Dark Reading is part of the Informa Tech Division of Informa PLC

Risk

12/6/2019 10:00 AM

Success Enablers or Silent Killers?

These five success enablers will help CISOs report, measure, and demonstrate ROI to the C-suite.

CISOs today are challenged to report, measure, and demonstrate return on investment to the C-suite and board. CISOs must address these success enablers, because if they don't, they become silent killers. The lack of ability to report, measure, and demonstrate ROI has been keeping CISOs from a strong and enduring relationship with the C-suite.

The following is a high-level cycle of five success enablers. The first, if successfully set up, enables the second, and onward, with the last reinforcing the first.

1. Security Goals That Don't Resonate with the C-Suite and Board
We often hear: "Security is a journey, not a destination." That's a real problem for business executives because they're driven by results. They have a fiduciary duty to shareholders to get the most value from an investment. If CISOs have not established security goals that resonate with executives, there isn't a destination to showcase. In this way, security becomes a journey without a destination. Unfortunately, for CISOs that's often a journey to C-suite discontent and onward to a new organization.

CISOs should align their cyber resilience goals around the business's crown jewels. These are top-of-mind business assets that have executive and board-level significance and are clearly critical to business success. This way, the value that security provides is crystal clear and doesn't need to be supported with a regulatory or complex probabilistic impact argument.

2. A Strategy That Doesn't Clearly Interlink Height, Depth, and Breadth of Cyber Resilience
Most security strategies weakly establish the height, depth, and width of what we might call the "cyber resilience wall." This is an oversimplification in security terms but an easy way to connect with business leadership to agree on key concepts to frame impact control expectations and security costs.

Threat sophistication covers a full spectrum of capabilities — from accidental to nation-state. Commensurately, the sophistication necessary to counter them varies — as do the costs. Controls and control groups can calibrate costs to defend to various levels. And the CISO should be able to pitch cost levels of cyber resilience. Let's call this the height of the cyber resilience wall.

Not all security controls act in the same way. Some controls predict, to help prioritize defenses; prevent, to stop or divert attacks; detect, to alert responders; respond, to handle attacks and impacts; and recover, to learn, recoup, and mitigate. Let's call this the depth of the wall.

The width of the cyber resilience wall is scope and coverage. Controls often don't have a firm grasp of scope (e.g., do I know where all the important data is?) and rarely achieve full coverage of known scope.

These three dimensions directly influence the business plan.

3. A Business Plan That Doesn't Provide the C-Suite with Clear Risk Appetite Choices
You buy "security" to protect against impact. You can do that by preventing the breach that leads to impact, or by handling the breach such that impact doesn't cross a line of "unacceptable" quantity. CISOs are poorly armed today to robustly justify the quantity of impact control that a specific budget can buy. And that's very frustrating for executives. Because there isn't a strong correlation between security investment and control of impact, it's easy for executives to cut budgets, or to under-budget, and not feel repercussions. This is why "risk appetite" has been so elusive.

4. Inconsistent SecOps KPIs, Metrics, and Reporting
Because most control leads and security frameworks largely focus on the technical side of security controls, they don't effectively run security like a business.

Consequently, security controls aren't measured to a core set of KPIs that accurately predict performance results. Security control KPIs are often inconsistently chosen and measured, and that leads to poorly calibrated, ineffective, inefficient controls, which often set a false sense of security, deliver weak cyber resilience results, and burn a lot of cash.

5. Inability to Show Results That Matter in a Convincing Manner
One of the best and clearest ways to show results is a well-structured set of red-team exercises.

Red teams can be particularly valuable because they can variably emulate threat sophistications and tactics, they can be multimodal (that is, cyber, physical, social), and be pace-throttled.

More importantly, they should aim at strategic security goals (with the ability to act variably and evaluate SecOps performance), robustly evaluate strategic priorities, and prove SecOps performance — down to the level of individual controls and specific resources. In this way, red teams can be the objective rudder on the security program.

The Rodney Dangerfield Effect
If CISOs don't address these success enablers, they will have a difficult time propelling themselves to a position of appropriate influence or maintaining their position. They will then experience poor perception and traction, and frustration from executives. They may not receive the funding or resources they need, or executives won't be convinced they're delivering satisfactory results.


Douglas Ferguson, a security professional of over 20 years, is the founder and CTO of Pharos Security. Pharos specializes in aligning security goals and strategy to the business and a calibrated risk appetite, ensuring an integrated business plan and optimized ...