As information security shifts from a siloed function to an increasingly relied-upon business function and enabler, business executives and Boards have taken a greater interest in understanding how information and cybersecurity risk impacts the enterprise as a whole. Before cybersecurity became a business function, the governance, risk management, and compliance (GRC) tools that CISOs turned to were sufficient. They allowed each function within a cybersecurity program to operate, and on the sporadic occasions when a CISO had to report out on the performance of their program it was possible (albeit a full project in and of itself) to use GRC software to deliver that information. However, with an increasing number of Boards seeking out cybersecurity talent and creating information security committees, a modular approach to cybersecurity program management is no longer adequate.
The need that many CISOs have faced is how to translate the metrics and data they previously collected in GRC solutions into actionable information and strategies to report up to the rest of the executive team and the Board, especially as it relates to the business impact that cyber risks have on the enterprise. In the face of this quandary, black-box cyber risk quantification tools have emerged. Black-box solutions, for our purposes here, are defined as a solution or tool that ingests cybersecurity risk assessment data and produces a distilled metric or small set of metrics to “articulate” the risk posture of the organization with little-to-no explanation of how those metrics were generated from the assessment. For reasons we’ll examine here, this is extremely detrimental to information security leaders and potentially jeopardizes the future of the cybersecurity program itself.
Building Trust with Business Leaders
We are still in the early stages of seeing Boards and business leaders commit to cybersecurity as a business function. After seeing the financial impact of data breaches and cyber events in recent years, the industry is now very aware that effective cyber risk management is no longer optional. That said, as more Boards recruit information security experts, form committees, meet with CISOs, and do their own research, we must recognize that there is a learning curve. The result of that learning curve is that CISOs must, to an extent, be teachers in the Boardroom.
When presenting to other members of the executive team and the Board, CISOs are often the expert in the room as it relates to the unique configuration of cyber risks the organization is facing. The consequence is that they must be able to articulate the background of the metrics presented to executive management and the Board. However, the implication of black-box risk quantification solutions is that there is very little explanation for how those metrics were generated. While the promise of “advanced algorithms” backing one’s risk metrics may sound appealing, in practice it can and often does hurt the credibility of the CISO presenting the metrics. CISOs are often seen as among the leaders of digital transformation efforts within the enterprise and must use these opportunities to build trust that they have the knowledge to help shape the organization for the future.
Black-box Solutions Bring Their Own Risk
We are starting to see the increased risk of software that operates outside our realm of understanding. Gartner has stated that it sees artificial intelligence emerging as the preferred attack vector for cybercriminals; in essence, if software can do something that humans cannot, it becomes exponentially more difficult to determine whether its result has been tampered with. Consider, in the case of black-box risk quantification, that a cyber attack could go largely unnoticed if the black-box tool itself were adjusted by the bad actor to hide the attack.
By implementing a black-box solution, CISOs are opening their own organization up to a host of new risks that many see as unnecessary. For many (if not all), the risks that black-box tools introduce far outweigh the potential benefit of ease of use.
Leveraging Open Source and Gold Standard Cyber Security Risk Management Frameworks
Especially in this phase of cybersecurity as a business function, where many executives are still developing an understanding of GRC activities and of their own cybersecurity and GRC program, leveraging well-understood and recognized risk management processes and frameworks gives CISOs an advantage in the Boardroom. Instead of spending time explaining a potentially limited understanding of a black-box solution, CISOs can clearly present how various risks align with and inform business objectives, all while being prepared to explain how those metrics were calculated. In many instances, CISOs are not as accustomed to the level of scrutiny that other members of the executive team face and to which they are now exposed, having operated in a silo for decades. By making use of frameworks produced by well-known organizations (NIST’s SP 800-30, for example) or frameworks that are clearly understood by the information security community (e.g., FAIR) and can be explained, CISOs are able to present with both knowledge and confidence, building credibility with the Board and the executive team.
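To make the contrast with a black box concrete, the following is an added example (not code from the original post, and not an official FAIR or NIST implementation) of a transparent, FAIR-style risk quantification: a scenario is described by calibrated three-point estimates for loss event frequency and loss magnitude, a Monte Carlo simulation turns those into an annualized loss expectancy and a loss-exceedance percentile, and the report carries every input that produced the number so a CISO can walk a Board through it. Triangular distributions are used as a simplification (FAIR practitioners commonly use PERT), and the scenario values, names and seed are constructed for illustration only.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float


@dataclass(frozen=True)
class RiskScenario:
    name: str
    loss_event_frequency: Estimate  # loss events per year
    loss_magnitude: Estimate        # loss per event, in currency units


# Constructed sample scenarios (illustrative values, not real assessment data).
BASELINE = RiskScenario(
    "Ransomware on file servers (current controls)",
    loss_event_frequency=Estimate(0.2, 0.5, 1.2),
    loss_magnitude=Estimate(50_000, 200_000, 800_000),
)
MITIGATED = RiskScenario(
    "Ransomware on file servers (after offline backups and EDR)",
    loss_event_frequency=Estimate(0.05, 0.1, 0.3),
    loss_magnitude=Estimate(50_000, 200_000, 800_000),
)


def sample_poisson(rng, mean):
    """Whole number of events in one year for an expected rate (Knuth's method)."""
    threshold = math.exp(-mean)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_loss(scenario, iterations=10_000, seed=42):
    """Return one simulated annual loss per iteration.

    Each iteration draws a yearly event rate and per-event losses from the
    triangular distributions implied by the three-point estimates; the
    Poisson draw converts the rate into a count of events for that year.
    """
    rng = random.Random(seed)
    lef, mag = scenario.loss_event_frequency, scenario.loss_magnitude
    losses = []
    for _ in range(iterations):
        rate = rng.triangular(low=lef.low, high=lef.high, mode=lef.mode)
        events = sample_poisson(rng, rate)
        year_total = sum(
            rng.triangular(low=mag.low, high=mag.high, mode=mag.mode)
            for _ in range(events)
        )
        losses.append(year_total)
    return losses


def summarize(losses):
    """Board-level metrics derived from the simulated annual losses."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "annualized_loss_expectancy": sum(ordered) / n,
        "median_annual_loss": ordered[n // 2],
        "p90_annual_loss": ordered[int(0.9 * n)],
        "probability_of_any_loss": sum(1 for x in ordered if x > 0) / n,
    }


def explain(scenario, iterations=10_000, seed=42):
    """Return the metrics together with every input that generated them."""
    summary = summarize(simulate_annual_loss(scenario, iterations, seed))
    lef, mag = scenario.loss_event_frequency, scenario.loss_magnitude
    return {
        "scenario": scenario.name,
        "inputs": {
            "loss_event_frequency_per_year": (lef.low, lef.mode, lef.high),
            "loss_magnitude_per_event": (mag.low, mag.mode, mag.high),
            "distribution": "triangular (simplification; FAIR commonly uses PERT)",
            "iterations": iterations,
            "seed": seed,
        },
        "results": summary,
    }


def control_value(before, after, **kw):
    """ALE reduction attributable to a control change, in currency units."""
    return (explain(before, **kw)["results"]["annualized_loss_expectancy"]
            - explain(after, **kw)["results"]["annualized_loss_expectancy"])


if __name__ == "__main__":
    for report in (explain(BASELINE), explain(MITIGATED)):
        print(report)
    print("ALE reduction from controls:", round(control_value(BASELINE, MITIGATED)))
```

The point of the `inputs` section in each report is the audit trail: when a Board member asks where the number came from, the answer is three estimates, one distribution choice, an iteration count and a seed, all of which can be challenged and re-run. A fixed seed also lets the same figures be reproduced in the next quarter's deck, which a black-box tool cannot guarantee.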
Getting a Clear Understanding of the Entire Cybersecurity Program
Avoiding black-box tools to quantify cybersecurity risk is only one piece of the puzzle for a future-facing information security leader. Integrating GRC practices under the banner of integrated risk management enables faster feedback loops and lets teams address uncertainty and act with integrity together, rather than through a modular approach. For an information security program and its leader to feel fully empowered and supported, effective solutions must deliver transparent metrics for both the risk and compliance functions.