This week, I had the opportunity to speak at the ISACA 2019 Governance Risk and Control Conference in Ft. Lauderdale, FL. Having spent a career as both a cybersecurity practitioner and leader, I see the recent rise of Board- and CEO-level concern around cyber as a top-of-mind issue for many information security leaders. The need to communicate cybersecurity as a business function has always existed. With the massive breaches occurring now, we see the bottom-line impact of fragmented and static cybersecurity practices.
Being able to communicate an organization’s cyber posture is no longer simply a matter of securing more budget. With events like the Marriott and, more recently, the Capital One breaches, information security is having as direct an impact on bottom lines and stock prices as any other business function within the organization. Information security leaders must prepare themselves to articulate their programs as effectively as other members of the C-suite, and to be held to the same standards.
Since the inception of the function within an organization, information security has often operated misunderstood by business-side teams. However, many of the frameworks that cybersecurity teams use to enhance their cybersecurity posture were developed with business-side leaders in mind. As a member of the panel that helped develop the National Institute of Standards and Technology’s widely adopted Cybersecurity Framework (NIST CSF), I can say that its language is designed to be understood by both technical- and business-side leaders. With the elevation of cybersecurity to a Board- and CEO-level concern, CISOs must employ both frameworks and tools that bridge the gap and foster an enterprise-wide conversation around information security.
The Needs of the Modern CISO
There are three main needs of the modern CISO as I see it: an integrated risk management and continuous compliance approach, implementing tools that utilize “glass-box” not “black-box” reporting and methodologies, and finally automating and standardizing reporting.
Integrated Risk Management and Continuous Compliance
Many of the tools available in the market, many of which I used as a cybersecurity leader, do not empower organizations to integrate their cybersecurity organization, nor are they capable of supporting a continuous compliance approach. As a CSO, I realized that the half-life of assessment data is incredibly short, which is to say that an assessment is only valuable as a snapshot of the organization at that point in time. With the rapid pace of innovation and technology adoption at any enterprise, annual (or at best quarterly) assessments are not an accurate representation of an organization’s cybersecurity posture at the time of reporting. The result is that decisions are made at the executive level using outdated data, which at best leaves leaders unaware of the current state and at worst leaves a hole in the organization’s security. Security leaders must adopt a continuous compliance approach and, as a result, must change the tools that their security organization uses.
The other cornerstone of a modern security program is an integrated approach to risk and compliance. Too often we see organizations using modular tools that by design incentivize security organizations to stay siloed. Again, in order for an organization to see relevant metrics that empower decision making, it must use platforms that integrate all risk and compliance data in such a way that leaders can see and understand the enterprise’s cybersecurity posture with the most up-to-date data possible.
Glass-box not Black-box
When reporting out to Board- and C-level executives, information security leaders must be able to start from a high level yet still be able to justify and explain the workings of their program. What we are seeing in the market today in terms of cyber risk quantification is an increasing number of black-box risk quantification tools that provide little to no insight into how their metrics were reached. The result is a dependency on those solutions, given that the security leader knows little about how the risk is actually being quantified. This can prove catastrophic in a Board- and C-level discussion if the person in the room who is positioned as the expert cannot explain a core aspect of their program.
That is why we at CyberSaint champion the use of glass-box methodologies and deliver them through the CyberStrong platform. We use the publicly available NIST SP 800-30 risk assessment methodology, whose likelihood-and-impact structure is easily explainable to the Board and C-suite. Further, our CyberStrong Score also uses a glass-box approach and can be explained to business-side stakeholders as well.
Automating and Reporting
The assessment process is only as valuable as the data that your organization can report on and, in so doing, use to enable business-side decision making. Spreadsheets add an unnecessary tax on your cyber organization. For most teams, the greatest need for automation lies in post-assessment reporting. The lag between the completion of an assessment and delivery of the report further outdates assessment data, since the value of an assessment is only as good as a single snapshot in time. Automating reports allows security organizations to produce up-to-date reports that spreadsheets and modular tools simply cannot.
Meeting The Needs of The Modern CISO
With the elevation of the CISO into more and more senior-level management discussions, the solutions that they employ for their organization become all the more critical. Bringing governance, risk, and compliance together in an integrated risk management approach empowers leaders and practitioners alike to get a better sense of enterprise-wide cybersecurity posture. Using glass-box methodologies that produce clear, easily explained metrics, rather than black-box solutions that produce opaque numbers, will help support Board- and CEO-level discussions. Finally, an integrated approach allows for more automation at the post-assessment reporting stage, helping CISOs report out more consistently and support more significant decision making in doing so.
Watch George's full speech from ISACA GRC Conference 2019 here.