Blogs
Are Companies Not Paying Enough Attention to Cybersecurity? - Through the GRC Lens, April 2021
- IT Risk & Cyber Risk
- 11 May 21
4 min read
Introduction
It feels like we’ve suddenly entered a rabbit hole of cyberattacks. Starting from the SolarWinds attack to Facebook’s old leak resurfacing, to the LinkedIn hack, and more, 2021 has so far been immensely challenging for cybersecurity officials, leaving only one thing on their priority list – cyber resilience – broadening protection, detection, and response measures to future-proof their cyberattack mitigation strategies.
_____________________________________________________________________
The data breach crisis escalated last year as more records were compromised in just 12 months than in the previous 15 years combined reported Canalys in a special report ‘Now and Next for the cybersecurity industry’, adding that cybersecurity must be front and center of digital plans, otherwise there will be a mass extinction of organizations, which will threaten the post-COVID-19 economic recovery.
However, not just the last year, 2021 has also brought with it a fresh set of unfortunate news. Beaming’s analysis of commercial internet traffic found that UK businesses encountered 172,079 cyberattacks each, on average, between January and March 2021, the equivalent of 1,912 per day, reported Information Age.
And although, there seems to be an increase in number of attacks, a new report from Audit Analytics, “Trends in Cybersecurity Breach Disclosures,” revealed that cyber breach disclosures fell in 2020 for the first time in five years. “It would not be surprising to learn of additional attacks that occurred throughout 2020 that remain undisclosed,” Audit Analytics said.
Post this report, Booking.com was fined €475,000 after failing to report a serious data breach that happened in 2018. The Dutch Data Protection Authority imposed the fine, after calling the incident a “serious violation” of the EU’s data protection regulation. AP vice president Monique Verdier said in a statement: “This is a serious violation. A data breach can unfortunately happen anywhere, even if you have taken good precautions…But to prevent damage to your customers and the recurrence of such a data breach, you have to report this in time.”
According to Compliance Week, “The costliest cyber-security breaches aren’t necessarily those that result in the largest loss of records as much as the type of data stolen.” But it does seem like negligence and non-compliance have a number that keeps going up. The world’s top brands across sectors might lose between $93 billion and $223 billion because of a data breach, a first-of-its-kind study by Interbrand and Infosys, called ‘Invisible Tech, Real Impact’, has found. Following the report, Macquarie was slapped with a $500m capital buffer after ‘multiple breaches’ by the Australian Prudential Regulation Authority.
More recently, Gartner released its Emerging Risks Monitor Report which identified cybersecurity control failures as the top emerging risk in 1Q21 in a global poll of 165 senior executives across function and geography. Cybersecurity control failures also ranked third overall in “risk velocity,” an additional metric that Gartner tracks in the Emerging Risks Monitor Report.
Current research estimates that this year alone, businesses will spend $106 Billion on cybersecurity, and that is a direct result of a 300% increase in cybercrimes that have been reported to the FBI since COVID-19 started, said Suzy Greenberg, Vice President of Intel Product Assurance and Security for Intel, in conversation with Forbes.
The Need of the Hour
Security and risk management leaders must address these eight top trends: Cybersecurity Mesh, Identity-First Security, Security Support for Remote Work, Cyber-Savvy Board of Directors, Security Vendor Consolidation, Privacy-Enhancing Computation, Breach and Attack Simulation, and Managing Machine Identities, to enable rapid reinvention in their organization, said Gartner, Inc, adding that by 2025, 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member, up from less than 10% today.
While talking to Strategic Risk Europe about the art of the con, cyber security strategist Eddie Doyle said, “Threat actors are always going to be out there, so creating technologies to stop them is necessary…We’re already starting to see the future, which is all about blockchain and artificial intelligence…but today, what we can do is make sure that every employee is identified within our system, and that the remote access control is unique to each and every person. You need massive granularity on a system so you can see where users go, what they’re doing, and what things they’re trying to touch and not trying to touch.”
The World Economic Forum (WEF) recently published a report in collaboration with the National Association of Corporate Directors (NACD) and the Internet Security Alliance (ISA), and PwC. The report listed six consensus principles for cybersecurity board governance:
- Cybersecurity is a strategic business enabler
- Understand the economic drivers and impact of cyber risk
- Align cyber risk management with business needs
- Ensure organizational design supports cybersecurity
- Incorporate cybersecurity expertise into board governance
- Encourage systemic resilience and collaboration
Gaurav Kapoor, Co-Founder and Chief Operating Officer at MetricStream, called for a collaborative effort between organizations and regulators to ensure operational resilience in these unprecedented times. “Due to remote working and rapid digitization, the year 2019 and 2020 witnessed the highest number of cybersecurity breaches, financial frauds and third-party risks,” Gaurav said. “It is now critical for companies especially banks and financial services institutions, and regulators to work together to create the conditions where companies take advantages of business growth opportunities and accelerate digital transformation while remaining operationally resilient throughout.”
Jump to Topic
Related Resources
Blogs
Understanding Cloud Security and GRC
- GRC
- 05 May 21
4 min read
Introduction
Do you find Cloud Security daunting? Do you understand the different cloud relationships? Do you know standards that you can use as references? Do you understand Governance of Cloud Security? If you answered no to even one of these questions, this article will help you gain a better understanding of each of these areas and give you a great overview.
Cloud Security is often not treated as a priority by organizations using the cloud because there is an erroneous assumption, that cloud providers all know how to secure the data in the cloud and this is why they use cloud services so it’s one less thing to worry about. Organizations, that were not prepared for the pandemic and working remotely, rushed to cloud computing. Many of these organizations failed to consider risks or compliance with standards.
In traditional IT, the organization manages all of the levels of integration on its own. There are three main customer cloud relationships. The first is IaaS, Infrastructure as a Service, PaaS, Platform as a Service and SaaS, Software as a service. These can be public or private cloud providers.
Levels of Integration
- IaaS, the organization manages applications, data, runtime, middleware, and the operating system. The cloud provider manages virtualization, servers, storage, and network.
- PaaS, the organization manages applications and data. The cloud provider manages runtime, middleware, operating systems, virtualization, servers, storage, and network.
- SaaS, the organization manages none of the cloud computing. The cloud provider manages application, data, runtime, middleware, operating systems, virtualization, servers, storage, and network
Vulnerabilities
The National Security Agency (NSA) classified cloud vulnerabilities into four main categories: misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities.
The risks in cloud security must be managed by both the customer and the provider. Organizations that are customers can implement governance, technological, and strategic controls to mitigate risks.
Governance and Policies
Management should ensure that policies for cloud computing include guidance for implementation. Before developing and implementing the policies, risk concerns should be pondered and discussed. Examples of concerns include access to data in the cloud by cloud providers, what assets are going to be managed by the cloud provider, what processes are going to be multi-tenant, where do the cloud provider servers reside geographically, and many more. These concerns should also be managed with the cloud provider and included within contracts depending on the cloud implementation strategy that is chosen -IaaS, PaaS, and SaaS.
Controls
Organizational responsibility for data does not end when using the cloud. Some controls that should be considered and implemented include but are not limited to:
- Access control for network services
- Asset management including classifying information that is being stored in the cloud, and assigning responsibility for assets based on the category of cloud service that is chosen, and labelling of information.
- Communications security for the network and transfer of information
- Human resource security prior to employment, during employment, and when an employee changes position or is terminated.
- Incident management
- Information access restrictions by using controls such as password management, secure log on procedures, and privileged utility programs
- Information security related to business continuity management
- Key management
- Management of privileged rights through authentication techniques such as multi-factor authentication
- Management of secret authentication information and ensuring the cloud provider meets the requirements of the organization
- Operations security such as backups, logging, and monitoring technical vulnerability management
Compliance
In addition to governance, risk, and compliance(GRC) is a must. Compliance with legal and contractual requirements is essential. These are some International Standards Organization (ISO) standards and National Institute of Standards and Technology (NIST) standards that should be considered.
- ISO/IEC 17788:2014, Information technology — Cloud computing— Overview and vocabulary
- ISO/IEC 17789:2014, Information technology — Cloud computing— Reference architecture
- ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements
- ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls
- ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27018:2014, Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- NIST SP 500-292, Cloud computing reference architecture
- NISTIR 7956, Cryptographic key management issues & challenges in cloud services
Summary
Bad actors are finding new and better ways of getting access to data and attacking clouds each year such as abuse of cloud services, account or service hijacking, cloud malware injection attacks, denial of service attacks, insider attacks, man-in-the-cloud attacks, side channel attacks, and wrapping attacks, etc. Organizations must be prepared with the better implementation and management of cloud security to deal with bad actors.
Top 3 Takeaways
There are three relationships you can have with a Cloud Provider: IaaS, Infrastructure as a Service, PaaS, Platform as a Service and SaaS, Software as a service. The decision on which one to choose depends on how much you want to manage vs. having it done for you.
Even when the Cloud Provider is managing all levels of integration, there are still many controls that you should consider implementing.
Before developing your policies, a Risk Assessment should be done and controlling these risks should be managed with the Cloud Provider
Jump to Topic
Blogs
Cyber Resilience: The New Paradigm for Cyber Risk Management
- IT Risk & Cyber Risk
- 01 March 21
4 min read
Introduction
With the growing frequency and sophistication of cyberattacks, cybersecurity leaders are on high alert to implement and maintain an effective and sound cybersecurity program. Cyber risks and the challenges of ensuring robust cyber health are further exacerbated as the digital interconnectivity of people, processes, and organizations continues to intensify.
Cyberattacks are growing at an alarming rate and do not show any signs of slowing down. Attacks on web applications alone surged by a whopping 800% in the first half of 2020, according to a report by CDNetworks. The Center for Strategic & International Studies (CSIS) estimates that cybercrime costs the world nearly $600 billion every year. Furthermore, private sector companies are expected to lose $5.2 trillion in revenue to cybersecurity attacks over the course of five years, from 2019 to 2023, as per a report from Accenture.
It is important to note here that organizations are often not the victims of a targeted attack, such as hacks, DDoS (Distributed Denial-of-Service) attacks, and others. Untargeted attacks, such as those carried out via malware (worms, spyware, adware, computer viruses, etc.), phishing emails, etc., are not directed towards any specific person or business and are more common. These attacks indiscriminately infect devices, casting a net as wide as possible. According to CSO Online, phishing attacks account for over 80% of reported security incidents.
Today, organizations simply cannot assume that they can have an impenetrable cyber defense mechanism. As such, the global narrative has been gradually shifting from cybersecurity to cyber resilience in recent years—focusing on not just averting cyber breaches but also designing a strategy to minimize impact and potential loss and ensuring continued business operations during the attacks.
Cyber Resilience—Daunting Yet Possible
As cybercrime incidents continue to proliferate across the globe, achieving cyber certainty seems to be a pipe dream for companies. Achieving cyber resilience, however, is not only a realistic goal but also indispensable for businesses to thrive in this digital era.
Embarking on the path to achieve cyber resilience starts with the identification of the cyber threats that an organization is exposed to (such as ransomware, malware, phishing attacks, etc.), prioritizing the risks depending on the impact and probability of them occurring, and devising an effective response plan. In today’s digitized world, checking an organization’s cyber health has become an iterative process requiring continuous monitoring of business processes and IT infrastructure for identifying and addressing any vulnerable areas or loopholes.
Achieving the state of sound cyber resilience could be a daunting proposition for any organization. It has been noted that quite often organizations put more reliance on tools and techniques for building cyber resilience capabilities rather than the expertise of people and well-designed processes. The best practice is to find the right mix of people, processes, and technology while devising the cyber resilience management framework.
A cyber resilience framework is a structured approach that helps organizations proactively prepare for, effectively respond to, and swiftly recover from cyberattacks. It provides a comprehensive strategy to manage cyber risks.
An effective cyber resilience management program also requires integrating cybersecurity into business strategy and engaging the entire spectrum of stakeholders in the process for better decision-making.
MetricStream is helping organizations achieve cyber resilience in a simplified and streamlined manner, saving time, effort, and resources. With the MetricStream CyberSecurity Solution, organizations can proactively anticipate and mitigate IT and cyber risks, threats, vulnerabilities; have a 360-degree, real-time view of IT risk, compliance, policy management, and IT vendor posture; and implement an effective business continuity and disaster recovery program.
The Regulatory Perspective
International standard-setting bodies and national-level regulatory bodies are regularly publishing policies, guidelines, best practices, and more to help organizations prevent or mitigate cyberattacks.
The International Organization for Standardization (ISO), an international standard-setting body composed of representatives from various national standards organizations, has published ISO/IEC 27001 which provides requirements for an information security management system (ISMS). There is also the ISA/IEC 62443 series of standards, developed by the ISA99 committee, which provides a framework to address and mitigate existing and future security vulnerabilities in industrial automation and control systems (IACSs).
In addition to these global standards, there are various national standards such as the NIST Cybersecurity Framework, Cybersecurity Maturity Model Certification (CMMC) in the United States, Cyber Essentials in the United Kingdom, and the BSI IT Baseline Protection Catalogs in Germany, among others, which are intended to strengthen the cyber resilience of organizations operating in these countries.
Governments have also put into effect various cybersecurity regulations that govern the cybersecurity measures implemented by organizations. In the U.S. for example, healthcare organizations have to comply with the Health Insurance Portability and Accountability Act (HIPAA) while financial institutions have to adhere to the Gramm-Leach-Bliley Act. Organizations in the European Union have to adhere to the Network Information Security Directive, EBA ICT guidelines, the General Data Protection Regulation (GDPR), and other such regulations.
In 2020, the World Economic Forum created the Partnership against Cybercrime initiative that aims to explore ways to support and strengthen public-private cooperation against cybercrime and overcome existing barriers to cooperation. Such initiatives are particularly important for reinforcing the fight against cybercrime by businesses and regulators alike.
To conclude
The lack of a mature cyber resilience program and the resulting inability to thwart cyberattacks or minimize their impact can not only lead to regulatory fines and penalties but also reputational damage, loss of customer trust, and even threaten the very existence of a company. Public-private collaborative efforts to fight cybercrime, bringing together their respective strengths, capabilities, and resources, could go a long way to control the growing menace of cybercrime.
To learn more about cyber resilience read MetricStream’s eBook, A Shift from Cybersecurity to Cyber Resilience, which delves into the growing focus on cyber resilience management, the importance of cyber risk quantification, and provides quick tips on cyber resilience best practices and how to combat cyberattacks effectively with a cybersecurity incident response program.
Jump to Topic
Related Resources
Blogs
Lessons Learned from the FireEye Breach
- GRC
- 21 December 20
4 min read
Introduction
The recent FireEye breach is perhaps the most significant cybersecurity headline of 2020, with one of the leading advanced threat detection vendors falling victim to an apparent state-sponsored attack. As new details of the breach unfold, the nexus between cybersecurity and risk management become increasingly evident, forming the basis of several lessons learned.
Third Party IT Vendors – Your Weakest Link in Security
Over the last 10 years, IT departments have gained undeniable advantages and realized significant business benefits by utilizing third-party IT solutions. Rather than building costly on-premise IT infrastructure and services, agile businesses have reliably turned to third-party vendors, such as Amazon AWS, Salesforce, Microsoft and others to effectively and efficiently host, manage and provide mission-critical business and IT services.
Following in this practice, FireEye reportedly used the third-party network performance, management and monitoring software from SolarWinds, which appears to be the crux of the breach. However, the fact that the breach potentially stemmed from SolarWinds is irrelevant. The fundamental issue here is that supply chain and third-party IT solutions present real risks to enterprise security architectures.
Lesson Learned – Implement Third-Party Risk Management Solutions
The proverbial ship has sailed when it comes to outsourcing IT services, and despite recent attacks, businesses have much to gain (e.g. cost savings, agility, flexibility, productivity, etc.) by using outsourced and cloud-based services. Knowing this, the prudent course of action is to implement a solution that reduces risk associated with third-party vendors.
One such solution is the MetricStream Third-Party Risk Management offering, which protects businesses from existing and potential third-party threats. Built on the MetricStream M7 Integrated Risk Platform, MetricStream’s Third-Party Risk Management product provides an integrated, real-time view of the extended enterprise. It strengthens resilience, contains costs and optimizes business performance by automating the end-to-end processes for information gathering, onboarding, real-time monitoring, risk, compliance and control assessments and risk mitigation.
Policy – Without Policy Security is Toothless
In the cybersecurity world, policy and policy management is often overlooked and undervalued. However, without policy, enforcement of enterprise security programs is futile and inefficient. We see this every day in society. We have laws to protect citizens, but without the police (policy enforcement), we would live in a lawless society.
Every breach is an opportunity to learn, strengthen security and become more resilient. Policy factors into this, and should be included as part of a post-breach review. In fact, most breaches are not nearly as sophisticated as the FireEye breach, but are instead the result of employees not following security policies. For example, a spear-phishing campaign often succeeds because an employee clicked on a link embedded in a suspicious external email, even though corporate policy states not to do so.
Lesson Learned – Review Policy Management to Strengthen Security
MetricStream Policy and Document Management built on the M7 Integrated Risk Platform, streamlines and simplifies the creation and communication of organizational policies, while providing a centralized policy portal to store and access the latest policies. It delivers a contextual view to policies by mapping policies to regulations, risks and controls, thereby strengthening compliance while highlighting potential risks. Policy and Document Management raises awareness throughout an organization and brings policies to everyone, including first line employees, who are often the targets of cyberattacks.
Communications – Transparency is Critical to Recovery
One observation noted from the FireEye attack is the speed and transparency of their communications. Kudos to those involved, as often a breach is solely managed by Legal and/or IT. Whenever a substantive breach occurs, businesses face damage to their brand, sales efforts, customer success and partner base.
Not only do breaches potentially trigger lawsuits, but for many corporations, a material breach can also trigger SEC Regulation FD (Fair Disclosure) consequences. Cybersecurity incidents are often listed as part of corporate governance documentation relating to Regulation FD.
For those not in Legal or Corporate Communications, Regulation FD basically states that a corporation must prevent the selective disclosure of material, non-public information that could be used in the decision-making process of buying or selling a security. Depending on the severity of a cybersecurity incident, Regulation FD may apply.
Lesson Learned – Incident Response Must be Documented
As FireEye has shown, clear, quick and transparent communications is the way to best manage brand-challenging situations. Learning from their experience and response, every organization should have a PSIRT (Product Security Incident Response Team) policy in place BEFORE a breach or serious incident occurs. Response teams are usually comprised of different members within the enterprise, including representatives from Corporate Communications, Legal, IT/Security and the C-Suite. With MetricStream Policy and Document Management, creation of a PSIRT policy and process is simple and intuitive – a must have for any organization.
In conclusion, the FireEye breach will continue to dominate headlines as more information is revealed about the attackers, their processes, tools and techniques. As well, we hope to gain insights from what has transpired to find new and better ways to strengthen security and improve resilience. Clearly, more lessons are to be learned.
Jump to Topic
Related Resources
Blogs
Communicating Cybersecurity Effectively to the Board
- IT Risk & Cyber Risk
- 23 June 20
5 min read
Introduction
Cybersecurity has always been an unsought after investment like insurance – only useful when something bad happens. And It’s always been challenging for security leaders to communicate the value of cybersecurity investments to boards and peers. Everybody in an organization has their own perspective when it comes to cybersecurity, and that’s the reason that security professionals have always found it difficult to convince the management and get the budget approved.
But the situation is changing, as boards and management are getting aware of the importance of cybersecurity. Now it’s the security leader’s responsibility to communicate the importance of cyber security effectively. This also becomes highly important in the current scenario where huge risks of cyber breaches are looming and organizations are cutting cost because of slow business, to survive this pandemic.
In this blog, we talk about the best practices to effectively communicate cyber security to the board and management.
Be in Your Audience’s Shoes: Speak the language of the board and quantify cyber risks:
As per Deloitte’s 2019 Future of Cyber Survey, half the C-level executives responded that their organizations do not use any quantitative risk evaluation tools at all; while the other half still rely largely on the experience of their cyber experts or maturity assessments.
- Quantify Cyber Risks: In today’s “cyber everywhere” era, it’s of utmost importance to be able to accurately quantify cyber risks ahead of time and adversaries. CISOs who are able to communicate the dollar value loss to the organization in case a breach happens— make more sense to the board and C-suite executives.
- Communicating return on Security Investment (ROSI): The board and management are always concerned about the output of the investments made. Security leaders can calculate return on investment (ROI) by considering the investment on a risk basis. This can be done by calculating ROSI (return on security investment):
ROSI (%) = (ALE-mALE) – Cost of Solution ÷ Cost of Solution
ALE = annual loss expectancy, or the total financial loss expected from security incidents
mALE = ALE + the savings delivered by the security solution
Presenting the cybersecurity investment vs. risk reduction in terms of dollar value can be a good way to communicate the importance of cybersecurity for the organization.
- Use simple comprehendible language: It’s important that security leaders communicate cyber-risk in a language that the board and the rest of the C-Suite can comprehend. Because if you try to explain them malware and technical stuff, it’s a waste of time for them as they are not savvy about the technical details of cybersecurity.
- Competitive Comparisons: Comparing with peers in terms of risks scores,their cybersecurity posture, industry average etc. can be helpful as board and C-level executives wants to stay ahead of competition in terms of their readiness to face challenges.
Communicate the severity/losses of not having robust cyber security program:
According to the World Economic Forum’s Global Risks Report, “Data fraud, data theft, and cyberattacks as among the top five biggest risks world faces.” That’s because huge business impact of cyberattacks — for example, it has cost Maersk an estimated sum of $300 million after the NotPetya malware shut down operations and that Verizon paid $350 million less for Yahoo after it suffered two cyberattacks.
- Quote reports on losses due to not having a robust cybersecurity program: Security leaders can use this as a tool to communicate the value of having a robust cybersecurity program. For example: they can quote industry research such as: “According to a recent Accenture report, the average cost of cybercrime to an organization has risen to $13 million. Organizations must understand that cyber risk is a business risk for businesses of all sizes and industries”.
- Use real word stories and facts: Using proper reports, stories and facts while presenting to the board helps them to understand the financial risks associated if they get hacked. Stories about recent breaches of peers can be very relevant here.
- Prepare a cybersecurity plan and roadmap: Communicating a cyber security plan to achieve the desired level of cybersecurity maturity and providing quantifiable insights on improvement will help the management comprehend it better. Security leaders should come with a plan covering their existing cyber risks and the roadmap to fill those gaps.
Build trust and engage leadership
Winning the trust of the leadership and establishing credibility for yourself is again very important to build a culture of “Cybersecurity Everywhere” and convince management for required resources.
- Engage leadership in cybersecurity discussions: Security leaders should engage leadership in cybersecurity dialogues and build trust. Security leaders should not wait for board meetings to engage with the leadership on cybersecurity communications, they should communicate to the leadership about the progress of different cybersecurity programs and take their feedback and advice on regular basis wherever possible.
- Get your colleagues on your side: It’s always good to have someone to support your point of view while presenting to the board. To build trust with leadership it will be helpful for security leaders to get support from their colleagues while communicating cybersecurity to the board– to make them understand the value of “cyber-everywhere” mentality.
Be prepared to face objections and questions
When security leaders are preparing to present to the board to C-suite executives, they must be ready to face with all kind of non-tech, and sometimes technical questions as well.
- Be ready with all the required collaterals: Have all standard collaterals on hand, depending on the agenda of discussion. If it’s a budget approval board meeting, security leaders should be ready with the current state of cyber security and gaps and their action plan to fill the gaps and create robust cyber security. They should have collaterals like case studies, use cases, ppts, and risk quantification data wherever possible.
- Listen carefully to the board and provide answers: Prepare to defend and answer questions around cybersecurity investments and on other related topics. Sometimes you might get a surprise question, be a composed listener and answer carefully.
It is critical for CISOs and security leaders to communicate the value of cybersecurity effectively. If they are unable to communicate and quantify their cybersecurity risks properly, priority projects will not get enough funding as required, and this would lead to increased cyber risk for the organization.
Jump to Topic
Related Resources
Blogs
Communicating Cybersecurity Effectively to the Board
- IT Risk & Cyber Risk
- 23 June 20
4 min read
Introduction
Cyber security has always been an unsought goods like, insurance, which is useful only when something bad happens. And It’s always been challenging for security leaders to communicate the value of cybersecurity investments to board and peers. Furthermore, everyone in an organization has their own perspective when it comes to cyber security. That’s partly why security professionals find it difficult to convince management for budget approval.
But situations are changing, as boards and management are understanding the importance of security. Now it’s the security leader’s responsibility to communicate the importance of cyber security effectively. This has become very important during the pandemic when huge risks of cyber breaches are looming and organizations cut costs due to slowing business to survive the pandemic.
In this piece, we talk about the best practices to effectively communicate cyber security to the board and management.
Be in your audience’s shoes: Talk in the language of the board and quantify cyber risks.
As per Deloitte’s 2019 Future of Cyber Survey, half the C-level executives responded that their organizations use any quantitative risk evaluation tools at all while the other half said they still rely largely on the experience of their cyber experts or maturity assessments.
- In today’s “cyber everywhere” era, it’s more critical than ever to be able to accurately quantify cyber risks ahead of time.
- Security leaders should come with a plan for their existing cyber risks, and if a breach would occur, what would be the dollar value loss to the organization. And relate the impact of cyber attacks to the organization's value creation — business operations, reputation and loss exposure in terms of dollars — all of which effect the future of the organization.
- It’s important that security leaders communicate cyber risk in a language that the board and the rest of the C-suite can comprehend. Some are not savvy about the technical details of cyber security.
- Compare with peers’ your risk scores, cyber security posture, industry averages, etc. as boards and C-level executives want to stay ahead of the competition in terms of their readiness to face challenges.
Communicate the severity and losses of not having a robust cyber security program
According to the World Economic Forum's Global Risks Report, data fraud, data theft and cyber attacks are among the top five biggest risks world faces. That's because of the huge business impact of cyber attacks. For example, it cost Maersk an estimated sum of $300 million after the NotPetya malware shut down operations. Verizon paid $350 million less in its acquisition of Yahoo after the tech company suffered two cyber attacks.
- According to a recent Accenture report, the average cost of cyber crime to an organization has risen to $13 million. Organizations must understand that cyber risk is a business risk for businesses of all sizes and industries.
- Use proper reports and facts while presenting to boards helps them to understand the financial risks associated if they get hacked.
- Present a plan to achieve the recommended level of cyber risk and provide quantifiable insights on improvement
Use simple language: Build trust and engage leadership.
Again, it’s very important to keep in mind to use simple language and avoid technical jargons as much as possible when presenting to the board or trying to make your point to any non-technical C-suite executive.
- Security leaders should engage in dialogue to build trust and engage leadership. They should use real world breach stories, including ones from their peers and the kinds of losses they faced. These are more relatable to the board and management than listening to technical dialogue, which they might not understand.
- It is helpful if security leaders can get support from their colleagues while communicating cyber security to the board. Make them understand the value of a “cyber everywhere” mentality.
Be prepared to face any kind of objections and questions.
When security leaders are preparing for a presentation to a board or C-suite executives, they must be ready to face all kinds of non-tech, and sometimes, technical questions.
- They should be ready with standard material, depending on the agenda of discussion. If it’s a budget approval board meeting, security leaders should be ready with the state of current cyber security and any loopholes their action plans can fill to create a robust cyber security environment. They should also have collaterals like case studies, use cases and risk quantification data, whenever possible.
- Prepare to defend and answer questions around cybersecurity investments.
In summary, it’s critical for CISOs and security leaders to communicate the value of cyber security effectively. If CISOs are unable to communicate and quantify their cyber security program, priority projects don’t get funded which leads to increased breach risk. Fortunately today, there are many tools on the market that significantly improve a CISOs’ ability to effectively and systematically report to the board.
Jump to Topic
Related Resources
Blogs
Risk Quantification Heightens Value in Cyber Vigilance
- IT Risk & Cyber Risk
- 22 May 20
4 min read
Introduction
In this “New Normal” of COVID-19, where we rely more than ever on the digital world of virtual meetings and get-togethers, online shopping and delivery alerts, tele-medicine visits and triage – our security and cyber teams are on high alert to protect both regulated and sensitive data.
Ordinarily, most security and cyber teams patrol and prod an organization’s infrastructure, analyzing weaknesses and locking down IT assets to close gaps. Remediation comes in many flavors, from restricting access to tightening configurations based on recommended security settings, to partitioning networks to sequester sensitive information.
Getting a bee line on what ‘crown jewel IT assets’ need high priority attention is the mantra of these teams. It’s an ongoing challenge with the attack surface becoming more complex with third parties, cloud service providers and layers of software and technology blurring the lines of demarcation between what is ‘inside’ and ‘outside’ the organization. It is widely understood now that the concept of a ‘fixed perimeter’ is dead. With the advent of Work for Home, Distance Learning, and the dramatic increase in the use of digital solutions, the threat landscape is growing exponentially. And with it, risk to process, people and technologies.
Risk Quantification is Now Critical to Prioritize Successful Asset Protection
So how can teams understand what remediations to prioritize and where to apply scarce resources to lower risk by closing gaps?
A best practice that is quickly emerging in IT, security and cyber programs is risk quantification.
Risk quantification strives to create an operating risk score, based on multiple factors, in the context of business processes, current events and likely future events, network use and user behaviors with characteristics of data. Properly executed, teams can continuously calibrate and tune algorithms that produce scores. Ideally, scores produce a forward-looking view based on changes in the external environment, business processes and technologies.
For example, cyber risk postures are shifting with as threat actors target attacks on video conferencing and VPN traffic due to the uptick in the number of people working and learning from home. At the same time, the internet is stressed with an increase in streaming and gaming traffic. Spear-phishing and scams are on the rise. If email comes through that looks legitimate, pertaining to personal finance or health issues, employees working from home are apt to click and be trapped, increasing the risk of a bad actor penetrating their organization and threatening information and assets.
How to Quantify Risk With a Top-Down, Bottom- Up View
Teams strive for a top-down and bottom-up 360 view of risk to recommend mitigation investments. The diagram below shows how operational risk, resilience teams and cyber teams can get on the same page to do just that. Driving to a common risk score is a way to make sure teams use aligned techniques and methods.
Top-down views take information from the business in terms of dollars rather than just the days or hours to return to operations (RTO) or an recovery point objective (RTO). RPO and RTO are typically used to measure in resilience through business impact assessments (BIAs) and aren’t sufficient for risk quantification.
Cyber teams can work hand-in-glove with operational and resilience teams that look at inherent and residual risk within a high priority business process. Operational risk teams understand concepts like annual loss expectancy and can put a value of the criticality of a process – say keeping the order processing system up 24×7 – in terms of real dollars.
From a bottom-up perspective, security and cyber teams map threat and vulnerabilities to assets that support critical business processes. They strive to estimate the real cost of mitigating vulnerabilities; for example, strengthening access controls, patching software, replacing an unsupported application, implementing automated controls through firewalls, re-architecting and segmenting networks, outsourcing some apps to a 3rd party operating in the cloud, or taking on cyber insurance. There are limited options. With a risk score supported by a top-down view, cyber teams will be able to weigh one or a combination of mitigation strategies for optimal defense in depth.
For example, a team will have insight into the dollar amount to invest in and deliver the mitigation, such as deploying stronger anomaly detection software on a critical business process.
Risk Quantification Creates Agility and Speed in Remediation
With Risk Quantification, teams can increase their insight, agility and speed in remediation efforts. They can use scores to compare a forward-looking risk with dollar investments to mitigate against dollar impact. Teams can prioritize efforts based on the risk quantification score and the dollar magnitude of impact.
The leverage best practice, security and cyber teams must continue to diligently deploy and refine risk quantification methods – as a scalable discipline – and use them effectively to invest in the just the right areas as our cyber programs evolve with increasing digitalization.
Stay tuned!
Over the coming weeks, we will explore more best practices and how security and cyber teams are adapting to COVID-19, outlining how risk quantification methods tie to the digital asset/impact chain, how to move from risk to resilience, and orchestrate risk across IT, cyber, op risk, incident and crisis response and other disciplines.
Jump to Topic
Related Resources
Blogs
Through the GRC Lens – April 2020
- IT Risk & Cyber Risk
- 21 May 20
3 min read
Has “work-from-home” opened the door to more cyber-attacks?
In the last few months, the COVID-19 pandemic redefined risk management, forced businesses to review their cyber-attack mitigation strategies to understand the gaps in their approach to cybersecurity. Today, the world seems to be gradually re-emerging from the crisis and getting a grip on understanding the aftermath. Globally, businesses are beginning to prepare themselves for their return to work, anticipating the mid- to long-term implications of the crisis and working towards strategically responding to the challenges. While the world gets ready to adapt to the New Normal, let’s find out what made it to the headlines in April, through the GRC lens.
Redefining the remote work environment
In early March, JP Morgan, experimented by allowing 10% of their employees to work from home. A month later, JPMorgan’s Co-president Daniel Pinto, said that staff could work from home on a rotational basis more permanently, in line with the bank’s future vision of work. Recently, tech-giant Facebook also announced that most of its employees will be allowed to work from home through the end of 2020 and Twitter made WFH permanent for all its employees.
After witnessing no significant drop in productivity with the WFH regime, organizations around the world, seem to be getting comfortable with the idea. The new social distancing policies have also got organizations reconsidering their plan to get back to office.
Arguably, COVID-19 proved to be the greatest catalyst for rapid change in workplaces. According to the Bureau of Labor Statistics, only 29 percent of Americans were able to work from home before the COVID-19 era. It now appears that this could outlast the lockdown. However, this growing shift to virtual ways of working dramatically altered the cyber threat landscape, with a potential for greater risks, this year.
Strengthening the cyber defense
In the beginning of April, Marriott International revealed that a security breach may have exposed the personal information of 5.2 million guests. Soon enough, Cognizant was hit by ‘Maze’ ransomware attack, causing disruptions to some of its clients. Zoom, a heavily-used video-conferencing app, was again compromised by credential stuffing and over 5,00,000 credentials were sold on the dark web. Recently, Unacademy, an India-based online learning platform also suffered a data breach that exposed details of 22 million users.
Phishing increased by 350% since the coronavirus outbreak started (between January to March 2020), according to data gathered and analyzed by Atlas VPN. It goes without saying that remote work inevitably brings a new set of risks and challenges.
While we can’t solely blame the shift from office spaces to work from home for the increase in cyberattacks, organizations need to step up their cyber game to align better to this new way of working.
In a recent virtual conference, hosted by Global Cyber Center of NY, William Altman, the company’s Senior Analyst, said, “Organizations of all kinds are facing an uptick in email-based threats, endpoint-security gaps and other problems as a result of the sudden switch to a fully remote workforce…It’s now more important than ever to consider both the security practitioner as well as ethical-hacker perspectives in order to stay secure, that’s what this is all about.”
Looking at the brighter side, we can believe that every crisis comes with opportunities for reinvention and differentiation. Although, no one could have predicted the upheaval caused by the COVID-19 pandemic which disrupted businesses and economies around the globe, it has now become imperative for organizations to pay extra attention to the blind spots in risk management and strengthen their cyber defense.
Jump to Topic
