Eliminating Language Barriers Between Information Security and the C-Suite

Whether or not security operations pose a core focus to a company or are an afterthought, the largest obstacle now affecting business and security outcomes is the language barrier that exists between security teams and the C-Suite.

In general, security groups’ budgets have increased over the years, with organizations adding more vendors to the mix, “layering” security with the latest new tool to address the latest threat. One of the newest such tools is “threat intelligence” which organizations are using to form an “intelligence-led security” program, a security operations center, or incident response capabilities. While threat intelligence and other solutions hold the answers to many of the important questions executives ask about cyberattacks, this terminology means nothing to C-level executives, nor does the output from these systems and programs. What does it mean that you have stopped one billion attacks this past month? What impact have the 30 incident responses you’ve run over that same period of time had on the business? What’s the significance to reducing response time from one month to one day?

Executives running and overseeing a company have two primary concerns: increasing revenue and shareholder value. There is a big disconnect between security and the C-suite because they speak two different languages. One is a very technical language that needs a translation layer to explain it to the executives. The other is a very strategic language that needs to be conveyed in a way that makes security part of the team and company, and ensures alignment and participation with the business units and executive suite.

What’s the fix? Communication. Each group has to understand the other at least enough to relay the core concepts as they apply to the other and in a language the other understands. As a first step, some companies are adding a technical expert—a “designated geek,” if you will—to their board of directors so they can work on improving communication and understanding. While that can help, it takes a lot more to make sure priorities, efforts and results don’t get lost in translation.

A Two-Way Street

Executives need to include the chief information security officer or chief technical officer as part of their strategic discussions and make sure that security leadership has the ability to push that communication down to their teams in a way everyone understands. To that end, CISOs and executives need to train their security operations personnel to ensure they understand the business. This starts by asking some critical questions:

  • Does every member of the security team understand what is it that you sell/produce/provide?
  • What are the things your security teams need to watch out for to protect revenue?
  • Many organizations operate large industrial control systems. If your organization has such a system, is your security team aware of this?
  • If your company is moving into the cloud or is about to launch a mobile app, does your security team know about this and have you enabled them to get the right monitoring in place to protect it?
  • Have you involved the security team as you were designing that new revenue stream, or evolving your business model in some other way, to be sure that security isn’t an afterthought?

These are just a few examples of how executives need to think about the enterprise to ensure that security is strategically aligned. It is incumbent on the business to train the security personnel on its priorities so that security teams can look for attacks that are important to the business and take action.

Likewise, security teams need to change how they communicate to the C-suite. Every security team should conduct a stakeholder analysis to identify who needs to be informed of what and when. It all comes down to content, format and frequency. Make sure you have regular communications with not only your peers in security and network operations, but with the business units, risk management, C-level executives, the board of directors, and anyone else in the company that is involved in the day-to-day objectives and operations of the company. The CISO should be the link to make this connection happen, working with executives to establish regular communication.

There is no “right way” to communicate. Some executives and boards are more technical than others. Security teams need to take the time to learn what type of communication will be most effective or forever struggle to align security with the business. Sticking with the generated metrics of number of events, alerts and incidents per month has far less impact than an update that contains the “who, what, when, where and why” of a thwarted attack. For example: “We identified and stopped one attack this month from a cyber espionage group targeting our Western European manufacturing facility, which is responsible for $20 million per year in revenue to the company.”

For those in security who feel they can’t deliver such a statement because their security infrastructure doesn’t provide that kind of information about threat actors and campaigns, there is a path forward. Look into creating a program that uses adversary-focused, contextual cyber threat intelligence and make sure you understand enough about your business to know the impact of threats against the various business units. With the communication gap closed, and security and business goals aligned, organizations can become more secure, and profitable.

Information Security Teams Drastically Underfunded, Understaffed

LAS VEGAS—As the information security industry’s hackers, IT professionals, technology developers and even Hillary Clinton’s campaign descend on Las Vegas for this year’s Black Hat conference, Black Hat has released the results of a survey from last year’s convention, offering an insider’s look at the state of cyberrisk. The report offers a failing report card for current investment on cyberrisk and some key feedback for the C-suite about current risk exposure.

The Rising Tide of Cybersecurity Concern is the second annual Black Hat attendee survey. Last year’s results included the alarming findings that 72% of respondents felt it likely that their organizations would have to deal with a major data breach in the year ahead, while approximately two-thirds of respondents said they did not have enough staff, budget, or training to meet those challenges.

Unfortunately, these top security experts have only grown more concerned. As cyberrisks proliferate – and attention from the C-suite increases – 15% “have no doubt” they will have to respond to a major security breach in the next year, with another 25% considering it highly likely and 32% calling it somewhat likely.

Yet information security teams are not getting the funding, staffing or training they need to combat this top risk. Only 26% of those polled said they have enough staff to simply defend against current threats. Black Hat reports some 63% of security professionals say their departments do not have enough budget to defend their organizations against current threats, with 20% saying they are “severely hampered” by a lack of funding.

The training critical to effectively managing evolving cyberrisks also presents a considerable concern for many security professionals. Two-thirds of respondents said they feel they do not have enough training and skills they need to perform all of the tasks for which they are responsible — up from 64% last year. Ten percent of respondents said they feel “ill-prepared” for many of the threats and tasks they face each day.

Experts considered the top new cyberrisks:

blck hat enterprise security

The weakest links in enterprise security:

When asked why security initiatives fail, some 37% of respondents (a plurality) pointed toward this shortage of qualified people and skills, with a lack of commitment and support from top management the second-most frequently cited response at 22%.

blck hat enterprise security

“Organizational priorities such as compliance and risk measurement consistently reduce the time/budget available for security professionals to resolve issues they consider the most critical,” Black Hat noted. “These pressing issues include targeted attacks, social engineering, and internal application security troubleshooting. Although the 2015 report revealed this trend, rather than a reverse in expenditure behavior, the issue has continued to increase.”

Additional findings from the survey include:

  • 37% see the re-emergence of ransomware as the greatest new threat to appear in the last 12 months
  • The attacker that 36% of security professionals fear most is the one with internal knowledge of the organization
  • While the emergence of the Internet of Things (IoT) has garnered much attention in recent years, only 9% of those surveyed are currently concerned with IoT security. However, 28% believe this will be a concern two years from now. This ranking has not altered since 2015.

Holding Executives Accountable for Cybersecurity Failures

The average cost of a data breach for companies surveyed has grown to $4 million, a 29% increase since 2013, with the per-record costs continuing to rise, according to the 2016 Ponemon Cost of a Data Breach Study, sponsored by IBM. The average cost hit $158 per record, but they are far more costly in highly regulated industries—in healthcare, for example, businesses are looking at $355 each, a full $100 more than in 2013. These incidents have grown in both volume and sophistication, with 64% more security incidents reported in 2015 than in 2014.

Ponemon wrote:

Leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach–saving companies nearly $400,000 on average (or $16 per record). In fact, response activities like incident forensics, communications, legal expenditures and regulatory mandates account for 59 percent of the cost of a data breach. Part of these high costs may be linked to the fact that 70 percent of U.S. security executives report they don’t have incident response plans in place.

With so much on the line, more and more companies and consumers continue to search for whom to hold accountable for cybersecurity failures, and the message is becoming clearer: executives need to get serious or watch out.

In a recent report from Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports,” board members expressed a surprising amount of confidence in their abilities to understand and act on cyberrisk threats and indicated there are real risks on the table for IT and security executives. Almost all of those surveyed said that some form of action will be taken should these executives not provide useful and actionable information, with 59% claiming there is a good chance one or more security executives would lose their job over such reporting failures.

More board members (26%) ranked cybersecurity risk as their highest corporate priority than any other risk, including financial, legal, regulatory and competitive risks, and 89% said they are “very involved” in making cybersecurity decisions.

Following the typical presentations from IT and security executives, more than three in five board members are both significantly or very “satisfied” (64%) and “inspired” (65%), but 32% are significantly or very “worried,” and 19% are significantly or very “confused” and “angry.”

According to the report:

Of the information provided to them during these presentations, the majority of board members (97%) say they know exactly what to do or have a good idea of what to do with the information. This statistic, however, does conflict with IT and security executives’ thoughts on the information they present. Based on our December 2015 survey, only 40% of IT and security executives believe the information they provide the board is actionable. There is a clear disconnect here between what the board perceives is actionable information, and what IT and security executives define as data that can be used to make informed decisions.

“IT and security executives are focusing on what they believe are the most impactful issues: a) forward-looking information about known vulnerabilities that could potentially harm the company in the future, b) specifics about data that was lost as a result of known infiltrations and data breaches, and c) the impact of these infiltrations and breaches,” Bay reports. “Interestingly, while information about how much is spent to address cyber risk is reported by IT and security executives in less than one-half of the companies surveyed, this was the most commonly cited information that board members said they needed to make investments for cyber risk planning and expenditures.”

Bay also pointed to a critical challenge in the education gap of many board members and the reliance upon information security executives: a large portion of the education board members have on infosec is from the organization’s IT and security executives, and “when the person education you on cybersecurity is the same individual tasted with measuring and reducing cyberrisk, there’s a fundamental disconnect.” It is extremely difficult for board members to understand what they are missing without education of their own and a third-party audit in place.

As cyberrisk continues to become a top enterprise risk priority, the consequences of failure may impact more of the C-suite than just chief information security officers or top IT executives. In May, following a social engineering fraud case that resulted in a wire transfer of 50 million euros, Austrian aircraft parts manufacturer FACC fired its chief executive of 17 years. Some regulators also want to start holding chief executives accountable in a way that truly speaks to them: their paychecks. According to a report from members of parliament on the British Culture, Media and Sport Select Committee, Britain’s status as the leading internet economy in the G20 is under threat from a combination of increasing reliance on digital infrastructure, and inadequate protection of it. To address the issue, they suggest that chief executives who fail to prevent cybersecurity breaches have a portion of their pay docked.

Such was the case with Baroness Harding, the chief executive of TalkTalk, Britain’s fourth-largest broadband provider, which suffered a high-profile cyberattack recently. Her performance bonus was slashed by more than a third as a result of the company’s security failings.

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment,” said Jesse Norman, chairman of the committee. “Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.”

Navigating Technology Risks

One of the key questions being asked by audit committees and boards of directors of organizations around the globe is whether their emerging technology risks are being properly identified and managed. To that end, the Global Internal Audit Common Body of Knowledge (CBOK) released “Navigating Technology’s Top 10 Risks,” which identifies the top technology risks and ways that organizations can learn about and address these risks.

Here are the top five out of 10 risks ranked by the study:

1.      Cybersecurity

One of the biggest cybersecurity risks faced by companies is the possibility of theft of confidential data by external perpetrators, and the study found this is the most discussed IT topic among executives, internal auditors, audit committees and the board. One of the biggest cybersecurity risks faced by companies is the possibility of theft of confidential data by external perpetrators. More than 70% of survey respondents consider the risk of a data breach to be extensive or moderate, while 82% of IT specialists consider this risk to be even higher.

2.     Information Security

With the recent spotlight on data breaches, the current focus is a layered defense of critical information rather than a single layer of protection.

A strong information security program encompasses:

● Robust risk assessment process

● Effective governance and compliance procedures

● Documented and communicated information security policies and standards

● Effective security awareness training program

● Efficient access control procedures

● Tested disaster recovery, business continuity and incident response programs

● Operational asset management, network management, patch management and change management processes

● Tight physical security

3.     IT Systems Development Projects

While organizations need to update their technology systems, success rates are low. The study found that the success of systems development projects was 16.2% for overall success, 52.7% for challenged projects and 31.1% for impaired or canceled projects.

Examples of project objectives not achieved include missed deadlines, cost overruns, efficiencies not delivered as expected, flawed software that was not tested before implementation, reduced integration from the initial plan and less functionality than was identified in the business case when the project was approved.

4.     IT Governance

In many organizations, management questions the amount of money spent on IT and increasingly monitors IT costs. This added emphasis is also due to the widening gap of what IT thinks the business needs and what the business thinks IT can deliver.

A good IT governance program must have these elements:

● Clear alignment to business

● Measurable value delivery to business

● Accountable controls of resources, risk, performance and cost

IT Governance Activity

5. Outsourced IT Services

Because of the increased focus on IT costs, some key IT services have been outsourced. According to the study, this can expose an organization to risks that may remain undiscovered until a failure occurs. An average of six out of 10 internal auditors surveyed said they expect an increase in audits of outsourced IT services over the coming year, according to CBOK, which is administered through the Institute of Internal Auditors. The largest increase is expected in Sub-Saharan Africa and the smallest in Europe.