As cyber security cements its place top of the list of critical priorities for CEOs and the board these days, CISOs need to get better at explaining what they and their teams are doing in simple terms and the broader implications for the business to get the support they need.
A good place to start is trying to imagine what questions business leaders might naturally have to improve their understanding of the current threat landscape and how to respond to it.
For instance, where are these attacks coming from?
According to recent data from Palo Alto Networks cyber research division, Unit 42, almost all cyber events reported by survey respondents could be attributed to just six attack sources:
- Phishing (37%)
- Software vulnerabilities (31%)
- Brute force credentials (9%)
- Previously compromised credentials (6%)
- Insider threat (5%)
- Social engineering (5%)
Interesting numbers, however, to the uneducated they can be misleading.
While ‘insider threats’ make up just 5 percent, they can account for vastly greater damage and loss due to the unique access that staff and other trusted people are typically granted. Within this category, the so-called ‘disgruntled worker’ poses amongst the greatest cyber threat facing any organisation, motivated as they are by revenge, coupled with detailed knowledge about how to inflict the most pain and / or obtain the greatest reward.
Many CISOs are now working more closely with departments like HR to develop so-called behavioural analytics to pay closer attention, say when an employee is passed over for a promotion. HR is also expected to work more closely with CISOs and the tech team to ensure access privileges are revoked when staff leave, and this is something that business leaders need to be alert to and support.
Phishing attacks on the other hand are relatively easy to launch, especially at scale. And of course, most CEOs and board members understand what these sorts of attacks entail, and the importance of improving education to prevent staff from falling victim.
If we look at the next most common source of attack ‘software vulnerabilities’, this is something that senior business leaders need to know more about, given that TAs seem to be finding and exploiting them faster, often with disastrous effects.
Unit 42 reports that a whopping 1 in 3 cyber breaches stem from inadequate patch management, and that TAs take a mere 15 minutes on average to develop payloads that attack CVEs (common vulnerabilities and exposures).
Does your cyber plan look ‘ROSI’?
‘Return on security investment’ or ROSI is emerging as an important area of discussion amongst CISOs and their colleagues in the executive team as the costs of cybersecurity-related activities continues to rise.
Of course, demonstrating ROSI is no easy task and remains very much a work in progress because we’re talking about measuring the value of preventing something from happening.
A good place to start is providing the executive with detailed documentation along with a clear plan that identifies an organisation’s critical assets or ‘crown jewels’. A key part of this involves creating scenarios that run through the circumstances that might lead to such assets being compromised and what it would mean for the business, staff and stakeholders.
Unit 42 reports that it’s often a missing piece in between creating a critical asset inventory and getting business buy-in for that inventory. They recommend presenting the board with a ‘value at risk assessment’ outlining what it would cost, for example, if an asset got compromised by a competitor.
It’s also important that the executive understands what their ‘jewels’ are, which assets TAs are most interested in. Unit 42 further notes that the current top 5 are:
- Source code
- Sales pipeline
- Marketing materials
- Commercially Sensitive Data
Looking again at patching metrics, typically, CISOs will report on the number of patches deployed in a given period. But might it be better to take the number of ‘critical’ patches verses remaining patches and to then report on the estimated time to complete everything, with the ‘actual’ time to report revealed in the next reporting period?
This is likely to resonate more strongly with business or ‘non-security’ leaders.
Spiralling patch management costs might also help CISOs and other tech leaders make the case for the retirement of technical debt, especially as legacy systems attract more scrutiny from government and regulators tasked with addressing cyber threats.
Ideally CISOs and their teams should involve the executive and wider business in the design and execution of ‘fire drills’ or TTX (table top exercises) to develop ‘muscle memory’ and to analyse and refine how everyone would respond in the event of a cyber-attack targeting these or other assets.
Initiating procedures like this helps to reinforce the reality of cyber risk today for the executive and wider organisation.
This all costs money of course, but if CISOs are able to compare this investment with the costs of doing nothing, then it’s more likely they will get the financial and organisational support they need.
Download the Report titled: 5 Security Concerns for CISOs and How to Address Them: here or if you would like to discuss your security requirements to ensure your data and staff are protected email here to get in contact with one of Enablis’ security experts.