The job of the Chief Information Security Officer (CISO) has become challenging. As security has become a top-level concern for executive boards who are paying attention to the business impact of security, CISOs now have a seat at the table. This is good news for CISOs who want to make a positive impact and be aligned with corporate strategy. The bad news is that while the security conversation is becoming more strategic for the business, the confidence in the ability to identify and stop threats from occurring is weak at best.
How Can Organizations Protect What They Cannot See?
According to a recent NYSE Governance Services survey, 66 percent of respondents are "less than confident" can protect against attacks. With over 70 percent of respondents being “significantly concerned” about third-party risk in their supply chains, security risk is spread beyond the ability of even the most mature security organizations ability to handle it.
The average total cost of a data breach in 2015 has grown 23 percent since 2013 to $3.79 million, according to the most recent Ponemon Institute report(May 2015). The cost of lost customers has risen to $1.57 million per breach. Brand name after brand name is feeling the effects. Those companies that have not been attacked yet are worried they could be the next company in the news. Target, Home Depot, Sony Pictures, Anthem Health, JPMorgan and many others, including most recent big name, the U.S. government’sOffice of Personnel Management are the unfortunate case studies in weak security damaging the business.
New approaches and strategies by the C-level are needed to reorient the mindset of business units, technology teams, and the security behavior of employees. Here are three approaches CISOs and cyber-responsible CSOs can use right now, in 2015, to affect change.
1. Increase Security Visibility Into Your Emerging Partner Ecosystem
CISOs are inevitably accountable for the protection of data in their respective company. It used to be that data lived only inside the four walls of our fortress behind firewalls, behind two-factor authentication, protected by passwords, and monitored by systems and full-time employees that we trusted to hold the keys to the kingdom. Also, we used to have an added layer of financial protection via vendor contracts and SLAs. Lockdown was much easier.
In today’s interconnected world, we’ve discovered that commerce isn’t executed in the isolation of the fortress, but thrives on the massively complex, interconnected, sometimes symbiotic network of B2B relationships. Business departments are taking advantage of the cost efficiencies and turn-key conveniences from cloud, mobile and a whole host of unique, time-saving or cost-effective technologies. Developers carry around their company’s entire production source code on their laptop, and the mobile workforce now operates in a fully distributed model – and are no longer shackled to the cubicle.
Most security leaders, however, do not have the transparency, tools and visible reach into the new security landscape beyond our own four walls. Let’s say your company uses an externally-hosted third-party cloud infrastructure to host their application. How do you ensure that the third-party ecosystem uses the same security standards that you use inside your corporate fortress? If a hacker has non-intrusively exfiltrated your data from a third-party network, how do you know?
The emerging operational habitat is decentralized, so we have to adapt. Data is now in systems that we do not own, cannot see and cannot access. How can the CISO protect what they cannot see?
2. Empower Your Weakest Links
One of the most striking discoveries from this year’s Verizon Data Breach report showed how quickly attackers can access and exfiltrate a company’s data reflecting the sheer agility of hackers. The report cites that in over 60 percent of breaches, attackers were able to infiltrate a target within minutes. Security owners may not want to publically admit the difficulty in preventing a breach, and many discover a breach only after it has occurred.
Now that digital operations are more dispersed than they have ever been, and includes the flaws, vulnerabilities, and security behavior of third parties that you cannot control, how do you effectively achieve an accurate risk profile and risk mitigation strategy? How do you apply controls that see and understand the context of the decentralized habitat as it interacts with the partner ecosystem and your fortress? Once we're breached, and once an intruder is inside of our fortress, what are the steps to identify and isolate an intruder – and prevent them from persisting to your most valuable and sensitive data, such as intellectual property or customer and employee data that may put you in jeopardy with regulators (or adversely affect your company’s revenue targets or shareholders)?
Protective layering, of course, helps, but it might not be enough when authorized credentials bypass that layering. The volume of interconnected technologies and systems from external, third-party sources combined with poor security behavior from your average employee make for fertile data theft crop. After all, you’re only as strong as your weakest link.
Even with amazing fortress-protecting perimeter technologies supplemented by highly competent security team talent, breaches are occurring at rates much higher than 10 or 15 years ago. The surface area has grown exponentially. CISOs need thick skin to accept this reality and shift their team’s mindset from complete prevention to rapid detection and remediation, which is not nearly as easy as it sounds.
3. Communicate the Right Security Story
After the next major, highly publicized data breach of a major company, you should expect the CEO or executive board to ask the following questions: "How secure are we? Could that happen to us too?”. Security tools are distributed, and speak a very technical language making security risk questions an incredibly hard question to answer.
It is our duty to find an approach that executives can understand in a vocabulary and format that relates to larger corporate strategy and goals. Executives want business metrics that tell a story. How secure were we a month ago versus today? What are the historical security trends and pitfalls for our industry? How secure are our business partners that we are connected to?
We are very good at tracking and presenting our own security operations through technical metrics, security KPIs and the like, but they do not tell the story that needs to be heard. We do not tell how we are doing compared to our industry or competition. We have little to no ability to benchmark ourselves and our peers. CISOs who understand this will learn how to put the right business lens on their reporting and communications, and will use it to their advantage to secure strategic budget and stay aligned with company priorities.CISOs will need tojointly define and understand acceptable risk thresholds from business units and departments.