the c-suite KRI report, technical remediation tips, and 1-to-1 mentoring over the phone. If no vulnerabilities are found, there is no charge and you get a clean bill of health for the next stage of your corporate security plan.
You may as well try the three S-Diag vulnerability scan options: for Enterprise servers, Internet/web networks, and E-commerce servers. Between them, those three options enable the technical agenda of the c-suite to be covered.
If you’d like to take that first step in creating a truly resilient and holistic security plan for your company’s c-suite, please get in touch.