
Are we safe? The question every new CISO needs to be prepared for

By David Coleman, Lead Security Solution Engineer (ANZ), Rapid7

The spate of recent high-profile breaches has many senior leadership teams concerned that their organisation may be hit next. While it is not possible to be prepared for every eventuality, the new (old) adage of "when, not if" applies.

In this time of heightened sensitivity, every CISO must be ready to have the conversation relating to “are we safe?” with the CEO and other leaders. And it’s better to do it before you have to deal with a live incident and are focused on fixing an identified high-profile problem.

Since you cannot guarantee that your organisation will never be breached, you, as the security leader, may be asked to demonstrate that you and your teams are doing everything you can with the strategies, processes and resources you have put in place.

Understand your “safe” according to your risk tolerance and communicate

The current climate is actually a great time to prove how integral cybersecurity is to your organisation. Part of the balance in any CISO's role is being able to rise above the day-to-day firefighting and be proactive in your communications with senior leaders across the business, highlighting exactly what you are doing to ensure the business is as protected as it can be. While cyber security is everyone's problem, it is usually assumed that the CISO will provide the ultimate guidance on how to make the organisation cyber secure (safe).

But what does a cyber-safe organisation look like?

And how do you communicate that effectively to your senior leaders?

Your ability to protect your organisation depends on many factors: your processes, your organisational security culture, the availability of skilled teams and tools and, importantly, defined cyber-security metrics aligned to risk appetite, all of which are understood and tracked by every relevant stakeholder. There must be a solid, shared understanding of cyber security risk appetite, and an acknowledgement of who owns, and who ultimately performs remediation and execution against, each defined asset (and yes, assets include data).

All too often the CISO is assumed to carry accountability beyond their purview, when ownership of and accountability for information system assets belongs to others. Simply put, the assets belong to their business owners, and the CISO is engaged to provide guidance on identifying risks to those assets and on the options for treating them. In a more mature cyber organisation, the CISO will have defined the policies, and the operational owners will execute them. A good CISO will recognise that if you put the security brakes on too hard, you risk hampering the ability to operate and innovate; be too laissez-faire and it could become open season for threat actors.

A delicate balance is always required, and many technically focused CISOs start their cyber security metrics with details that an average board won’t understand. If you want to get on the front foot with your CXO to help them understand what “safe” may look like, here are three elements to help.

1) Assess

Best practice cyber security assessment evaluates not just your organisation's susceptibility to vulnerabilities and cyber threats, but also security culture and the support you receive from senior management stakeholders. One of the biggest determinants of successful cyber culture, and the cyber safety of an organisation, is the extent to which that culture is driven from the very top of the business.

At a technical level, assessments rely heavily on having complete visibility into your entire technology environment, from the inside and from the outside. Understanding where all your assets reside, and the vulnerabilities associated with them, is critical. Limited visibility and understanding of risk has a major impact on securing budget, resources and confidence. As the saying goes, "you can't manage what you can't see," and this is often one of the first (and biggest) stumbling blocks for any CISO, especially in today's hybrid environments.

That is why many security leaders are investing in new visibility tools and technologies, and further leveraging systems that already hold asset data, such as cloud resource inventory APIs. Greater visibility begins with gathering accurate data from a tool you can trust, one whose false-positive rate is low and whose accuracy is high. Integrations are essential, for example with CMDBs, both to pull in additional asset context and to push updates back to those systems. Any assessment of cybersecurity should also be viewed in light of your organisation's obligations under applicable frameworks and regulations and its risk tolerance levels, particularly with respect to industry guidance and critical infrastructure.

2) Quantify

Understanding how to quantify risks and threats is likely the most challenging of the three elements to get right, because you can never predict the actions of an adversary or a rogue employee in an ever-changing cyber landscape. Nowadays, most organisations use a threat intelligence tool to understand what external threats exist, how those threats are being exploited in the wild, and against which regions and verticals. Digital brand protection services help identify early that a campaign may be about to be launched against your specific organisation, so that you can protect digital assets and secure cloud environments and applications. However, making sense of this data can often be overwhelming.

The cyber industry relies upon various rating systems and models to help understand the severity of those threats. The challenge is that much of this is meaningless to those outside the cybersecurity world. Case in point: according to CVE Details, out of roughly 176,000 vulnerabilities, more than 19,000 have a CVSS score of 9.0 to 10.0 (most severe), over one in ten. This metric alone is misleading, though. Would you prioritise the remediation of an external-facing service that has a high CVSS score but no known exploit, or an internal system that has a lower CVSS score but multiple active exploits and for which you may have no compensating controls? How is that data then interpreted, not only to decide what is relevant to your organisation and where to put your resources, but also to explain to senior management what is important and why? The answer lies in how you communicate and present the data to the business.

3) Communicate

Better communication of risk and threats means talking in a language the C-suite understands — the operational impacts. The best CISOs make technical details easy to consume by explaining their potential impact on the business. For example, if there’s a high-risk vulnerability that could affect customer-facing or revenue-generating systems, the conversation will quickly focus on how to reduce the risk to those systems.

Sometimes, risks can be assigned a specific dollar value proportionate with their potential impact. System downtime or regulatory fines are two potential outcomes with hard dollar values. Other consequences, such as reputational damage, are more abstract but no less important. The CISO should communicate the risks in terms their colleagues will understand to get agreement on prioritising the most critical risks in alignment with the defined risk matrix.

CISOs can then direct security resources to assess, communicate and work on vulnerabilities and exposures in the order of the business impact they would cause. With the support of the business, plans can be developed and tracked to remediate identified issues within defined service-level agreements (SLAs).

Now, time can be spent on things that matter, rather than drowning in daily alerts and subjectively ranking threats with the same or similar severity scores, which may potentially be misinterpreted and leave you exposed in other areas.

CISOs can also build confidence among their C-suite colleagues by implementing, and then reporting against, SLAs, or what is emerging under the term "protection level agreements". Tracking SLAs for the teams responsible for resolution helps demonstrate the value of the security investment in terms of business impact. Talking about measures of "safe" in this manner makes measuring the ROI of cyber initiatives easier and more efficient, and business leaders can then assess their decisions on likelihood of occurrence and cost to the bottom line.
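As a worked illustration of the prioritisation question raised under "Quantify" (a high-CVSS external service with no known exploit versus a lower-CVSS internal system under active exploitation with no compensating controls) and of the SLA tracking described above, here is an added example. It is not Rapid7 code and not the article's own method: the weights, tier thresholds, SLA durations, finding references, asset names and dates are all assumptions constructed for the example. It scores each finding on CVSS plus exposure, exploit activity, compensating controls and business impact, orders the findings, derives an SLA due date per tier, and rolls the result up into the open/overdue counts a board can act on.

```python
"""Risk-based prioritisation and SLA tracking of vulnerability findings.

Added example, not Rapid7 code. All weights, thresholds, SLA durations and
sample findings below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Finding:
    asset: str
    ref: str                     # constructed placeholder, not a real CVE ID
    cvss: float                  # CVSS base score, 0.0 to 10.0
    internet_facing: bool
    exploited_in_wild: bool      # e.g. listed in a known-exploited feed
    compensating_control: bool   # WAF rule, network isolation, etc.
    business_impact: str         # "revenue", "customer" or "internal"
    found: date
    remediated: Optional[date] = None


# Assumed weights for what the asset means to the business.
IMPACT_WEIGHT = {"revenue": 1.0, "customer": 0.9, "internal": 0.5}
# Assumed remediation SLAs (days) agreed with the business per tier.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def risk_score(f: Finding) -> float:
    """CVSS is only the starting point; exploitation, exposure, controls
    and impact move a finding up or down the list."""
    score = f.cvss
    if f.exploited_in_wild:
        score *= 1.6   # assumed: active exploitation is the strongest signal
    if f.internet_facing:
        score *= 1.3   # assumed: reachable by anyone on the internet
    if f.compensating_control:
        score *= 0.6   # assumed: a control lowers likelihood, not to zero
    score *= IMPACT_WEIGHT.get(f.business_impact, 0.5)
    return round(score, 2)


def tier(score: float) -> str:
    """Map a risk score to the tier the SLA table is keyed on (assumed cut-offs)."""
    if score >= 10.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def due_date(f: Finding) -> date:
    return f.found + timedelta(days=SLA_DAYS[tier(risk_score(f))])


def sla_status(f: Finding, today: date) -> str:
    """'met' or 'missed' once fixed; 'overdue' or 'open' while still unfixed."""
    due = due_date(f)
    if f.remediated is not None:
        return "met" if f.remediated <= due else "missed"
    return "overdue" if today > due else "open"


def prioritise(findings):
    """Highest business risk first, regardless of raw CVSS order."""
    return sorted(findings, key=risk_score, reverse=True)


def board_summary(findings, today: date) -> dict:
    """Per-tier counts of open/overdue/met/missed: the number the C-suite wants."""
    summary = {}
    for f in findings:
        row = summary.setdefault(
            tier(risk_score(f)), {"open": 0, "overdue": 0, "met": 0, "missed": 0})
        row[sla_status(f, today)] += 1
    return summary


# Constructed sample findings mirroring the article's question.
TODAY = date(2023, 3, 15)
SAMPLE = [
    # external, CVSS 9.8, no known exploit, WAF in front, revenue system
    Finding("public-web-01", "FINDING-A", 9.8, True, False, True, "revenue", date(2023, 3, 1)),
    # internal, CVSS 6.5, actively exploited, no compensating control, revenue system
    Finding("billing-db-02", "FINDING-B", 6.5, False, True, False, "revenue", date(2023, 3, 1)),
    # internal, CVSS 9.1, no exploit, non-critical test host
    Finding("dev-test-07", "FINDING-C", 9.1, False, False, False, "internal", date(2023, 3, 1)),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        s = risk_score(f)
        print(f"{f.ref:10} {f.asset:14} cvss={f.cvss:4} risk={s:5} "
              f"tier={tier(s):8} due={due_date(f)} {sla_status(f, TODAY)}")
    print(board_summary(SAMPLE, TODAY))
```

With these assumed weights the actively exploited internal finding (B) lands in the critical tier and is already overdue, the CVSS 9.8 external finding (A) drops to high because the WAF is counted as a compensating control, and the CVSS 9.1 finding on a test host (C) falls to medium. Change the weights to match your own risk matrix; the point is that the ordering and the SLA clock come from the agreed rubric, not from the CVSS number alone.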

Set expectations

The fact of the matter is that no organisation will ever be completely safe, and putting in place all the tools and resources is only half the battle. Positioning risk and communicating with your senior leadership teams are just as vital in setting appropriate expectations. Unfortunately, we have seen firsthand the impacts of breaches in Australia, and very often how a situation is managed and dealt with will have a huge bearing on the mindset of your executives and board.