Knowledge Center: Article
What your business may still be missing in cybersecurity4/12/2018
Many businesses are investing significant time and money to fortify their cybersecurity defenses, remediate vulnerabilities, and manage and mitigate their exposure to cyber risk. Yet, even after businesses have analyzed recent cyberattacks and put protections in place, breaches are still assailing them and affecting their bottom line. Gartner predicts worldwide IT security spending will be around $132 billion by 2021,1 yet the cost of cybercrime keeps rising, with data breaches expected to cost businesses $8 trillion from 2017 to 2022.2
Despite the gloomy picture these statistics paint, many companies have made progress maturing their security posture, particularly in regulated industries such as financial services, where it is increasingly—and rightly—a boardroom topic. However, because of today’s highly digitized, connected business world, cyber is now a risk for all organizations across industries, not just those that hold sensitive data. And the majority of companies are only just beginning their journey to implement better risk-management practices.
One of the major reasons for the gap between security spending and effective risk management is that many large organizations, even those with significant budgets and well-staffed security teams, still don’t recognize that cybersecurity is a business issue and not just an IT issue. Instead of relegating this important enterprise risk to the already overstretched IT team, businesses should be instating a chief information security officer (CISO) who is empowered to work with the chief risk officer (CRO) and other stakeholders throughout the organization. Together, these individuals can look at the impact of cyber risk across the entire business, identify critical assets, and plan and test effectively.
Rocco Grillo has more than 25 years of experience providing organizations with security and risk management services. As executive managing director of the global Cyber Resilience business at Stroz Friedberg, Grillo is responsible for overseeing and supervising teams that perform cybersecurity, incident response investigation, red team penetration testing, and application security services. Prior to joining Stroz Friedberg, Grillo was the managing director and global leader of Protiviti’s Incident Response and Forensics Investigations practice and helped develop RedSiren Technologies, a leading managed-security services provider that evolved out of Carnegie Mellon.
The CISO advantage
Many organizations—even those that allocate large budgets to IT security—still don’t have a CISO. However, in my experience, a large number of breaches could likely be prevented—or their impact reduced—with basic “blocking and tackling”: better governance, better security practices and processes, a better security culture, and better cyber hygiene.
Often, organizations bury the CISO role in IT, under the misapprehension that security can effectively be managed by spending on tools and technology. And where the role of the CISO expands to address regulatory requirements, many organizations mistakenly take a “check-the-box” approach to compliance. Businesses are doing their CISOs a disservice if they are conducting compliance audits or implementing security technologies in a vacuum.
To establish an enterprise-wide culture of strong cyber-risk management, a CISO needs sponsorship from the executive team and the board, as well as sufficient staff and budget. Even if a company has the newest and most innovative security technology in the world, the human element can be the Achilles’ heel of a security program. Just one colleague can expose the company to risk by, for example, clicking on a malicious link, poorly managing passwords, or lacking training and awareness around social engineering and phishing risks. The CISO must work closely with others across the C-suite to implement processes and policies that help manage such issues that permeate the entire company and that can lead to exposure.
Moreover, CISOs must forge relationships with every function across the organization, so they can embed security considerations into every business decision. And increasingly, CISOs must understand how business strategy and initiatives will impact security measures. For example, they should work with corporate development teams or the chief executive on potential acquisitions, innovation and digital officers on the adoption of new technologies, and the legal team to assess the compliance risks associated with new regulations or the implications of implementing deals based on contracts with new customers. Armed with this knowledge of the business, the CISO is in a more powerful position to work with the risk officer and the finance team to assess and quantify the business’s financial exposure to cyber risk. CISOs can also ensure their knowledge of the organization’s information security posture is reflected in any cyber insurance policies the company purchases.
Given the dynamic nature of cyber risk and the ever-changing nature of business, CISOs need continuous access to the strategic initiatives within the organization. Thus, the board and the chief executive of the company need to set appropriate expectations at the top, making it clear that all departments are required to work constructively with the CISO. The information security team must be involved in strategic conversations early enough to make an impact, not included as an afterthought. Ideally, the board would aim to appoint a member with security advisory expertise, but it at least needs a member who is able to ask the right questions of the CISO and knows what critical assets the CISO is tasked with protecting.
Identifying critical assets
Given security budgets are finite, a key element in ensuring funds are directed most efficiently is identifying the organization’s critical assets and prioritizing resources accordingly. The CISO must lead this effort, working closely with the business leadership to understand where the commercially valuable assets are stored, how they are accessed, and how the business interacts with them.
Critical assets go beyond financial, credit card, or healthcare data. These assets might include manufacturing supply chains, professional services’ people, clients’ information, regulatory data, or trade secrets. Indirect critical assets could be third-party service providers, brand, and, ultimately, the organization’s reputation. Ultimately, the levels of protections should be balanced against the value of assets: businesses should not be using a $1,000 safe to secure a $100 bill, but they also should not just leave that $100 bill sitting out on the counter. Companies need to identify their critical assets and then determine whether those assets are being protected according to their importance. Usually the answer is no.
How to plan and test effectively
Because of the evolving nature of cyber risks and the ever-changing attack landscape, it may be difficult for companies to become secure. And since companies evolve continuously—for example, by implementing new technologies—staying secure is even harder. Planning, then, should address these evolutions and the corresponding shifts in what constitute the company’s most critical assets.
The security posture needs to be assessed, tested, monitored, and rebalanced regularly, and organizations need to be conducting effective cyber due diligence. On a day-to-day or month-to-month basis, companies should be testing their controls—for example, through red teaming and penetration testing. They should also be reviewing what they consider to be the most critical assets, how those assets are being protected, and how those assets could be exploited. Answering these questions requires input from all areas of the business—another important reason that the CISO should be able to navigate across different parts of the company. All these factors and activities should be in the DNA of the company culture.
By normalizing these actions, businesses put themselves in a position to check how they would respond to being compromised, control the damages, and restore normal business operations with limited impact on and damage to the organization. Organizations should also test and regularly update incident response plans with all of the stakeholders from across the organization who would be responsible during an incident. It’s critical that everyone involved knows their role, when to escalate an incident, how to communicate it externally and internally, and when to notify external providers, for example, who are held on incident response retainers.
In the case of a ransomware attack, it is not just a matter of whether or not the organization should pay. The business needs a plan for recovering systems; bringing in a forensics investigator; liaising with law enforcement and legal teams; minimizing business interruption; and communicating to clients, employees, and others. It is also critical to understand the implications for the company’s insurance policy and any exclusions that may apply. Again, all of these planning steps require that multiple stakeholders across the organization are aligned and prepared in advance.
Getting the most out of a CISO
Given the complex and shifting cyber-risk management environment in which businesses of all sizes and across all industries are operating, hiring a CISO is definitely a worthwhile investment. However, it is critical that the CISO and the information security team have the backing of the entire C-suite to implement their goals and protect the business’s critical assets. Only in this way can the CISO be the CEO’s most valuable asset in managing and mitigating the impact of cyber risk across the entire organization.
About the author
Rocco Grillo is an executive managing director at Stroz Friedberg, where he is responsible for the firm’s global Cyber Resilience business.
The author wishes to thank Phil Schneidermeyer for his contributions to this article.
1 Gartner, Forecast: Information Security, Worldwide, 2015–2021, 3Q17 Update, November 8, 2017.
2 James Moar, The Future of Cybercrime and Security, Juniper Research, April 25, 2017.