Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

10/11/2019
10:00 AM
By Brian Contos, CISO, Verodin
Commentary

Close the Gap Between Cyber-Risk and Business Risk

Four steps outlining how security teams can better understand their company's cyber-risk and demonstrate to company leadership what's being done to mitigate the resulting business risk.

In my role as CISO of a security company, I travel around the US and abroad quite a bit and have the opportunity to meet with security practitioners from many industry sectors. I also give talks and present to people on the front lines about the importance of treating cybersecurity like any other business operation.

With the number and variety of cyberattacks on the rise, and the growing number of companies that experience some form of breach, cyber-risk is now a component of business risk. As such, a company's exposure to cyber threats is a top-of-mind issue for C-level executives, which puts increased pressure on the CISOs I talk with to ensure their security controls work as intended. Yet there seems to be a large gap between how companies should address cyber-risk and what they are actually doing.

How do I know this? Aside from conversations and interactions with security leaders that point to this trend, I also collect security statistics from hundreds of audience members via real-time polling software when I'm making a presentation. My audiences generally include red and blue security teams, auditors, security executives, and individuals representing various non-technical, non-security leadership roles across government organizations, financial services, transportation, telecom, retail, healthcare, and oil and gas, just to name a few — providing an interesting cross-section of perspectives.

Recently, I posed this question: "Does your leadership leverage security metrics for business decisions?" Surprisingly, 49% voted that they "rarely or never" use security metrics for business decisions, while 51% said "half the time," "usually," or "always." That just over half of respondents use security metrics at least half the time is encouraging, but the nearly half who rarely or never use them shows there is a lot of room for improvement in helping business leaders understand, and measure, the impact of cyber-risk on financial, operational, and brand risk.

Another polling question, "How good is your organization's security team at mapping cybersecurity risks to business risks?", revealed that 77% of respondents felt their security teams did a poor to fair job of it. This shows that while security is maturing and playing a greater role in critical business functions, as an industry we are not far enough along. Most people probably know that mapping cyber-risk to business risk is a good idea, and want evidence-based data so cybersecurity can be measured like other business units, but there is clearly a disconnect about how to do it.

While companies are beginning to understand all that is at stake when a breach occurs (loss of brand trust, compromised customer data, and millions of dollars in lawsuits, to name a few), there is little understanding of how to measure an organization's cyber-risk and what actionable steps to take to improve the company's security posture.

Here are my recommendations for how security teams can better understand their company's cyber-risk and demonstrate to company leadership what's being done to mitigate the resulting business risk.

1. Stop assuming and start measuring.
It used to be enough for security teams to think only of performance and speed when evaluating security solutions. That is no longer true: the environment is increasingly complex to manage, and security must also measure and report its effectiveness to the rest of the organization (including sales, marketing, human resources, and finance). This reporting must rest on quantitative, data-driven measurements rather than assumption-based metrics, so that it provides evidence that security controls are working as they should.

2. Conduct and automate tests on an ongoing basis.
Given point No. 1 above, evidence is needed on an ongoing basis to demonstrate what is and is not working. Companies tend to look to audits and penetration tests for this, but these approaches are limited: they provide a point-in-time snapshot of security controls rather than a continuous, end-to-end picture. They still have their place for finding attack paths nobody anticipated; the point is that they should complement continuous validation rather than stand in for it. Testing options exist that not only identify vulnerabilities but also prescribe the fix, validate that the fix worked, and then automate the process for continued validation, particularly as environmental drift occurs, so that what works keeps working. In other words, fix it the right way, make sure it's fixed, and keep it fixed.

3. Be sure you're evaluating and implementing the right security solutions.
When considering any security solution, it is important to know whether you are evaluating the right products for your environment and for enabling the business. Think of it this way: you only create internal processes, build apps, or hire people if doing so will improve the overall effectiveness of the company. Security has been excluded from this type of evaluation for too long, simply because the right tools to rationalize investments did not exist. Such tools now exist and give security leaders insight into how security components both enable and improve the business.

4. Report actionable information to the executive team.
If you are a security professional, you likely know that key stakeholders in the company (the audit committee, the C-suite, and the board) want assurance that the security controls in place are effectively protecting the company and its digital assets. Look for systems and platforms that provide the evidence-based, practical reporting your executive team requires, and convey with confidence that the security infrastructure is continually monitored and optimized to minimize business risk.
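The four steps above, as an added worked example that is not code from the article or from Verodin: a small Python harness that measures a set of security controls against a configuration snapshot instead of assuming they work (step 1), re-runs the same checks later and flags controls that regressed after environmental drift (step 2), and summarizes the result by the business risk each failing control leaves open, with a prescriptive fix, for executive reporting (step 4). The environment snapshots, control names, risk categories and thresholds are constructed assumptions for illustration; a real deployment would pull the snapshot from firewall, identity, logging and TLS configuration APIs.

```python
"""Added example (not from the article or Verodin): continuous security-control
validation with drift detection and a business-risk-mapped summary.
All snapshots, control names, risk categories and thresholds are constructed
assumptions for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Snapshot = Dict[str, object]


@dataclass(frozen=True)
class Control:
    name: str
    business_risk: str                   # business risk this control mitigates
    check: Callable[[Snapshot], bool]    # measurement, not assumption
    fix: str                             # prescriptive remediation on failure


# Constructed snapshot of a fictional environment's configuration state.
BASELINE: Snapshot = {
    "egress_allowed_ports": [443],
    "mfa_required_for_admins": True,
    "siem_forwarding_hosts": 40,
    "total_hosts": 40,
    "tls_min_version": "1.2",
}

# Hypothetical control catalogue: each check is a measurable pass/fail.
CONTROLS: List[Control] = [
    Control("egress-filtering", "data exfiltration / customer data loss",
            lambda s: set(s["egress_allowed_ports"]) <= {443},
            "Restrict outbound firewall rules to port 443"),
    Control("admin-mfa", "account takeover / fraud",
            lambda s: s["mfa_required_for_admins"] is True,
            "Enforce MFA policy for privileged accounts"),
    Control("log-coverage", "undetected breach / regulatory exposure",
            lambda s: s["siem_forwarding_hosts"] / s["total_hosts"] >= 0.95,
            "Deploy the log forwarder on the remaining hosts"),
    Control("tls-minimum", "transaction interception / brand trust",
            lambda s: s["tls_min_version"] in ("1.2", "1.3"),
            "Disable TLS 1.0/1.1 on public endpoints"),
]


def run_validation(snapshot: Snapshot) -> Dict[str, bool]:
    """Measure every control against the current snapshot (steps 1 and 2)."""
    results: Dict[str, bool] = {}
    for c in CONTROLS:
        try:
            results[c.name] = bool(c.check(snapshot))
        except (KeyError, ZeroDivisionError, TypeError):
            results[c.name] = False   # missing evidence counts as a failure
    return results


def detect_drift(previous: Dict[str, bool], current: Dict[str, bool]) -> List[str]:
    """Controls that passed before and fail now: 'keep it fixed' (step 2)."""
    return sorted(n for n, ok in previous.items() if ok and not current.get(n, False))


def executive_summary(results: Dict[str, bool]) -> Dict[str, object]:
    """Pass rate plus the business risks left open by failing controls (step 4)."""
    by_name = {c.name: c for c in CONTROLS}
    failing = [n for n, ok in results.items() if not ok]
    return {
        "controls_validated": len(results),
        "pass_rate_pct": round(100 * (len(results) - len(failing)) / len(results), 1),
        "open_business_risks": sorted({by_name[n].business_risk for n in failing}),
        "actions": {n: by_name[n].fix for n in failing},
    }


if __name__ == "__main__":
    baseline_results = run_validation(BASELINE)
    # Constructed later snapshot: a change request opened port 22 outbound and
    # 12 new hosts were built without the log forwarder (environmental drift).
    drifted = dict(BASELINE, egress_allowed_ports=[443, 22], total_hosts=52)
    current_results = run_validation(drifted)
    print("regressed controls:", detect_drift(baseline_results, current_results))
    print("summary:", executive_summary(current_results))
```

Scheduling `run_validation` on every configuration change (or on a timer) and alerting on a non-empty `detect_drift` result is what turns a one-time audit finding into continuous evidence; the summary is deliberately phrased in business-risk terms rather than control names so that it can go to the audit committee unchanged.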

If you are among the nearly half of respondents who said they "rarely or never" use security metrics for business decisions, or in the 77% who say their security teams do a poor to fair job of mapping cybersecurity risks to business risks, the steps above can help you better manage your organization's cyber-risk and business risk, and ultimately protect the company and preserve its brand, operations, and financial position.


Brian Contos is the CISO & VP of Technology Innovation at Verodin. With over 20 years of security industry experience, working across more than 50 countries and six continents, he is a seasoned executive, board adviser, security company entrepreneur, and author.