There is a growing chorus of dissent calling into question the need for actual IT departments. A recent Wall Street Journal article highlighted the cultural disconnect between IT departments and the core business. As an extension of IT, cybersecurity is often maligned and accused of being an organizational cost center. Moreover, many employees view security compliance and training requirements as burdensome distractions from productive work. Even today, with headlines full of ransomware attacks and data breaches, many companies look with a jaundiced eye at capital cybersecurity expenditures, the very expenditures needed to prevent and monitor the malicious activity that costs the core business revenue. One area companies do spend money on is cyber insurance. According to Zurich North America and Advisen Ltd, 78% of corporate risk managers had purchased cyber insurance in 2020, more than double the share in 2011.
In my view, relying on cyber insurance as a mitigation strategy for today’s threats is proving to be a flawed strategy. As more companies become victims of security breaches, corporate leaders face scrutiny from shareholders and regulatory agencies and, in some cases, legal jeopardy over their handling of cybersecurity incidents. However, there are emerging trends and strategies that can help security organizations Level Up and change the perception of security from a cost center into a function viewed as integral to the organization.
Strategy One: Risk Quantification
The increasing number of cyberattacks against corporations has given CISOs new opportunities to communicate with corporate boards. To use them, CISOs must communicate effectively to experientially diverse board members. CISOs are still expected to report technical facts about the cyber threat landscape; however, they also need to present information that demonstrates the financial impact of a breach. According to David Sockol, Founder and CEO of Emagined Security, CISOs will also need to “extract an understanding of a board’s risk tolerance.” This is needed because few organizations can fiscally take on all pressing cybersecurity projects at once. This is where risk quantification as a strategy can ingratiate security with the board. A risk quantification strategy allows organizations to understand risk by:
- Measuring risk in financial terms
- Determining the mitigation strategies with the best return on investment (ROI)
- Providing an overall loss exposure over time (e.g., quarterly, annually)
There are many frameworks in use to help organizations quantify risk. One example is the F.A.I.R. (Factor Analysis of Information Risk) model, which is complementary to the NIST Cybersecurity Framework. F.A.I.R. helps organizations understand risk in terms of how often loss events are likely to occur and the financial magnitude of each event: the direct impact of an attack (downtime, response and recovery costs) as well as the secondary losses, such as reputation damage, that follow from it.
Risk quantification is a departure from standard risk evaluation tools that present information as color-coded charts (Red/High, Yellow/Moderate, Green/Low) or as numerical rankings. During my time as a military officer, this type of presentation was adequate to inform military leaders that certain threats or vulnerabilities represented a decision point, and it was typically understood that reaching that point meant some risk had to be accepted to accomplish the mission. However, from a corporate profit and loss and corporate reputation perspective, boards and executives need more granular data. It is not enough to justify large capital outlays on the strength of color-coded charts. A quantification strategy shows the monetary cost of continuing to operate under that threat or with that vulnerability. Providing boards with this type of data will sharpen their focus on security projects and highlight the security team as an innovative and integral arm of the organization moving forward.
The F.A.I.R. Institute is a non-profit organization dedicated to the use and implementation of the F.A.I.R. framework by security practitioners.
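To make the quantification concrete, here is an added worked example (my illustration, not code from the article or the F.A.I.R. Institute) that computes a F.A.I.R.-style annualized loss exposure for one scenario and ranks two candidate controls by net benefit and ROI. The decomposition into loss event frequency (threat event frequency times vulnerability) and loss magnitude (primary plus secondary loss) follows F.A.I.R.; the scenario, the (min, most likely, max) estimates, the control names and the annual costs are all constructed for the example.

```python
"""FAIR-style loss exposure and mitigation ROI.

Added illustration, not from the article or the FAIR Institute. FAIR factors
risk into Loss Event Frequency (LEF = Threat Event Frequency x Vulnerability)
and Loss Magnitude (primary + secondary loss); the triangular estimates,
scenario names and control costs below are constructed for the example.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    tef_per_year: float    # Threat Event Frequency: attempts per year
    vulnerability: float   # probability an attempt becomes a loss event
    primary_loss: tuple    # (min, most likely, max) USD: response, recovery, downtime
    secondary_loss: tuple  # (min, most likely, max) USD: fines, churn, reputation


def loss_event_frequency(s: Scenario) -> float:
    return s.tef_per_year * s.vulnerability


def triangular_mean(estimate: tuple) -> float:
    low, mode, high = estimate
    return (low + mode + high) / 3.0


def expected_annual_loss(s: Scenario) -> float:
    """Closed-form annualized loss exposure: LEF x mean loss per event."""
    per_event = triangular_mean(s.primary_loss) + triangular_mean(s.secondary_loss)
    return loss_event_frequency(s) * per_event


def _poisson(lam: float, rng: random.Random) -> int:
    """Knuth's method; fine for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, years: int = 20_000, seed: int = 7) -> list:
    """Monte Carlo: total loss for each simulated year (event count is Poisson in LEF)."""
    rng = random.Random(seed)
    lef = loss_event_frequency(s)
    yearly = []
    for _ in range(years):
        total = 0.0
        for _ in range(_poisson(lef, rng)):
            for low, mode, high in (s.primary_loss, s.secondary_loss):
                total += rng.triangular(low, high, mode)  # random.triangular takes (low, high, mode)
        yearly.append(total)
    return yearly


def exposure_summary(samples: list) -> dict:
    """Board-ready figures: expected loss plus tail percentiles."""
    ordered = sorted(samples)

    def pct(q: float) -> float:
        return ordered[int(round(q * (len(ordered) - 1)))]

    return {"mean": statistics.fmean(ordered), "p50": pct(0.5), "p90": pct(0.9), "p95": pct(0.95)}


def mitigation_value(baseline: Scenario, mitigated: Scenario, annual_cost: float) -> dict:
    """Net benefit and ROI of a control, from the change in expected annual loss."""
    reduction = expected_annual_loss(baseline) - expected_annual_loss(mitigated)
    net = reduction - annual_cost
    return {"option": mitigated.name, "ale_reduction": reduction,
            "annual_cost": annual_cost, "net_benefit": net, "roi": net / annual_cost}


def rank_options(baseline: Scenario, options: list) -> list:
    """Options are (Scenario, annual_cost) pairs; largest absolute net benefit first."""
    return sorted((mitigation_value(baseline, s, c) for s, c in options),
                  key=lambda v: v["net_benefit"], reverse=True)


# Constructed estimates for one scenario; real figures come from calibrated estimation workshops.
BASELINE = Scenario("ransomware via phishing, current controls", tef_per_year=4.0,
                    vulnerability=0.25, primary_loss=(50_000, 150_000, 400_000),
                    secondary_loss=(0, 60_000, 300_000))
MFA = replace(BASELINE, name="phishing-resistant MFA", vulnerability=0.15)
EDR_BACKUPS = replace(BASELINE, name="EDR plus offline backups", vulnerability=0.10,
                      primary_loss=(30_000, 100_000, 250_000))
OPTIONS = [(MFA, 40_000), (EDR_BACKUPS, 90_000)]

if __name__ == "__main__":
    summary = exposure_summary(simulate_annual_losses(BASELINE))
    print(f"{BASELINE.name}: ALE ${expected_annual_loss(BASELINE):,.0f}; "
          f"simulated p90 ${summary['p90']:,.0f}, p95 ${summary['p95']:,.0f}")
    for v in rank_options(BASELINE, OPTIONS):
        print(f"{v['option']:<28} net benefit ${v['net_benefit']:>10,.0f}  ROI {v['roi']:.2f}x")
```

Run it as-is to see the closed-form figure next to simulated p90/p95 tail values. Note that the two controls rank differently by ROI and by absolute net benefit; that distinction, rather than a color, is what lets a board weigh a security project against its stated risk tolerance.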
Strategy Two: Legal and Compliance
Companies increasingly face a legal landscape that is becoming cyber-aware. Many precedent-setting rulings from courts and regulatory agencies will require companies to seek new strategies to maneuver within this landscape. Some corporate counsels may not be aware enough of the changing landscape to provide the advice needed to fully protect their corporations. Cybersecurity leaders can add value here, given their proximity to IT and security regulatory and compliance requirements.
Recent rulings show the need for greater collaboration between corporate security leaders and legal teams. According to the National Law Review, this past summer a district court ordered a corporate defendant in a data breach class action suit to turn over its forensic report. In short, the dispute arose when the defendant refused to hand over the forensic report on the basis that it was protected from disclosure by attorney-client privilege. The court ruled that the defendant had hired the forensic company for auditing purposes and NOT in preparation for litigation. Had the forensic firm been hired in preparation for litigation, the defendant would have had a stronger case that the report was privileged.
The National Law Review provided 13 recommendations for firms to follow to strengthen attorney-client privilege standing. I’ve included three which show where collaboration between corporate security leaders and legal teams can be most useful:
- Hire different vendors or, at a minimum, ensure there is a vastly different agreement and scope of services specifically tailored to the report
- Clearly differentiate between the vendor’s routine services and litigation-related services
- Have the audit and forensic reports billed as a legal expense and not as an IT/security expense
The IT security team can assist the legal team by providing the names of current security vendors so they can be scratched from the list of litigation vendors. Security can also help explain and delineate the typical services that are nominally business- and regulatory-related. Security leaders should resist the urge to review litigation-related audits, since such review can be interpreted by courts as a business or regulatory action, which would leave the report unprivileged.
Another recent case involves an online educational publishing company that was fined $1,000,000 by the Securities and Exchange Commission (SEC) for misleading statements and omissions to investors about a breach that occurred in 2018. The breach involved the theft of student data and administrator log-in credentials for 13,000 school, district, and university customer accounts. The company’s official regulatory filings in 2019 described a “hypothetical risk” of a data privacy incident when it knew an actual breach had occurred. In addition, the company reported it had “strict protections” in place to prevent attacks, when in fact it had failed to patch the critical vulnerability for six months. Finally, other media statements omitted that student data and hashed passwords had been compromised. This case is a clear example of where security leaders must lead to ensure that cybersecurity events are properly accounted for and reported accurately. Furthermore, CIOs and CISOs should take the lead after a breach and craft an actionable response plan that involves the legal team, the board, and the public relations team.
As all businesses and organizations face a daily breadth of risks from online crime, fraud, and disruption, the easiest way to prevent these legal troubles from creeping up is transparency. According to Ms. Terry Roberts, Founder and CEO of WhiteHawk Cybersecurity Consulting, “an effective and affordable approach is to use a SaaS/PaaS solution enabling a focused cyber audit (annually or continuously).” This method shows the company is transparent and diligent when it comes to cyber threats, and it provides a format to inform executives and board members. Finally, a litigation audit can easily be distinguished from these SaaS/PaaS audit solutions.
Strategy Three: Application Security
Many companies find it convenient to have in-house application developers, with the intent of having a team that understands the company’s culture build the tools that power the business. As buzz terms like DevSecOps continue to be used to describe an integrated and iterative development process, security teams need a clear understanding of the tools developers are using. According to William Wade, former CISO for the City of Atlanta, security teams should look for ways to help application developers remediate code flaws and security findings with the tools developers already use. This is a growing concern given that much of the code in applications today comes from third-party libraries hosted on platforms like GitHub. The open nature of these repositories is a double-edged sword: there are boundless opportunities to share expertise, but that openness also makes them a target for bad actors, and anything pushed to a public repository, hard-coded credentials included, is visible to anyone. Security teams need to help developers understand the risk and potential vulnerabilities that come with such repositories. Specifically, integrating security team members into developers’ day-to-day activities is what is needed to help prevent sensitive data like credentials from being compromised.
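As an added illustration of meeting developers in the tools they already use (example code, not from the article or any of the people quoted in it), the following pre-commit hook scans the staged diff for credentials before they can be pushed to a repository. The AKIA access-key prefix and the PEM private-key header are public formats; the remaining patterns, the entropy threshold, the `# allow-secret` opt-out marker and the sample diff (which uses the placeholder access key ID from AWS documentation) are assumptions made for this example.

```python
"""Pre-commit secret scan over the staged diff.

Added example, not from the article. It runs `git diff --cached` and flags
credentials on added lines so they never reach a shared repository. The rules
and the sample diff are constructed for illustration: the AKIA prefix and PEM
header are public formats; the other patterns, the threshold and the
"# allow-secret" opt-out marker are assumptions for this example.
"""
import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass

ENTROPY_THRESHOLD = 4.0          # bits/char; random 32+ char tokens sit well above this
ALLOW_MARKER = "# allow-secret"  # assumed inline opt-out for documented test fixtures
SKIP_SUFFIXES = (".lock", "package-lock.json", ".min.js", ".sum")  # hash-heavy files

RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
TOKEN_CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str  # matched value is redacted so the finding itself is safe to log


def shannon_entropy(text: str) -> float:
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def _redact(line: str, match: str) -> str:
    return line.strip().replace(match, match[:4] + "****")


def check_line(path: str, line_no: int, line: str) -> list:
    """Apply every rule to one added line; at most one finding per rule."""
    if ALLOW_MARKER in line:
        return []
    found = []
    for name, rx in RULES.items():
        m = rx.search(line)
        if m:
            found.append(Finding(path, line_no, name, _redact(line, m.group(m.lastindex or 0))))
    for m in TOKEN_CANDIDATE.finditer(line):
        if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            found.append(Finding(path, line_no, "high_entropy_string", _redact(line, m.group(0))))
            break
    return found


def scan_diff(diff_text: str) -> list:
    """Walk a unified diff; only '+' lines are checked, reported with new-file line numbers."""
    findings, path, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            if path.startswith("b/"):
                path = path[2:]
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\ ")):
            continue
        header = HUNK_HEADER.match(raw)
        if header:
            line_no = int(header.group(1)) - 1
            continue
        if raw.startswith("-"):
            continue  # removed lines do not advance the new-file counter
        line_no += 1
        if raw.startswith("+") and path and not path.endswith(SKIP_SUFFIXES):
            findings.extend(check_line(path, line_no, raw[1:]))
    return findings


# Constructed staged diff; the access key ID is the public placeholder from AWS documentation.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,6 @@ DEBUG = False
 ALLOWED_HOSTS = ["app.example.com"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "Q9f2Kx7LmP4vR8tWz3YbN6cH1jD5sG0aE2uI4oT7"
+DB_PASSWORD = "correct-horse-battery"
 LOG_LEVEL = "INFO"
diff --git a/tests/fixtures/keys.py b/tests/fixtures/keys.py
--- a/tests/fixtures/keys.py
+++ b/tests/fixtures/keys.py
@@ -1,2 +1,3 @@
 # throwaway test material
+TEST_TOKEN = "not-a-real-token-12345"  # allow-secret
 EXPECTED = 1
"""


def staged_diff() -> str:
    return subprocess.run(["git", "diff", "--cached"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    diff = staged_diff() if "--staged" in sys.argv else SAMPLE_DIFF
    hits = scan_diff(diff)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.excerpt}")
    sys.exit(1 if hits else 0)
```

Save it as `.git/hooks/pre-commit` (or wire it into the team’s existing hook manager) and invoke it with `--staged`; run without arguments it scans the embedded sample diff. Findings redact the matched value so the hook’s own output does not become a second leak, and lockfiles are skipped because their hashes would otherwise trip the entropy rule on every dependency bump.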
As companies move to the cloud, security and development team integration can be a force multiplier. Cloud providers offer an array of services that not only help companies scale efficiently but also provide innovative cloud security capabilities. The shared responsibility model offered by cloud providers lets corporate CIOs and CISOs shift resources away from some of the time-consuming and expensive compliance work and toward business-focused activities. As an example, cloud providers have created serverless functionality, which allows security teams to develop event-driven security functions: code that runs in response to an event in the environment rather than on a schedule or a ticket. The effect is a more automated alignment with product development teams. AWS Lambda is a good example. Used correctly, Lambda allows a DevSecOps environment to flourish and lets applications for the core business be created quickly and safely. Security teams should lead in provisioning and monitoring Lambda serverless resources to help ensure the DevSecOps process runs smoothly and securely.
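The following is an added example of such an event-driven security function (mine, not code from the article or AWS): a Lambda handler invoked by an EventBridge rule for the CloudTrail event `AuthorizeSecurityGroupIngress`, which revokes any range that opens an administrative port to the entire internet while leaving the rest of the new rule in place. The `ADMIN_PORTS` policy is an assumption, the sample event is constructed to follow the CloudTrail `requestParameters` layout, and the account and security-group IDs are placeholders.

```python
"""Event-driven guardrail as an AWS Lambda handler.

Added example, not from the article or AWS. An EventBridge rule matching the
CloudTrail event AuthorizeSecurityGroupIngress invokes this handler, which
revokes any range that opens an admin port to the whole internet while leaving
the rest of the rule intact. ADMIN_PORTS is an assumed policy; the sample event
is constructed to follow CloudTrail's requestParameters layout and its IDs are
placeholders.
"""
import ipaddress

ADMIN_PORTS = {22, 3389, 5985, 5986}  # assumed policy: SSH, RDP and WinRM are never world-open


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def covers_admin_port(perm: dict) -> bool:
    proto = str(perm.get("ipProtocol", ""))
    if proto == "-1":  # all traffic, every port
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def offending_permissions(request_params: dict) -> list:
    """Translate the CloudTrail request into boto3 IpPermissions covering only the bad ranges."""
    revoke = []
    for perm in request_params.get("ipPermissions", {}).get("items", []):
        if not covers_admin_port(perm):
            continue
        v4 = [{"CidrIp": r["cidrIp"]} for r in perm.get("ipRanges", {}).get("items", [])
              if is_world_open(r["cidrIp"])]
        v6 = [{"CidrIpv6": r["cidrIpv6"]} for r in perm.get("ipv6Ranges", {}).get("items", [])
              if is_world_open(r["cidrIpv6"])]
        if not (v4 or v6):
            continue
        entry = {"IpProtocol": str(perm["ipProtocol"])}
        if entry["IpProtocol"] != "-1":
            entry["FromPort"], entry["ToPort"] = perm["fromPort"], perm["toPort"]
        if v4:
            entry["IpRanges"] = v4
        if v6:
            entry["Ipv6Ranges"] = v6
        revoke.append(entry)
    return revoke


def handler(event: dict, context=None, ec2=None) -> dict:
    """Lambda entry point. `ec2` is injectable so the logic can be tested without AWS."""
    detail = event.get("detail", {})
    if detail.get("eventName") != "AuthorizeSecurityGroupIngress" or detail.get("errorCode"):
        return {"action": "ignored"}  # wrong event, or the API call itself was rejected
    params = detail["requestParameters"]
    group_id = params["groupId"]
    bad = offending_permissions(params)
    if not bad:
        return {"action": "allowed", "groupId": group_id}
    if ec2 is None:
        import boto3  # only needed inside Lambda; the demo and tests inject a stub
        ec2 = boto2_client = boto3.client("ec2")
    ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=bad)
    return {"action": "revoked", "groupId": group_id, "revoked": bad,
            "principal": detail.get("userIdentity", {}).get("arn")}


class RecordingEc2:
    """Stand-in for boto3's EC2 client used by the stand-alone demo and tests."""

    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(kwargs)
        return {"Return": True}


# Constructed event: SSH opened to the world (and a private range) plus HTTPS to the world.
SAMPLE_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.20.0.0/16"}]}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
}

if __name__ == "__main__":
    client = RecordingEc2()
    print(handler(SAMPLE_EVENT, None, ec2=client))
    print("revoke calls:", client.calls)
```

The boto3 client is created only inside Lambda; `RecordingEc2` is a stub so the decision logic runs and can be tested without AWS credentials. Only the world-open range on port 22 is revoked: the private 10.20.0.0/16 entry and the public HTTPS rule survive, which is what keeps a guardrail like this from becoming the thing developers work around. The handler also ignores events carrying an `errorCode`, since a rejected API call created nothing to revoke.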
The case for integrating security with application teams also applies to an organization’s digital transformation efforts. Cybersecurity teams are increasingly using sophisticated algorithms for threat detection and to improve their effectiveness against attackers. These AI algorithms can spot an intrusion during the early stages of an attack and allow security teams to provide predictive analysis of what an attacker may target next. The security team’s hands-on use of AI and machine learning (ML) tools can be of value to the core business as digital transformation projects are started. Security team members with AI/ML experience should be matrixed to these projects to provide their perspective.
When coming up with strategies to Level Up cybersecurity teams, it’s clear that integration with the core business and its functions is paramount. Integration can happen at the strategic level with the board of directors and at the tactical level with application development teams. It can also occur with key corporate functions such as the legal and public relations teams. Security leaders must get outside their comfort zone and their metaphorical “bat caves” and interact with the organization. This also means loaning talented team members to development teams and other areas of the business. These steps are necessary if perceptions about IT and security are to change. Finally, security leaders who can speak as intelligently about financial impacts as they do about malware techniques will find success in future endeavors.