Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/21/2018
10:30 AM
Jo-Ann Smith
Jo-Ann Smith
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Proving ROI: How a Security Road Map Can Sway the C-Suite

When executives are constantly trying to cut the fat, CISOs need to develop a flexible structure to improve baseline assessments and target goals, tactics, and capabilities. Here's how.

It's no secret that cybersecurity is top of mind for most modern enterprises. But a recent survey from Marsh, a risk management company, reveals that only one in five organizations has the tools in place to manage the risk of a cyberattack, despite high-ranking executives claiming it is a top risk management priority. Why the disconnect? It often stems from the fact that security products and tools don't seem to have a return on investment (ROI) that directly affects business results, which makes advocating for them a tough task for security practitioners.

As organizations struggle to quantify the value of cybersecurity investments, it's important to note that true ROI comes from defending the organization against material impact. A study from Juniper Research shows data breaches will cost businesses more than $2 trillion dollars by 2019. As such, smart security spend pays for itself in cost savings, reputation protection, and more, given the direct connection between loss prevention and a company's bottom line. We're facing a reality in which organizations understand they need to care about security, but to really get executive buy-in, the security team needs to prove ROI — the right kind of ROI — and provide a clear plan for implementation. 

Meanwhile, traditional infosec roles are expanding beyond just security operations. Security professionals now wear multiple hats and need to justify the need for implementing certain tools, instead of just making sure they function correctly.

Faced with this new test of leadership, how can security teams get senior leaders to understand that security should be built into the products and the process at the outset, so companies aren't adding it after they're faced with a major security incident? Putting a security road map in place can help plan the tactical actions necessary to sway the C-suite to commit and spend.

An effective road map creates a flexible security structure under the CIO that runs under four distinct towers:  

1. Security oversight: Encompassing enterprise governance and KPI tracking.

2. Information risk: The design and sustainability of an internal risk management program that tracks general enterprise risks and exceptions where higher risk levels are acknowledged.

3. Security architecture and engineering: That which relates to the proactive and progressive deployment of security controls and tools that help to track and mitigate risk.

4. Security operations: The operational model that leverages all three of the previous towers to monitor and report on issues and incidents.

From here, the following four steps are designed to help infosec professionals put their road map into practice.

Practice 1: Assess Your Risks, Assets and Resources
You should first identify and document the assets you need to protect most. What's important to your business, and what are the main threats to your systems and data? Then you need to understand the probability of cyber threats to these assets. If your security team isn't adequately staffed, feel free to leverage other teams or hire a contractor, if needed. Once you're done assessing, you should also select a security framework to follow — such as the National Institute of Standards in Technology's — one that covers any relevant regulatory requirements, to keep the program on track.

Practice 2: Update Your Information Security Policy
To get buy-in at the C-level, you'll have to start at the manager level and work your way up. Updating your existing policies and creating security standards for general use will allow you to give them guidance on high risk areas. Managers will also benefit from translating risk assessments into business terms and using metrics that resonate with the C-suite.

Practice 3: Identify New Controls Required and Deploy Them
Make sure to log all access to data by a unique identifier, which will require a log management tool or security information and event management system. Limiting access to specific data to specific individuals is typically a good rule of thumb. You should also require unique system usernames and passwords and eliminate the sharing of group-based accounts. Protecting against data leaks is vital to make sure no sensitive data is emailed outside of the organization. Once you're ready to test these controls, you should use a phased approach to ensure that they're incorporated into the software development life cycle for new infrastructure and application deployment. During the testing process, you should not only note if the solution works technically but also that it doesn't impose too much of a burden on your employees or processes.

Practice 4: Educate Your Employees, Executives, Vendors & Customers
Once you're ready to roll out your new policies, you'll need to focus on internal and external education. Internally, you should explain what employees should do to comply and the consequences they face if they fail to do so. Holding regular security trainings will also help boost awareness and hold everyone accountable. Externally, you should let vendors and customers know about your new policies and what they need to do to comply.

When enterprises are constantly trying to cut the fat, an effective road map is the fastest way to bootstrap cohesive action. It will allow you to improve your baseline assessments, target goals, tactics, and capabilities. By effectively calculating risk, laying out security products' worth in terms of managing this risk, and justifying their place in the budget, infosec professionals will be able to sway the C-suite.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Jo-Ann Smith is an IT security professional who has worked in information technology as both an employee and a consultant for more than 20 years. She currently serves as the Director of Technology Risk Management and Data Privacy at Absolute. Jo-Ann is responsible for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Apprentice
12/22/2018 | 1:36:32 AM
Protect yourself
I reckon that last point about proper education of people and stakeholders is one of the most important points in this whole article. I remember the old days when security just wasn't something that you had to think about because we didn't expect that there would be people who would try and steal information.  But alas, we have moved past that and there are opportunists everywhere that are out to get you. So we have to do something about it, right?
MelBrandle
50%
50%
MelBrandle,
User Rank: Apprentice
12/17/2018 | 1:25:36 AM
Teamwork cooperation
In every organization, teamwork is key to ensure that a specific set of goals can be met at the end of the day. It is not just about making sure that everyone can work together to get tasks done but it is ultimately to strive in reaching their main aim. Moving forward each day would be made much easier when everyone knows where to move towards.
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.