What does a “good” cyber-security programme look like? How can we, in our role as Chief Information Security Officer (CISO), work to improve the effectiveness of the policies and practices implemented in our organisations?
Measuring activity does not necessarily have a tangible relationship to robust cyber-security practices, nor does that activity provide any measurable benchmark for executives to understand how you are managing organisational risk – which is ultimately what your job is to do. And the way to be effective is to improve the focus on outcomes which reduce organisational risk. The only Key Performance Indicator (KPI) that matters is whether or not you have been breached.
What executives need to know then, is “What does better look like?” And what strategy can deliver “better” or contribute to “better”, as defined by a steady improvement in security posture to reduce risk? Reporting the number of spam emails caught by an anti-spam system is boring and filed under “no one cares”. Analysing the number of spam emails reported by users which were legitimate spam or false positives is far more interesting, as contrasting that data against the number of users who clicked attachments or malicious links will likely reveal a lot about the effectiveness of the user security awareness. Improvement of the user awareness training at your organisation is of the highest importance, and has the largest Return on Investment (ROI) for security or Governance Risk & Compliance (GRC) spending.
There are four ways to report to executives on security progress in a way which highlights the business value of the security programme.
1. Inspire your team to deliver “better” every day and work towards “best”
Security progress is not measured by endlessly reporting Business As Usual (BAU) – number of tickets opened, number of tickets closed. Again, this reporting is filed under “no one cares”. It is “business unusual” which needs to be reported in terms the organisation can understand. What caused the event/issue which could not be handled as BAU? What was done about the event/issue? And critically, how are we going to proactively make sure the event/issue is mitigated in the future (if possible)? This leads to one of the best quotes in cyber security I have ever heard, by Chris Robert: “If you don’t know what assets you have, physical, virtual and data, you have no business trying to do security anything.” He is 100% on target with that analysis.
How the anomalies, the unusual and the exceptional are detected and responded to is the business value of the security team. And the adage “if you don’t know about it, you can’t secure it” is very applicable. The bonus here is that the unusual stories about your organisation will capture your executive audience and help you build the business case for resources or technology to detect and respond better. Show an executive a bar chart of month-to-month number of anomalies, unusual, exceptional, and extraordinary security events, and that is a KPI worth reporting and understanding, especially if you can describe those events in risk or cost terms.
2. Appreciate the value of the security team’s experience and capabilities
CISO leadership is about taking responsibility for security success or failure, trusting your team to execute best practices day-to-day and having faith your service partners are doing their best to support you. Critically, CISO leadership is about having the faith and fortitude to delegate responsibility to team leaders, department heads or vendors. This does not mean you don’t hold folks accountable: it means you should not be micromanaging your colleagues.
Great things can be achieved by the collective success of many small things and if you think your security plan is the answer to reducing risk in your organisation, you’re dead wrong. Delivery and execution are what you get paid for, so focus on that. If you think “success” is delivering your planned objectives over building important relationships within your organisation, you are failing in the CISO job. Leadership is not about doom-saying and nagging, it is about empowering, uplifting and holding your team accountable.
3. Become a customer service-focused security team.
Seriously qualified business guru people will tell you that customer service is how loyalty is built and business is grown. The security team must focus on being exceptional at delivering great customer security experiences for internal, external and third-party vendors/suppliers. Institute a policy that all emails must be answered or acknowledged; all tickets must be updated daily. It can be hard to do this in practice but this is how the CISO can lead by example. If you’re ignoring someone’s request, you’re not leading your team effectively.
“Your call to the security team is important and we will get back to you as soon as we can.” Try and treat the statement with respect and make it a measurable KPI or a Service Level Agreement (SLA) for your organisation. Train your security people to take delivery of an exceptional security experience seriously; encourage, mentor and reward those who resolve events/issues in the most positive way. Net-promoter scores for the security team’s relationship to the business can be a great KPI to report to the executive team.
Providing an exceptional security experience builds trust within the organisation of you and your team. When – not if – chaos descends on your organisation due to a security event/issue, you’re going to need the support. In the words of Mike Thompson: “You develop the trust; you develop the everything.”
4. Become an intelligence-led security team when addressing audit, pen test results and third-party risk assessments.
If you are not intelligence-led in your approach to managing risk, your obliviousness will lead to your own security team’s demise and potentially the organisation as well. There are really three things that matter, and they are all critical when the team gets called on the carpet: acceptance of the findings, responsiveness to the findings and excellence in remediation of the findings.
The reality of most security teams is other teams will remediate the reported findings, or the detected vulnerabilities those teams find are likely outside your direct control. Those other teams may be development, business application owners supported by third party vendors, desktop teams, server teams or cloud services management teams. Many security teams are only bystanders and open a plethora of service tickets to address the issues which have been discovered, be it audit findings, pen test results or in-house/third party risk assessments. Here are a few common scenarios which in all cases require the cyber threat intelligence team to take the lead on:
a) Third party hosted/supplied service which has a vulnerability or a security incident that may impact confidentiality, integrity or availability of services.
Comprehensive Configuration Management Data Base (CMDB) and Information Technology Asset Management (ITAM) are critical in being able to respond to these near weekly occurrences as an understanding of the organisational risk needs to be priority number one. “Do we have the system or service in our organisation? What is the nature of the connection we have, what is it used for?” All these questions need to be answered by the cyber threat intelligence team before a course of action can be recommended to the business aligned with the third party’s recommendation(s) for mitigation, work arounds or patches. The level of disruption needs to be understood: an SaaS application may have far less impact than a heavily integrated application which has several APIs linked to other systems. A careful analysis and comprehensive understanding should be developed so subject matter experts and business application owners can be aligned and a timeline for the third party remediations can be determined. Be prepared to explain how the third-party issue impacts the business, what risk(s) may be realised over short and long-term and any costs which may be incurred.
b) Vendor advisory of vulnerabilities or out-of-band, emergency patch
This is generally the case when your vendor’s own product security team issues details of vulnerabilities under a support contract or notification scheme. The Cyber Threat Intelligence Team (CTI) needs to research and develop an understanding of the circumstances under which the vulnerability can potentially be exploited or is under active exploitation by a threat actor. Sometimes the notification can be very broad: a full family of operating systems such as Microsoft or Apple, or it can be for a very specific application executing a very specific workflow function. The CTI team should be able to understand the impact, prioritise the remediation activity and adjust the effort as new information may come to light. It is critically important to understand the context – specifically the level of exposure to the internet and presence or absence of mitigating controls. A very high Common Vulnerability and Exposure (CVE) critical vulnerability in an application, with no exposure to the internet, protected by an internal Web Application Firewall (WAF), with Access Control Lists (ACLs) in place and monitored by the Security Information and Event Management (SIEM) may not be nearly as urgent on the priority list and could be mitigated by applying a patch during the next change window instead of forcing through an emergency change. Be prepared to explain why or (why not) the organisation may be impacted by this, what the level of effort may be to remediate it, potential disruptions and when the organisation’s resources may be able to deploy the fix. The best news which CTI can offer is to be able to say “You may have heard that Oracle issued an emergency patch for a zero-day vulnerability today. We have done an assessment and are happy to report we are not impacted.” Executives have access to social media and all the Fear Uncertainty and Doubt (FUD) from infosec personalities and vendors hawking products. The CTI’s team is to sort fact from fiction with accurate, timely and actionable intelligence.
c) Insecure configuration, application or a vulnerability detected by scan or pen test
This is generally the routine activity of most vulnerability management programs; I prefer the term “attack surface reduction program” and it should include some cyber threat analysis to understand the nature of the vulnerability and what risk it poses to the organisation, as well as a firm understanding of the existing mitigations in place. It is always worthwhile to be in communication and focus on reporting the unusual, exceptional, or critical vulnerabilities which have impact on the organisation’s tempo. The week before a quarter closes is not an optimal time to be rebooting servers and workstations in sales, marketing and financial departments. Perhaps the most value CTI can provide here for routine activities is to closely and carefully monitor for signs that a bad patch has been released. This is critical intelligence which needs to be passed on the teams which do the patching: a bad patch for a critical system like Outlook clients could potentially do more damage than a cyber-attack in terms of downtime. Coordination and communication are vital to make the attack surface reduction program run as effectively as possible. Assuring executives that all the little patches are reducing the risk of disruption (or worse) is an important way of demonstrating the business value. The best cyber defence against an attack which exploits a vulnerability is to be already patched against it.
d) Security researcher engagement over an alleged vulnerability
Not all security researchers are out to get you or are scammers. Unfortunately, the ones that have behaved in an unethical way have made it hard for legitimate security researchers – who are acting altruistically to try and make the internet a safer place – to be taken seriously. The CTI team is a great resource to investigate the claims being made by the person(s) who are suggesting the organisation has a security problem. Allegations by a third party under these circumstances should be taken cautiously but seriously. A vetting process such as ranking the source making the allegation against credibility (1-5) and reliability (1-5) scale is a great place to start and an excellent Open Source Intelligence exercise. I believe the best owner of an organisation bug bounty program is the CTI team. In most cases interaction like this will never rise to the level of executive interest; however, the existence of a professional bug bounty program is a high-profile opportunity to celebrate engagement with the security research community: you never know when you need information security community support and having positive relationships can’t hurt.
e) An issue or audit finding which identifies a requirement to update a policy, procedure or standard
CTI teams can play a valuable role in researching new compliance requirements, best practice recommendations and the implications of organisational implementation of new technologies such as AI and ML (ChatGPT). Even existing policies and procedures require annual review as reflected by third party risk assessments and compliance requirements. This is an excellent task which CTI teams can engage with and provide real “editorial” value due to (we hope) excellent written communication skills. Various policies speak directly to the threat landscape which is dynamic, and trend driven. Strong policies and procedures are required to defeat Business Email Compromise (BEC) attacks, as are policies defining the appropriate use of communications tools (WhatsApp) and social media applications in work-related activity (Tik Tok). Fraud is an ever-present threat in the form of BEC attacks, and according to the latest IC3 report[i] it is increasing at a phenomenal rate as ransomware events; yet according to some reports[ii] it is also decreasing. Executives need to know about these trends in criminality and new technology, especially how organisations like your own are dealing with them or even suffering losses or embarrassment from them. Ultimately, your executives will want to know how prepared the organisation is from the risk of these new criminal trends and new technologies, and the steps that are needed to meet growth and security objectives.
f) Anything else?
As confidence and trust in the CISO and security team increases, executives will ask more strategic questions which may impact the longer-term resiliency of the organisation; these requests are the opportunity for CTI to draft “position papers” supporting organisational-wide policy on geopolitical events, global climate changes, remote working (from a security perspective) and a host of myriad topics which move beyond the “traditional view” of security team operations. The CISO should embrace these opportunities and even consider allocating more resources to business support activities in marketing, sales, finance, and IT. Security teams need to realise they are the tip of the spear when it comes to managing organisational risk; however, once a major issue is identified, goodwill, trust and collective action will be required. The effort put into business relationships, being open and honest, making reasonable demands of other’s resources, all increase the possibility of wide support when the situation is critical.
Sure, things will go wrong, and re-prioritisations will happen, but as CISO, your goal is to keep the organisation’s risk at a reasonable level and articulate impacts on security aspects of dynamic organisational changes. The ability to negotiate compromise and support the organisation is the critical factor in your team’s success or failure always be aware of the impact dynamic change is going to have on members of staff in all ranks. It is never fun to be called out in front of the class, but this is the time for the CISO to commit to do “better” and inspire the team to focus on effectiveness and delivery of the “many little security things” which will slowly grow into a “big security achievement”. The most effective leadership mantra for the CISO is this: “Observe good faith and justice toward all nations. Cultivate peace and harmony with all.”