by Graeme Payne | Nov 8, 2022 | Advisory Services, CISO
Over the last few years, there has been increasing interest by CISOs and business leaders in cybersecurity risk quantification. Many of the CISOs we are working with are keen to connect security risk to the language of business. In this article, Graeme Payne reviews how cyber risk quantification and decisioning can be used to communicate cyber risk more clearly and accurately to the business, including:
- Pitfalls of the traditional approach to communicating cyber risk
- The shift to cyber risk quantification and decisioning
- Where to start your cyber risk quantification journey
- Why now is the time to start
Cybersecurity risk is now ranked by Global CEOs as the top threat to growth. The increasing digitization of business, expansion of digitized data, and high reliance on technology have created many opportunities for threat actors to attack companies’ systems and data.
While senior business leaders and Boards of Directors intuitively understand that cybersecurity is a key risk, they are challenged to evaluate it in relation to other risks such as credit, liquidity, and market risk. At the same time, security leaders want to be able to communicate risk in business terms.
Understand the evolving roles, skillset, and practices of the CISO in our research report “Recommendations to Address the Security Leadership Talent Gap”
Pitfalls of the traditional approach to communicating cyber risk
The traditional approach to communicating cyber risk has been to use ordinal scales for determining the likelihood and impact of a risk, for example, 1 (low) to 5 (high). Risks are then plotted on a risk grid so that management can visualize the relative severity of the risks facing the organization.
In their book How to Measure Anything in Cybersecurity Risk, authors Douglas Hubbard and Richard Seiersen point out many of the pitfalls of using these techniques. Pitfalls of the traditional approach to communicating cyber risk include:
- Heavy reliance on the subjective judgment of the risk assessor to determine likelihood and impact
- A greater tendency to inflate risk due to the uncertainty of measurements
- A perception that risk measurements are based on a scientific approach, which provides a “placebo effect”
- A lack of evidence that traditional risk scoring and risk matrices improve cybersecurity decision making
- A belief that some elements cannot be measured, or are too few to be representable
Instead, they argue for a more quantitative approach to measuring cybersecurity risk.
The shift to cyber risk quantification
There are multiple approaches and tools available to help CISOs in quantifying cybersecurity risk. Kudelski Security has teamed up with X-Analytics, a leading provider of cybersecurity risk decisioning services. X-Analytics is a patented and validated cyber risk decisioning platform that is changing how executives, boards, and the risk management industry understand and manage cyber risk.
X-Analytics leverages a combination of firmographic data about the organization and historical cybersecurity incident data to deliver financial metrics that enable better cyber risk decisions. Key factors addressed in the model include:
- Threat
- Impact
- Inherent risk
- Control effectiveness
- Residual risk
- Loss categories
The model also allows for “what if” simulations to model potential investment returns in evolving the security program.
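As an added example (not the article's own code and not X-Analytics' model), the following Python sketches the kind of quantitative model Hubbard and Seiersen advocate: a calibrated estimate (annual probability plus a lognormal impact range) is turned into financial metrics by Monte Carlo simulation, and a “what if” comparison prices a control investment against the risk it removes. The scenario names, probabilities, loss figures and control cost are constructed for illustration.

```python
"""Quantitative cyber risk model: calibrated inputs -> financial metrics -> what-if.
Illustrative code added to this page; not the vendor's model. All figures constructed."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario as a calibrated estimate rather than a 1-to-5 score.

    annual_probability: chance the event occurs in a given year.
    median_loss / sigma: lognormal impact parameters (losses stay positive and
    right-skewed, which matches incident cost data better than ordinal scales).
    """
    name: str
    annual_probability: float
    median_loss: float
    sigma: float


# Constructed inputs: a ransomware scenario before and after a hypothetical control.
RANSOMWARE = Scenario("ransomware", 0.30, 1_000_000.0, 0.8)
RANSOMWARE_MITIGATED = Scenario("ransomware after segmentation", 0.15, 1_000_000.0, 0.8)
CONTROL_ANNUAL_COST = 120_000.0  # assumed yearly cost of the control


def expected_annual_loss_analytic(s: Scenario) -> float:
    """Closed form: ALE = p * E[loss], and E[lognormal] = median * exp(sigma^2 / 2)."""
    return s.annual_probability * s.median_loss * math.exp(s.sigma ** 2 / 2)


def simulate(s: Scenario, years: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo over many simulated years; returns board-level financial metrics."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        if rng.random() < s.annual_probability:
            losses.append(rng.lognormvariate(math.log(s.median_loss), s.sigma))
        else:
            losses.append(0.0)
    losses.sort()
    return {
        "expected_annual_loss": sum(losses) / years,
        # a "1-in-20-year" loss: the 95th percentile of annual loss
        "loss_95th_percentile": losses[int(0.95 * years) - 1],
        "prob_loss_exceeds_1m": sum(1 for x in losses if x > 1_000_000) / years,
    }


def what_if(baseline: Scenario, mitigated: Scenario, annual_cost: float,
            years: int = 20_000, seed: int = 7) -> dict:
    """Compare a control against the baseline using the same random draws for
    both (common random numbers), so the gap reflects the control, not noise."""
    rng = random.Random(seed)
    base_total = mit_total = 0.0
    for _ in range(years):
        u = rng.random()          # shared event draw
        z = rng.gauss(0.0, 1.0)   # shared severity draw
        if u < baseline.annual_probability:
            base_total += baseline.median_loss * math.exp(baseline.sigma * z)
        if u < mitigated.annual_probability:
            mit_total += mitigated.median_loss * math.exp(mitigated.sigma * z)
    base_ale, mit_ale = base_total / years, mit_total / years
    reduction = base_ale - mit_ale
    return {
        "baseline_ale": base_ale,
        "mitigated_ale": mit_ale,
        "risk_reduction": reduction,
        "net_benefit": reduction - annual_cost,
        "return_on_control": (reduction - annual_cost) / annual_cost,
    }


if __name__ == "__main__":
    print("analytic ALE:", round(expected_annual_loss_analytic(RANSOMWARE)))
    for k, v in simulate(RANSOMWARE).items():
        print(f"{k}: {v:,.0f}" if v > 1 else f"{k}: {v:.3f}")
    for k, v in what_if(RANSOMWARE, RANSOMWARE_MITIGATED, CONTROL_ANNUAL_COST).items():
        print(f"{k}: {v:,.2f}")
```

The metrics the simulation returns (expected annual loss, a 1-in-20-year loss, the probability of exceeding a threshold) are the kind of figures a Board can compare with an insurance limit or a capital reserve; the what-if result expresses a control's value as risk reduction net of its cost, which is what "investment return" means in a quantified model.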
When to use a cyber risk decisioning platform
The adoption of cybersecurity risk quantification is a journey. In working with our clients, we have identified several use cases for when to use a cyber risk decisioning platform.
Evaluating cyber insurance and self-insurance
The relatively immature nature of the cybersecurity insurance market has resulted in the insurance industry experiencing high losses. Consequently, insurance premiums, underwriting standards, and contract exclusions have all increased. In some cases, organizations are deciding to self-insure their cyber risk.
Using X-Analytics we have been able to help our clients through this decision process and optimize the insurance spending and capital allocation needed to address the overall cyber risk.
Justifying and prioritizing cybersecurity investments
By measuring the amount and range of potential financial impacts resulting from cybersecurity risk, the senior management, Board, and CISO can now engage in a discussion about cyber risk appetite and risk tolerance expressed in financial terms.
Now investments to reduce financial exposure can be considered alongside other investments that generate revenue or reduce risk. Armed with quantified financial dashboards and metrics, the key stakeholders are all using the language of business to discuss cyber risk and return on investment.
X-Analytics provides “what if” analysis features that allow a range of investment options to be considered and measured.
Evaluating a potential acquisition
When a company is considering an acquisition, it is often difficult for the security leader to evaluate the potential risks inherent in the acquisition. Due diligence is often limited, and there is a lack of detailed information to really understand cyber risk. Using a risk quantification platform can provide a quick analysis of the potential cyber risk that the organization may assume if the acquisition is completed.
Evaluating the impact of specific threats
Cyber risk quantification analysis allows the security leader to focus on the potential financial impact of specific threats. For example, Boards of Directors are very interested in the company’s exposure to ransomware. Using a tool like X-Analytics allows the security leader to provide a specific financial quantification of that risk profile. Management can then evaluate whether the analyzed risk is acceptable or, if not, what mitigations need to be implemented to reduce the risk to an acceptable level.
Communicating cyber security program effectiveness
As the senior management and Board become accomplished in understanding and using a risk quantification model for cyber risk, the security leader can now use it to measure and report on the overall security strategy and program. As changes occur in the threat landscape and business environment, these can be seen in changes in the loss estimates. Similarly, as investments are made in security controls and processes, the payback in terms of reduced risk exposure can be measured and reported in financial terms.
Where to start your cyber risk quantification journey
We have four tips to help security leaders get started on their cyber risk quantification journey:
- Get comfortable with the risk decisioning model.
- Socialize the model with peers.
- Integrate the decisioning model into your overall risk framework.
- Leverage the model to communicate the organization’s overall risk profile.
Get comfortable with the cyber risk decisioning model
First, the security leader needs to be comfortable with the risk decisioning model and the underlying assumptions. They don’t need to be a financial expert but understanding the basic inputs and drivers of any model is important. Experiment with different assumptions and inputs to understand the model sensitivity and drivers. Leverage experienced consultants to help ramp up quickly.
Socialize the cyber risk decisioning model with peers
Second, socialize the risk quantification model and dashboards with peers. Finance, insurance, and other risk professionals in the organization will want to understand the model. Start with one of the use cases described above and build from there. For example, use the model to help with your next cyber insurance review.
Integrate the decisioning model into your overall risk framework
Third, find ways to integrate the risk decisioning model into your overall risk framework. Consider how it can be used to help in managing your risk register, determine risk impacts, and evaluate risk treatments.
Use the “what if” analysis tools to help evaluate the efficacy of risk treatments. Expand the tool to measure risks at a business unit level. Use it to measure and manage supply chain risks.
Leverage risk quantification and decisioning to communicate overall risk profile
Finally, leverage risk quantification and decisioning to communicate the overall risk profile of your organization to your Board and senior management. Use the tools and models to help in your discussions of risk appetite and risk tolerance. Align your security investments and strategic roadmaps with the risk profile to demonstrate how investments in developing and maintaining capabilities are providing a payoff in risk reduction.
Why now is the time for cyber risk quantification and decisioning
In Cyber-Risk Oversight 2020, the National Association of Corporate Directors provides the following guidance:
“To address these increased expectations, companies need to understand the financial impact associated with cyber-event risk. Boards of directors and management are also expected to demonstrate to investors due care in the governance and oversight of cyber risk…. Leveraging these mathematical and scientific methods for improved analyses can allow for more effective decision making compared to qualitative types of risk scoring and heat map risk reporting.”
Regulators such as the Securities and Exchange Commission and investor groups are also calling for increased disclosure of cyber risk, including understanding the financial implication of cyber risk.
Now is a great time for security leaders to step forward and take the lead in cyber risk quantification. I would encourage security leaders to start experimenting and getting comfortable with cyber risk decisioning.
To get started on your cyber risk quantification and decisioning journey, get in touch with our advisory services team here.
by Kudelski Security Team | Nov 2, 2022 | CISO, Cyber Resilience, Incident Response
Building an effective cyber incident response plan requires more than having the right tools in place or engaging the right cyber incident response services. As a security leader, you’re responsible for building the right security foundation and fostering a culture of teamwork and open dialogue during a crisis. Summarizing a recent webinar, this article will explain:
- 3 Common Pitfalls in Cybersecurity Incident Response
- 8 Practical Tips for Building an Effective Incident Response Team
- 4 Technical Fixes to Reduce the Likelihood of a Breach
It almost goes without saying that everything is connected to the internet these days. It’s a business enabler and a necessity in the global economy. But it’s also a playground for cybercriminals.
The good news is that the impact of cyberattacks like ransomware can be minimized or entirely prevented with an effective incident response plan in place. And it doesn’t require fancy techniques like AI and machine learning. Don’t get me wrong: AI and machine learning can help detect attacks, but they are frequently overrated. They won’t do the job we would all like to think they can do.
Based on our team’s experience investigating breaches for clients, here are the common pitfalls we see CISOs fall into during an incident and some practical tips for avoiding them.
Three Common Pitfalls in Cybersecurity Incident Response
There are three characteristics that come up again and again in organizations that experience an incident, and they are all totally avoidable.
#1 Speed-Based Trust – Thinking Security Vendors Will Do the Full Job for You
Collectively, we have a culture of outsourcing trust. Where we used to trust our peers or institutions, we are now in an era of outsourced, “speed-based” trust. We assume trust in exchange for convenience.
Just as we trust Uber to get us to the right location safely, we trust our security vendors to keep our organizations safe. None of these security vendors, however, can fully address our security issues. We’re going to have gaps.
We call this a Swiss Cheese Model of security. While an MSSP or EDR solution may have you covered when it comes to detection and response, you’re still going to have to assume responsibility for applying patches to close any backdoors that may go undetected and ensure that your systems have secure configuration.
#2 Not Doing the Basics (It Was Never Going to End Well for the Titanic)
Almost worse than the Swiss Cheese Model of security is the Cyber Titanic Model. In the Cyber Titanic Model, you believe you have built a ship that can’t sink. You believe so much in the tools you have invested in, that you let your guard down. Maybe you even relax your security requirements.
Eventually, the boat will sink, and you will not be prepared.
Investing in endpoint detection and network security makes sense, but you need to balance it with basic security practices. If you don’t have a solid foundation of patching, configuration, segregation and hardening, you will just be investing in a sinking boat. Too many times we see breaches that could have been prevented if the basics were in place.
#3 Not Understanding Where to Harden vs. Add New Solutions
To put a finer point on this, detection technology isn’t the end-all-be-all when it comes to preventing an attack. Often security vendors will use the MITRE ATT&CK framework to show you how much coverage they can give you across the phases of an attack. This can be helpful but also misleading.
Detection is not the only way to prevent attacks. You can also use MITRE ATT&CK to understand where you need to harden your systems so that breaching your security at each phase of an attack becomes harder or impossible in the first place.
Watch the webinar “Common Pitfalls Every C-Level Should Know About – Stories From Our Incident Response Team”
Tips for Building a More Effective Incident Response Team
Building a more effective incident response team requires more soft skills than technical skills. Leadership, communication, and policy are critical to improving response outcomes. Here are my top tips.
#1 Understand Organizational Bias
We all have bias because we have experience in certain areas and blind spots in others. Having bias is not the issue. It becomes a problem when you do not recognize the bias.
As a CISO, you will have to understand the bias of your team. They may have a limited view of an issue because they are specialized in a specific area of security. You need to identify the biases, articulate them, and map them. This is foundational to addressing incident response blind spots.
Watch out, especially for the more expert or senior team members who may be very confident in explaining an issue, but don’t have the whole picture.
#2 Bridge Skills to Avoid Bias
One way you can break through the bias is by bringing different teams together to solve a problem. Ask questions that require teamwork to answer. Instead of “Are we secure?”, ask “How bad could it get?”
Then put together a purple team to work together to create a joint report with agreed-upon points of action. This creates a culture of exchange. Teams with better communication will be much better equipped to respond in a crisis situation.
Left unaddressed, bias can cause the organization to focus on a very narrow component of security without addressing the entire ecosystem.
#3 Develop KPIs with Value
Bad KPIs run rampant in security. Security can be hard to report on. But because we want to prove our value, we end up reporting on KPIs that don’t actually mean anything.
We say we blocked one million attacks on our firewalls, or we processed three trillion events because we want to look like we are effective. But what do these numbers actually tell us? If we say we blocked one million attacks on a firewall, all that communicates is that we configured a firewall. If you’re asked for those numbers, challenge the requester, and ask what they’re really trying to understand.
Instead, I recommend going smaller and more actionable with your metrics. Rather than how many attacks we blocked, try reporting on metrics like these:
- # of common attack vectors removed
- # of new techniques added to detection coverage
- % decrease in the attack surface
#4 Shrink Your Digital Footprint
Think about all the data stored in email, your Google accounts, and your mobile apps. All that data can be exfiltrated. Reducing your personal and corporate digital footprint also reduces the impact of a successful attack.
When data is no longer needed, delete it rather than archive it. If you have a legal requirement to keep the data, encrypt it and store the keys off the server. Encrypted data leaks have little to no impact on security, as long as the secret keys remain secret!
Further, how you store data is important. If you have a document on SharePoint called “Insurance Policies” or “Digital Assets Value”, you are giving an attacker a flashing arrow to the documents they need to hold you ransom. If they know your insurance policy is for one million dollars and that one day of disruption would cost your company ten million dollars, they know exactly what to ask for.
#5 Augment your team
Major incidents require more work than your day-to-day security operations. It would be difficult to scale your internal team for such a situation.
Bringing in external partners can help augment your incident response team. Remember to look beyond security when it comes to team augmentation. Your incident response plan will likely include system administrators, cloud administrators, etc.
As a rule of thumb, if you don’t have a dedicated team member working on a required security discipline on a monthly basis, you may need to find an external partner in the event of a breach. While thinking about this, don’t forget your IT. You’ll need to augment your IT operation capabilities. Rebuilding an infrastructure can absorb a lot of resources.
There are different options: emergency response support, and preparation and resilience support. The best option to go for is usually a 24/7 incident response retainer, because you have guaranteed response support when things go wrong. It’s a safe investment – many companies will ensure the retainer can be reassigned to another program if it is not spent on incident response services.
#6 Explore Different Response Paths
There is no one-size-fits-all incident response plan. It is up to you, the CISO, to explore different paths and choose the one that will work the best for the organization. In some cases, it may make sense to choose the plan that results in the least business impact. In other cases, it may make sense to err on the side of security.
Augmentation, as mentioned above, can help your team move faster and work on steps in parallel. After all, your incident response process should not be linear; that will only slow things down. If you do augment your team with an external partner or security provider, carefully consider their recommendations and the tradeoff between value and cost.
For example, forensic disk imaging might make sense as part of the plan, but it could overwhelm your IT team with time-consuming tickets. Additionally, security providers may take advantage of an organization’s desperation during an incident, knowing they’ll do anything to get the business back up and running.
Challenge every recommendation and request. Look at the types of requests, the costs, and the hours associated. Ask “Is this really necessary?” or “Could we do this differently?” Explore all the different response paths and choose a way forward.
#7 Foster Open Dialogue
Creating a culture of open dialogue during an incident is incredibly important. If people are afraid to speak up or ask questions, you will not be able to accurately assess the team’s understanding of the issue at hand. There are a number of reasons a team member may not feel comfortable asking questions:
- Fear of looking stupid
- Tensions within the team
- Power dynamics created by an authority figure or expert
“Asking questions may mean that you don’t understand something. But not asking questions, will mean that you remain ignorant.”
As a CISO, you need to be able to spot this behavior and act on it very quickly. You must ensure that everyone has the right level of understanding to do their work. It’s how you will turn an incident into a constructive, rather than destructive, experience where everyone is learning from each other.
#8 Show Your Appreciation
Breaches are stressful for everyone in the organization. As a C-level, you can send signals to your team that you understand the toll an incident takes on them and their families.
It could be as simple as providing food, drinks, and a place close to the office for the team to stay. For remote employees, you could provide a meal of their choice for themselves and their family. It sends a really strong message that you appreciate the work that they (or their mother, father, or spouse) are doing to help the organization. These types of signals can change the mood.
Learn more about Kudelski Security’s Incident Preparedness and Cyber Resilience advisory services
Four Technical Fixes to Reduce the Likelihood of a Breach
In addition to the nontechnical guidance above, I’d like to leave you with four of the low-hanging technical fixes that could significantly reduce the likelihood of a breach. In 70% of the cases we’ve investigated, one of these four best practices was missing.
#1 Proper Segmentation
Often in breach scenarios, we find the organization has a flat network, which makes it much easier for the threat actor to move through.
#2 Zero Trust
Understand the zero trust framework and how to apply it in your organization. Achieving zero trust won’t happen overnight. It’s very iterative work, so be patient.
#3 Timely Patching / Emergency Patching
Threat actors will quickly be there to exploit new vulnerabilities. For that reason, it’s important to have an emergency patching plan in place. Ask yourself “Do I want to have an operational issue or a security issue? Would I rather have a system down or data leaked?”
#4 Configuration
Misconfiguration can have a huge impact, and so, proper configuration can also have a huge impact. Sometimes it’s just a small detail that is overlooked that would allow an attacker to gain access to something they shouldn’t.
Download the Infographic: 15 Practical Tips for More Effective Cybersecurity Incident Response
Get in Touch
It is my hope that if you follow the advice presented in this article, that you will never need our services. However, if you do experience a breach or if you would like a pre-emptive review of your current configurations, architecture, or incident response plan, please get in touch with our incident preparedness and response team here.
by Ernie Anderson | Oct 13, 2021 | CISO
Ernie Anderson, Head of Professional Services at Kudelski Security, knows a thing or two about enabling the CISO to fulfil their mission. Because the CISO role is one of the most difficult jobs in the cybersecurity industry, a CISO needs lieutenants to build an effective security team. With a lack of funding in companies’ security programs and rampant attacks around the globe, it takes more than just industry knowledge to excel as a deputy CISO. Ernie recently sat down with Security Magazine to talk about the importance of a deputy CISO. Read his interview in Security Magazine’s 5 Minute CISO Q&A below.
Security: What is your background, current role and responsibilities?
Anderson: I have nearly 20 years of professional experience in cybersecurity consulting, including extensive work with CISOs and CIOs across multiple industries to define cybersecurity strategies and establish risk-driven cybersecurity programs. Before joining Kudelski Security, I was the North America practice lead for IBM’s Data and Application Security Services and have worked at Booz Allen Hamilton and Ernst & Young.
Currently, I lead Kudelski Security’s portfolio of professional and consulting services, including our CISO advisory consulting, technology and staff augmentation. Our services teams partner with CISO clients to help them define and execute a more strategic approach to their cybersecurity business. That includes project engagements and long-term support agreements that help define security strategies, deploy and optimize technologies, and provide skilled subject matter expertise.
Security: CISOs can have (arguably) the most challenging jobs on the organizational chart. Why is this the case, in your opinion?
Anderson: There are a variety of trends that have made the job of CISO one of the most difficult within a business. Companies have finally started putting more investment into security and risk management programs, so CISOs have a wider range of responsibilities, including being part of the executive team and more frequent reporting on progress to other leaders and the board (and taking the heat if sufficient progress is not made). There is increased pressure on CISOs to protect companies against increasing cyberattacks and risks, particularly when ensuring the remote or hybrid workforce is able to access company networks securely. And many CISOs still lack the resources they need, whether it’s security tools or people.
Security: Why is a deputy CISO critical to addressing security risk management?
Anderson: Given all the challenges CISOs face and increasing responsibilities on their plate, having lieutenants or deputy CISOs is critical for an effective security team. Not preparing people to be able to take on the role of deputy CISO has created a virtuous cycle – there’s no one to take the CISO’s place when they leave an organization, and the organization must then look to hire someone with experience from outside the organization, thus taking a CISO from another company. This is especially critical given the short tenure of CISOs – an average of two years. CISOs need to prioritize finding and training security deputies from within their organization and start early – it can take up to four years for someone to be fully trained to take on the role.
Security: What skills/qualities should a deputy CISO have?
Anderson: As the role of the CISO evolves, so too do the skills they need to succeed. Modern CISOs need business acumen to understand business processes and their organization’s goals, as well as the soft skills of relationship management and communication to effectively communicate risks and the importance of security to executive leaders and other key organizational stakeholders. Many CISOs are also more visible internally and externally, so they need the ability to lead people with a diverse group of skillsets, coaching skills to train and mentor deputies, and a commitment to continually developing their skills to stay on top of the latest security management practices and tools.
Someone moving into the role of a deputy CISO needs to understand all the skills and qualifications required of a CISO to support them. That starts with understanding the domains typically overseen by CISOs – from security operations and identity management to risk and governance and regulatory and compliance issues.
Think of a deputy CISO like an understudy in a play – they must develop the skills to take on the CISO role when needed. For example, while a CISO is responsible for managing risk at the highest level of an organization by overseeing people, strategy and technology, a deputy could be expected to support that by managing risk across different security domains.
by Jason Hicks | May 28, 2021 | CISO
No matter how good a CISO is, there aren’t enough hours in the day to handle the myriad of new responsibilities that have been thrown at them. To be effective and ensure a strong security posture, CISOs need a lieutenant to head up each domain that falls within their scope.
Given all the challenges CISOs are likely to face moving into the new year – from supporting a permanent remote workforce and accelerating digital transformation to preparing for an expanded threat landscape – it is more critical than ever that they bring on strong deputy CISOs.
2021: The year of the security lieutenant
Every year we talk about the shortage of cybersecurity personnel, but it is a challenge that continues to put pressure on companies generally and CISOs specifically. One of the biggest reasons for that challenge in the security industry is the lack of effective grooming for future leaders. When organizations need to hire a CISO, they generally have to look outside for a candidate with prior experience in the role. If this trend continues, the industry will be hard-pressed to ever overcome the shortage of qualified security leaders.
This year, the skills gap will be especially acute for small and medium-sized businesses who cannot afford to hire or retain the right candidate. That is why finding and training security lieutenants from within needs to be a priority, both for CISOs to be successful in their role and to ensure their organization has qualified individuals who can take the reins as CISOs of the future. Further, that training needs to start early since it can take an average of three to four years.
Mastering the lieutenant role
Deputy CISOs serve as the second in command, helping CISOs identify, track and respond to current security risks and oversee the implementation of new processes and strategy.
There are eight vital competencies that every security lieutenant – junior or otherwise – needs to master:
- Understand the business. Security is different for every company. It is about mitigating risk, and if a lieutenant doesn’t fully understand the business’ crown jewels, they’ll waste a lot of time chasing down the wrong perceived risks. Lieutenants should spend at least a few weeks working on the front lines of the business to ensure they have a good understanding of how the organization’s systems are used in the real world.
- Support the CISO in managing risk across security domains. This should be a given – managing risk is a huge part of security, and deputies should be heavily involved in this function.
- Maintain lines of communication across regions and business units. For a long time, the security team has been siloed and kept separate from other company departments. It is time to break down those silos. Collaboration between the security team and the rest of the organization is a must, both to advance security objectives and to improve the overall health of the organization.
- Oversee the implementation of security controls and policies. Every security deputy should have the technical knowledge and experience to identify and oversee the implementation of suitable security controls and policies starting with basic hygiene. Identity and access management (IAM) plays an important role, and lieutenants need to take the lead to ensure assets – from people to data – are kept safe.
- Listen to business needs and look for ways to support them. Security should never be seen as a ‘blocker,’ but more as a business enabler. Security leaders and deputies should promote security by proactively building relationships across the organization and being able to explain how stronger security also supports business objectives.
- Always be ready to embrace change. Change is a constant theme in security, and professionals should never shy away from it. They should drive cultural change based on risks and employee behavior and promote security throughout the organization.
- Understand technology, risk, security and organizational context. Most security professionals are highly technical; however, far fewer have a deep understanding of how security fits into a wider business context. Even fewer have first-hand experience measuring, tracking and managing security risk in an evolving business environment.
This mixture of skills, knowledge and experience is critical. CISOs should choose deputies who actively work to develop these areas throughout their careers.
- Educate the organization on cyber risk and readiness. Breaches from human error have cost companies $3.50M in 2019 alone, which can be at least partially attributed to the majority of employees’ lack of understanding about security and how their actions affect the security of the organization. Creating an enterprise-wide security culture is something all security professionals should strive to achieve, and it’s particularly important for security leaders.
Security isn’t something that can be achieved by the CISO alone. It requires the support of the full security team and the whole business. Through 2021, we will see how organizations and security leaders will start to include in their plans how to reduce the talent gap and leverage internal talent to train security lieutenants.
The next generation of security leaders will need to take every opportunity to educate their colleagues about security best practices and cyber risks, and to explain how security enables business outcomes. Doing so helps them grow their own skills and, ultimately, protect every entry point into their organization.
This article was originally featured in Cybersecurity Magazine.
by Jason Hicks | Mar 30, 2021 | CISO
This article originally appeared in Cyber Security Magazine as The CISO Legacy: Security Lieutenants. For additional CISO tips and strategies for closing the cybersecurity skills gap and preparing future security leaders, download Kudelski Security’s Executive Research Addressing the Security Leadership Talent Gap.
by Andrew Howard | Mar 9, 2021 | CISO, Cybersecurity
The security industry has faced a variety of challenges throughout 2020. The pandemic put pressure on security and IT operations and shone a spotlight on underlying issues many organizations were facing in terms of their digital transformation and security posture. If that wasn’t enough, the threat landscape also shifted and is now more volatile than ever.
As security leaders prepare to handle what lies ahead in 2021 and beyond, there are three key trends they should pay special attention to: the increase in adoption of policy-based security models, new ransomware threats and greater utilization of artificial intelligence.
Adoption of policy-based security models
The prospect of moving an onsite workforce to a remote setting had a huge impact on many organizations, as they realized they weren’t ready for such a dramatic shift. Moving to remote work due to COVID-19 exacerbated the shortcomings of the traditional enterprise perimeter security model. This led to more organizations choosing policy-based security models, such as Zero Trust, to ensure the protection of their employees while remote work continues to be a norm.
As remote work becomes normalized beyond the pandemic, a Zero Trust model, rather than equating trust with a corporate network location, analyzes information about the user, data, applications and devices to contextualize security risks and dynamically adapt access rights. Successful adoption will depend on organizations fully integrating the various tools within their environment, from authentication systems and network security appliances to endpoint detection and response.
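To make the contrast with the perimeter model concrete, the following is an added example (not code from the article or from any Zero Trust product) of a context-based access decision. The signals (MFA strength, device management and compliance state, data sensitivity), the risk weights and the thresholds are all constructed for illustration; a real policy engine would pull these from the identity, endpoint and data-classification tools the paragraph mentions. Network location is carried in the context but deliberately never consulted, which is the point the paragraph makes.

```python
"""Context-based access decision in the Zero Trust style (added example).

All signals, weights and thresholds below are constructed for illustration;
they are not from any real policy engine or product.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class AccessContext:
    user_role: str             # role asserted by the identity provider
    mfa: str                   # "none", "otp" or "phishing_resistant"
    device_managed: bool       # enrolled in endpoint management
    device_compliant: bool     # patched, disk-encrypted, EDR healthy
    on_corporate_network: bool # present in the context, ignored by design
    data_sensitivity: str      # "public", "internal" or "confidential"


# Hypothetical risk contributions per signal (higher is riskier).
MFA_RISK = {"none": 40, "otp": 15, "phishing_resistant": 0}
UNMANAGED_DEVICE_RISK = 30
NONCOMPLIANT_DEVICE_RISK = 25

# Hypothetical maximum tolerated risk per data classification.
MAX_RISK_FOR = {"public": 70, "internal": 40, "confidential": 15}


def risk_score(ctx: AccessContext) -> int:
    """Combine user, device and authentication signals into one score.

    ctx.on_corporate_network is intentionally not used: location is not trust.
    """
    score = MFA_RISK[ctx.mfa]
    if not ctx.device_managed:
        score += UNMANAGED_DEVICE_RISK
    if not ctx.device_compliant:
        score += NONCOMPLIANT_DEVICE_RISK
    return score


def decide(ctx: AccessContext, entitled_roles: FrozenSet[str]) -> str:
    """Return "deny", "read_only" or "full".

    Least privilege first: a role that is not entitled to the application is
    denied regardless of how healthy the session looks. Otherwise the access
    level is adapted to the risk score relative to the data's sensitivity.
    """
    if ctx.user_role not in entitled_roles:
        return "deny"
    limit = MAX_RISK_FOR[ctx.data_sensitivity]
    score = risk_score(ctx)
    if score > limit:
        return "deny"
    if score > limit // 2:
        return "read_only"   # step-down rather than all-or-nothing
    return "full"


# Constructed scenarios for a hypothetical finance application.
FINANCE_APP_ROLES: FrozenSet[str] = frozenset({"finance", "audit"})

SCENARIOS: Dict[str, AccessContext] = {
    # On the corporate network but from an unmanaged, non-compliant laptop:
    # the perimeter model would trust this session, Zero Trust does not.
    "corp_net_unmanaged": AccessContext("finance", "otp", False, False, True, "confidential"),
    # Remote, managed and compliant device, phishing-resistant MFA.
    "remote_healthy_strong_mfa": AccessContext("finance", "phishing_resistant", True, True, False, "confidential"),
    # Same device posture but weaker MFA: access is reduced, not removed.
    "remote_healthy_otp": AccessContext("finance", "otp", True, True, False, "confidential"),
    # Wrong role: denied even with a perfect session.
    "wrong_role": AccessContext("engineering", "phishing_resistant", True, True, False, "confidential"),
}


def run_scenarios() -> Dict[str, str]:
    """Evaluate every constructed scenario against the finance app policy."""
    return {name: decide(ctx, FINANCE_APP_ROLES) for name, ctx in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} -> {verdict}")
```

The weights are the part an organization tunes; what should not change is the shape of the decision: entitlement first, then a per-sensitivity risk ceiling, with a reduced-access tier so that a weaker but still legitimate session is constrained rather than simply rejected.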
Increase in data breaches and ransomware attacks
Attackers are constantly changing their methods, resulting in new and evolving risks. It is important for companies to be prepared and aware of new threats to stay ahead of them and protect their data from any potential compromise.
Looking ahead, companies should expect to see an increase in ransomware, with bad actors increasingly threatening to expose the encrypted files if victims refuse to pay a ransom. Organizations have begun to do a good job of building, testing and operationalizing their office backup strategies to mitigate the risk of ransomware. Unfortunately, most of these organizations have failed to mitigate the actual risk: if data has been compromised before, whether directly from the company or through third parties, threat actors will still be able to gain a foothold in the company’s assets. The focus moving forward should be on ensuring robust backup and data recovery strategies that also address the systemic weaknesses attackers are exploiting.
We’re also going to see a considerable increase in the use of illicit OAuth 2.0 grants to compromise accounts. In general, organizations have created better phishing awareness programs, increased multifactor authentication, and created rules to detect anomalous logons; in response, attackers have shifted to tricking users into approving illicit OAuth 2.0 consent grants, which sidestep those controls because the attacker ends up holding a token rather than a password. To prepare, companies should limit which applications can request OAuth 2.0 grants from end users or disallow specific OAuth 2.0 scopes from ever being granted.
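The two controls the paragraph recommends can be expressed as a policy check over consent-grant events. The following is an added example (not code from the article, from Kudelski Security, or from any identity provider's API): an evaluator that applies an application allowlist and a scope denylist to a batch of consent events, and additionally flags an app whose display name mimics an approved one, since that is how an illicit grant is typically made to look legitimate. The app ids, display names, users and scope strings are constructed for illustration (only `offline_access`, the standard OpenID Connect scope that yields a refresh token, is a real name); the event shape is a hypothetical one, not the schema of any real audit log.

```python
"""Evaluate OAuth 2.0 consent grants against an app allowlist and a scope denylist.

Added example. App ids, names, users and scope strings are constructed; the
event dict layout is hypothetical and not tied to any real identity provider.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Hypothetical allowlist: app_id -> display name the organization has approved.
ALLOWED_APPS: Dict[str, str] = {
    "app-0001": "Expense Tracker",
    "app-0002": "Calendar Sync",
}

# Scopes end users may never grant, whatever the app (illustrative names;
# "offline_access" is the real OpenID Connect scope that issues a refresh token).
BLOCKED_SCOPES: Set[str] = {
    "mail.read",
    "mail.readwrite",
    "files.readwrite.all",
    "offline_access",
}


@dataclass
class Decision:
    app_id: str
    user: str
    verdict: str                                  # "allow" or "block"
    reasons: List[str] = field(default_factory=list)   # why it was blocked
    warnings: List[str] = field(default_factory=list)  # noteworthy but not blocking


def evaluate_grant(event: dict,
                   allowed_apps: Dict[str, str] = ALLOWED_APPS,
                   blocked_scopes: Set[str] = BLOCKED_SCOPES) -> Decision:
    """Apply both controls: only allowlisted apps may be granted consent, and
    denylisted scopes are refused even for allowlisted apps."""
    app_id = event["app_id"]
    app_name = event.get("app_name", "")
    requested = {s.lower() for s in event.get("scopes", [])}
    reasons: List[str] = []
    warnings: List[str] = []

    if app_id not in allowed_apps:
        reasons.append(f"app {app_id!r} ({app_name!r}) is not allowlisted")
        # A familiar name on an unknown app id is the classic consent-phishing lure.
        if app_name in allowed_apps.values():
            reasons.append(f"display name {app_name!r} mimics an approved app")

    for scope in sorted(requested & blocked_scopes):
        reasons.append(f"scope {scope!r} is on the denylist")

    if not event.get("publisher_verified", False):
        warnings.append("publisher is not verified")

    verdict = "block" if reasons else "allow"
    return Decision(app_id, event["user"], verdict, reasons, warnings)


def audit(events: Iterable[dict]) -> List[Decision]:
    """Evaluate a batch of consent events, preserving their order."""
    return [evaluate_grant(e) for e in events]


# Constructed consent events: one legitimate grant, one lookalike app asking
# for mailbox access plus a refresh token, and one approved app over-reaching.
SAMPLE_CONSENT_EVENTS = [
    {"app_id": "app-0001", "app_name": "Expense Tracker", "user": "alice@example.com",
     "scopes": ["user.read", "expenses.readwrite"], "publisher_verified": True},
    {"app_id": "app-9f3c", "app_name": "Calendar Sync", "user": "bob@example.com",
     "scopes": ["user.read", "mail.read", "offline_access"], "publisher_verified": False},
    {"app_id": "app-0002", "app_name": "Calendar Sync", "user": "carol@example.com",
     "scopes": ["calendars.readwrite", "files.readwrite.all"], "publisher_verified": True},
]


if __name__ == "__main__":
    for d in audit(SAMPLE_CONSENT_EVENTS):
        print(f"{d.verdict.upper():5s} {d.app_id} for {d.user}")
        for r in d.reasons:
            print(f"      reason:  {r}")
        for w in d.warnings:
            print(f"      warning: {w}")
```

Run against the constructed events, the first grant is allowed, the lookalike app is blocked on four counts (unknown id, mimicked name, and two denylisted scopes), and the approved calendar app is blocked only because of the single over-broad scope it requested. The same evaluator can be pointed at a real consent log once the event fields are mapped, and the allowlist is the place where "limit which applications can request grants" actually lives.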
Utilization of Artificial Intelligence
We will see an increased utilization of AI particularly within the IoT and OT industries, given the technology’s ability to help automate many tasks to reduce costs and improve productivity. However, as security leaders decide to adopt AI, they will need to prioritize the integrity of the data and make sure basic cyber hygiene protocols are in place.
Utilizing AI without the basics – from asset and patch management to user awareness – will only exacerbate the number of breaches we will see, as simpler exploits will be able to leverage any weak spots.
Looking ahead to 2021 and beyond, organizations need to be prepared to secure their resources no matter where they are accessed from. Leaders will need to make sure they add security-based policies to their business continuity plans, understand how threats are shifting, and know how to adopt new technologies to mitigate potential risks.
This blog was originally featured in VMblog.com