One of the toughest challenges facing Chief Information Security Officers is communicating effectively with the board of directors. That raises the question: how can CISOs articulate a comprehensive and sophisticated security strategy to them?
Kudelski Security’s Secure Blueprint SaaS is a business management platform, designed by CISOs and created for CISOs. The software enables security leaders to plan, execute and evolve business-aligned security programs, allowing continuous improvement. It enables security leaders to centralize key management functions, gives them visibility on maturity and risks, and facilitates stakeholder engagement.
See what Frost & Sullivan, the global business consultants, have to say about Kudelski Security’s software:
If you haven’t got three minutes to watch the video, key takeaways include:
- Secure Blueprint measures cyber program maturity and risk by benchmarking an organization's capabilities against cybersecurity control models such as the NIST Cybersecurity Framework or Kudelski Security's own cybersecurity portfolio management model
- Security strategy needs to be communicated to the organization, the C-suite and the board of directors in business language, not tech speak
- The program facilitates and automates stakeholder engagement, taking lengthy quarterly meetings down to just a few minutes
- Secure Blueprint allows the CISO and board of directors to communicate effectively about the security strategy using out-of-the-box executive dashboards
If you’re interested in learning more about Secure Blueprint, click here.
As a refresher, what is the problem in a nutshell?
Security risks now have board-level attention and CISOs struggle to present information about their security program in ways decision-makers can understand.
They need a single solution that allows them to programmatically plan, execute and measure their programs, and the means to show their boards and executive peers the relevant metrics to justify plans and investments.
The challenge, however, has always been creating a centralized view and presenting information in a form that non-technical professionals, such as business leaders and boards of directors, find meaningful.
What is the solution?
The solution is to have a central place for all the relevant data, including plans, priorities, maturity metrics, risks and more. From there you can get a comprehensive view of the whole security program or target individual areas to present just the information of interest to the organization’s leaders.
This would provide the platform for CISOs to track investments, measure and articulate risk, track progress, and translate comprehensive technical information into something that is meaningful and actionable by business leaders.
What does Secure Blueprint look like?
Secure Blueprint is a unique SaaS solution that uses the most common maturity and control frameworks and provides the technical depth to manage a program, going beyond traditional executive cyber reporting.
The software has been designed to give the user a one-of-a-kind experience, delivering business-focused analytics, initiative tracking and dashboards that track your defined key performance indicators. With just a click, you'll have all the information you need to assess current and potential risk and to set maturity targets and goals for every aspect of your program.
Secure Blueprint is a way for CISOs to drive continuous improvement with the end goal of clearly communicating business-focused priorities and outcomes. The platform automatically generates dashboards that track specifics and can be used during presentations to boards and committees to show your program's current state and goals. It clearly shows the past, present and future of your program maturity based on control frameworks. This includes analytics integrated with cyber business maturity benchmarking, so the CISO can not only identify program gaps but also guide investments.
No more manually created charts and no more multi-tabbed Excel sheets: Secure Blueprint is intuitive and easy to use, so you can be confident in showing your program to the board.
What are some key attributes to the program?
According to Gartner, CISOs need dashboards that cover a wide range of aspects. Secure Blueprint is a comprehensive program management platform that includes dashboards. It provides easy visibility into program maturity, program roadmap, initiatives management, investment management, cybersecurity program component heatmap and component management dashboards. Currently, CISOs are forced to build those out manually. Secure Blueprint does all this for them.
The integrated dashboards allow visualization of all these aspects and more. With just a click of the mouse, they can see every relevant detail in a manner that is easy for anyone in the organization to understand, therefore justifying the costs associated with their cyber program.
What else should we know about Secure Blueprint?
You can learn more about Secure Blueprint by clicking here.
Interview by Maxfield Barker, Sr Marketing Coordinator, Kudelski Security
Pressures facing security leaders continue to increase. More and more, industry leaders are viewing the CISO as a risk management business executive, not solely a security leader. CISOs need to drive and communicate a program that is aligned with the overarching business objectives and risk appetite. With the myriad, ever-evolving elements of a comprehensive security program and its associated risks, this is a tall order. Modern CISOs need new software to address these challenges. Thus the invention of Secure Blueprint, a cyber business management platform for cyber leadership.
The following discussion with John Hellickson, vice president of US services at Kudelski Security, describes the driving need and rationale for this new category of security product.
What is Secure Blueprint and where did the idea come from?
Secure Blueprint is a new, innovative approach by Kudelski Security to designing comprehensive, agile and business-aligned security programs. It includes software that enables CISOs to plan, execute and improve programs while keeping alignment with business objectives. It delivers metrics that demonstrate program maturity, areas of priority and risk, so smarter investment decisions can be made, and creates dashboards to enable risk-based story-telling conversations with boards and executive peers.
It’s a well-known fact that boards are being asked to know more about cyber issues, while CISOs are challenged discussing those needs with the board in a way that instills confidence in their security program.
CISOs must now think more like a CEO than ever before, as treating cybersecurity as just another IT function has proven limiting when combating today's advanced threat landscape. Cybersecurity is a critical concern for business and executive leaders at the highest level of all organizations and governments; therefore, bridging the gap between business objectives and prioritizing security investments is essential.
Recently, the C-suite and boards have been expecting more of their cyber leadership in communicating the value of selected security investments, in terms of progress improvements and reduction in business risk as outcomes. This trend is indicative of the C-suite's desire to learn and to increase support for the CISO role in order to prevent a cyber attack. Therefore, CISOs need to develop executive presence, change their mindset and approach, demonstrate decisiveness and agility, and speak in a language that the C-suite understands.
What is the biggest challenge you are addressing?
It’s hard to effectively plan, budget and justify investments if you can’t measure the maturity of your programs and the progress made. And if you don’t have this knowledge, how can you gain the necessary visibility for achieving your strategic goals? And with no ability to understand where ongoing gaps exist and demonstrate progress, how can you instill confidence in your security program and strategy with business leaders?
What does the board need to know?
Well, let’s start with what they don’t need to know. Overly detailed answers that delve into day-to-day security operations may overwhelm or frustrate the board. Unfortunately, this is what CISOs have traditionally provided due to technical backgrounds.
What boards actually need is for the CISO to articulate the security threats relevant to the organization and its industry. Boards want a clear sense of the cyber program's target maturity and how the CISO is closing the gap. In order to deliver this kind of information, CISOs need to be ready to communicate the following:
- State of cyber program maturity and roadmap
- Top industry threats and trends
- Priority 1 initiatives and business outcomes
- High-level, business-oriented cyber risks
- Timely related incidents and their impact on the organization
…which is exactly what our Secure Blueprint platform provides.
So, Secure Blueprint goes beyond just board reporting to helping the CISO with a structurally different approach to building and executing their security agenda.
Board reporting is crucial, though, and can be one of the most difficult aspects to master, for any CISO. But more importantly, you need to both run your cybersecurity program as a business and articulate this in the framework and language that business leaders understand.
Gartner summarizes it nicely in this article, by stating: “Organizations need to develop a strategic planning capability that enables the organization to develop and refine a roadmap of investments that recognizes a continuous change in the business, technology and threat environments.”
Cybersecurity is still a relatively young field, where evolving threats keep best practices fluid; where the intense pressure to deliver grows constantly and where company culture and industry context matter greatly. With so many variables, how can cyber leaders chart a path to success in today’s CISO role?
The solution is to run cyber programs like you run a business. Think of your cyber portfolio more as a business portfolio. Your board will want to know whether your cybersecurity initiatives align with the enterprise's objectives. The CISO needs to measure the cybersecurity program's success. You can do this by blending and measuring qualitative and quantitative risk along with program maturity. The CISO also needs to know which investments make the most of the cybersecurity program. These are some of the things that every CISO should have in mind and be able to communicate on a regular basis.
Put simply, the outcome should be the ability to present a cybersecurity program strategy and progress status to C-suite in a communication method that resonates with an executive audience.
So, what does that solution look like?
Stay tuned for part two to find out!
In our previous Security Automation series post, we identified areas that should be reviewed to allow for the most success with automation. Those areas included identifying the problems, dealing with the environment, and looking for frameworks that can apply a solid foundation for the security program and its automation success. In this post, we will look at how to apply those ideas to start building a security program that is designed for automation to have a key role in the program’s success.
Identifying and Determining Risk
After reviewing the problems your organization is facing, and observing those problems in your environment, the next step is to identify areas of risk and quantify them, to determine the risk level for each set of problems. How do you quantify these risk levels?
- Data gathered from monitoring tools
- Data gathered from business owners
- Internal or external scans
Data gathered from monitoring tools
Using monitoring tools such as SIEMs or log aggregators provides a centralized location for the events happening in your environment. These tools provide vital information about the systems in your environment and serve as the launch point for many processes and tasks; with that vast amount of information in one place, automation has the data it needs readily available and accessible. Simple items such as hostnames, users/groups, IP addresses and application names are things security analysts spend a lot of time gathering, and they are needed for every single event. Having the right monitoring tools along with automation can serve that information up to the analysts automatically for every new event.
Data gathered from business owners
Getting information from business owners, managers or individual teams about how much risk is associated with each product, application or service is crucial to the overall security picture for your organization. This information is often not represented well, because teams do not communicate with each other, the information is not collected on a scheduled basis, or there is no central place to store or visualize it. This is where frameworks and services such as Kudelski Security's Secure Blueprint help organizations determine the risk for each business owner and roll those risks up into the security posture of the organization.
Internal or external scans
Running continuous or scheduled scans of your environment for vulnerabilities, new or removed systems, and network changes allows you to understand what needs attention. These scans and tools give a technical picture of the potential holes in your environment, and allow both the business owner and your security team to determine the risk associated with each system and which process to apply to remediate it. Automation can play a large role with these scans, from running them on a schedule, to moving high-risk systems into a quarantined zone, to remediating systems automatically based on their overall risk score.
Identifying Common Business Issues
As areas of risk come into focus, look across them for commonality, identifying shared challenges and platforms even where they span multiple teams. In large organizations, one of the largest challenges with both security and automation is that teams do not communicate well with each other, often using similar platforms and duplicating work. What common issues are occurring in each risk area?
- Fatigue from overall volume, leading to high mean time to response (MTTR)
- Lack of relevant information, leading to multiple teams responding to same issue
- Lack of documented processes
Fatigue from overall volume, leading to high mean time to response (MTTR)
The large majority of security and IT teams across all verticals deal with alert fatigue, either from not having enough personnel to handle the events, from not properly configuring their security tools, or from not having a well-defined process for handling the events. These problems lead to teams not responding quickly enough, or in some cases not responding at all, with big events getting lost in the noise. It is important to recognize when these teams are having difficulty responding to events in a timely manner, especially when multiple teams must collaborate with each other.
Lack of relevant information, leading to multiple teams responding to same issue
Many security teams spend a large share of their time searching for the information they need to respond appropriately to an incident. Often, multiple teams receive the same event and work on it in parallel, not knowing what the other teams are doing. Building a security environment that has centralized reporting and monitoring, centralized case management, and a mandate from the executive level to communicate with other teams allows the security team to thrive. Adding automated processes to those teams puts more time back into the analysts' workflow, augmenting their skills so they can respond to events more efficiently.
Lack of documented processes
All companies have a process for handling events, whether that is just having an analyst "fix" it or a detailed workflow diagram that is followed religiously. Reliability is the biggest key for security processes: can they be completed over and over, the same way every time? When security teams do not have a reliable, documented process, gaps appear in their ability to handle events. If analysts handle events on their own, they often spend more time on each event, so other events can fall through the cracks, or the same event is not handled the same way the next time. Another key for processes is that they must be flexible enough to change, but those changes need to be documented or version controlled as business needs change.
Designing Processes for Automation
With a solid understanding of the risks, the common issues, and the frameworks that help build the case for automating a task to help better align with a business objective, the foundation is set to allow automation to thrive. Beginning an automation process without these key areas is automating for the wrong reasons, and generally leads to homegrown scripts and applications that require more maintenance than benefit. When starting to design an automated process, some key areas to have mapped out:
- What system(s) is the process targeting?
- What level of human interaction is wanted?
- Reporting success/failures of the process
What system(s) is the process targeting?
Knowing which system(s) a process targets is vital to designing that process for automation. It sets the boundaries the automation must work within, keeping it from moving beyond its intended need. Knowing the target system(s) also gives a better understanding of what information you will need to gather in order to interact with them.
What level of human interaction is wanted?
Automation is not designed to replace your security team, only to augment it. Identify the key points within the process where a human should be involved: approving the workflow to move to the next step, entering a particular device target, or auditing the workflow once it has finished before pushing it back into production.
Reporting success/failures of the process
After building simple or elaborate processes that automation can run and that genuinely assist your security team, there has to be a way to measure the outcomes and map them back into the overall security posture of the organization. Having taken the automation journey this far, feeding those measures back into the organization's overall risk score provides continuity for your security program and its risk posture.
With these areas mapped out, a documented workflow can be automated just by filling in the holes in the workflow with system info and/or adding an analyst approval step. These documented workflows that are being automated allow your team to spend less time getting information and more time responding to the incidents at hand. Don’t have a documented workflow? At Kudelski Security, we have built numerous custom workflows for customers after answering the above questions. Our team thrives on building effective processes for challenging but repetitive tasks, allowing your security team to focus on protecting your business.
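As an added example (not Kudelski Security's code), the small workflow below maps the three design questions above onto code: an explicit allowlist bounds which systems the automation may act on, an approval callback stands in for the analyst gate, and every run is recorded as a success or failure with its time-to-response so the results can be rolled back into program metrics. The event lines, hostnames, users and IP addresses are constructed for illustration.

```python
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample SIEM-style events (hypothetical hosts, users and IPs).
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z host=web-01 user=svc_app src_ip=203.0.113.5 app=nginx rule=brute_force",
    "2024-05-01T10:02:00Z host=db-07 user=dba src_ip=198.51.100.9 app=postgres rule=priv_escalation",
    "2024-05-01T10:03:00Z host=hr-laptop user=jdoe src_ip=192.0.2.44 app=outlook rule=phishing_click",
]

# Question 1: which system(s) is the process targeting? This allowlist is the
# boundary the automation may not step outside of (hypothetical hostnames).
TARGET_SYSTEMS = {"web-01", "web-02", "db-07"}

EVENT_RE = re.compile(
    r"host=(?P<host>\S+) user=(?P<user>\S+) src_ip=(?P<src_ip>\S+) "
    r"app=(?P<app>\S+) rule=(?P<rule>\S+)"
)


@dataclass
class RunResult:
    host: str
    status: str  # contained | rejected | out_of_scope | malformed
    seconds: float
    context: Dict[str, str] = field(default_factory=dict)


def enrich(line: str) -> Optional[Dict[str, str]]:
    """Extract the fields analysts otherwise gather by hand for every event."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def run_workflow(line: str,
                 approve: Callable[[Dict[str, str]], bool],
                 contain: Callable[[str], None]) -> RunResult:
    """One documented workflow: enrich -> scope check -> approval gate -> act."""
    start = time.monotonic()
    ctx = enrich(line)
    if ctx is None:
        return RunResult("?", "malformed", time.monotonic() - start)
    if ctx["host"] not in TARGET_SYSTEMS:  # stay inside the boundary
        return RunResult(ctx["host"], "out_of_scope", time.monotonic() - start, ctx)
    if not approve(ctx):  # question 2: the human interaction step
        return RunResult(ctx["host"], "rejected", time.monotonic() - start, ctx)
    contain(ctx["host"])  # e.g. move the host into a quarantine zone
    return RunResult(ctx["host"], "contained", time.monotonic() - start, ctx)


def report(results: List[RunResult]) -> Dict[str, float]:
    """Question 3: roll success/failure and time-to-response up into metrics."""
    done = [r for r in results if r.status == "contained"]
    summary = {s: sum(r.status == s for r in results)
               for s in ("contained", "rejected", "out_of_scope", "malformed")}
    summary["total"] = len(results)
    summary["mean_time_to_response_s"] = (
        sum(r.seconds for r in done) / len(done) if done else 0.0)
    return summary


if __name__ == "__main__":
    quarantined: List[str] = []
    # Stand-in for the analyst: brute force on the web tier is auto-approved,
    # anything else stays "rejected" until a person signs off.
    auto_approve = lambda ctx: ctx["rule"] == "brute_force"
    results = [run_workflow(e, auto_approve, quarantined.append) for e in SAMPLE_EVENTS]
    for r in results:
        print(f"{r.host:10} {r.status:13} user={r.context.get('user', '-')}")
    print(report(results))
```

Replacing the `auto_approve` lambda with a call into a ticketing or chat approval, and `quarantined.append` with the real containment action, turns the skeleton into a usable playbook while keeping the scope check and reporting intact.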
In the last part of this series, we look at taking security automation to the next level, improving playbooks, and bringing multiple assets into one workflow to improve overall security efficiency.
Do you have full visibility into your cloud applications and platforms? Are all of your cloud assets securely configured and managed? Can you contain and analyze a cloud attack in an automated way?
Cloud security is top of mind for CIOs and CISOs, faced with a changing technology paradigm in which control and security responsibility has become a shared concern. Widespread adoption of software-as-a-service (SaaS) applications and infrastructure-as-a-service (IaaS) platforms as a means of improving business efficiency naturally leads to an increase in the number and frequency of cloud-based cyber-attacks.
Organizations are challenged to transition legacy systems (and the associated legacy IT management or security practices) to newer cloud paradigms, often inadvertently and unknowingly creating security risks in the process. In order to create an integrated, holistic and workable cloud security strategy, CISOs – particularly public-sector and larger enterprises – must reexamine policies and technology choices against an ever-changing and sophisticated threat landscape.
CISOs are faced with a changing paradigm whereby security responsibility in the cloud is a shared concern between the cloud service provider and customer. With shared responsibility, organizations can leverage the security foundation and, in many cases, cloud-native security tools offered by the providers to focus their efforts on securing operating systems, applications, and data. However, customers must clearly understand what their security responsibilities are and not incorrectly assume these activities are being performed by the cloud platform or application provider.
In this second paper of our Reference Architecture series, we consider cloud security and the relevant protection technologies from some of the industry's leading vendors. We use the widely recognized National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) to identify these activities, and categorize them by their respective components from Secure Blueprint, our strategic approach to cybersecurity program management.
To fulfill these cloud security activities and address cloud risks, we highlight cloud protection technologies from leading vendors that work in concert with the native security services from leading IaaS and SaaS providers. We take a clean-sheet approach that presupposes no existing cloud security or management technologies. However, we recognize that most organizations do not start with a blank slate, and in some cases, alternative technologies to the ones that we have highlighted may make more sense based on current IT investments, business needs, regulatory considerations, etc. Organizations can also compare their incumbent risk management activities and technology solutions to identify gaps in their existing cloud protection.
Our aim is to help you make smart technology decisions in an ever more crowded and noisy cloud security market.
To better understand your cloud risk posture and identify gaps that may exist with your current cloud protection technologies, click here to read our Cloud Security Reference Architecture.