Operations

11/10/2016
10:00 AM
Vincent Liu
Commentary

How Security Scorecards Advance Security, Reduce Risk

CISO Josh Koplik offers practical advice about bridging the gap between security and business goals in a consumer-facing media and Internet company.

Bishop Fox’s Vincent Liu sat down recently with Josh Koplik, IAC chief information security officer, in a wide-ranging conversation about the all-too-common schism between business and security objectives, his innovative security scorecard, and why strong security will never be a strategic marketing asset for business. We excerpt highlights below. You can read the full text here.

Fourth in a series of interviews with cybersecurity experts by cybersecurity experts.

Vincent Liu: Why do business and security people think differently about risk?

Josh Koplik: Understanding what makes a system secure is easy because it’s a technical problem. Deciding whether or not that’s worth doing from a business standpoint is more complicated. A lot of security people assume that security initiatives are always worth pursuing. If it takes zero resources – no time, no money, no anything – of course you’d do it. Every security improvement comes with a cost, and those costs are not always apparent or worth bearing. 

VL: What do you, as a security professional, wish business people understood?

JK: I don’t think a lot of business people consider the cost of security events. The impression is that these breaches cost outrageous amounts of money, but I don’t think that’s the case. Even in the most high-profile examples, if you look at the breach costs as a percentage of annual revenue or some metric that takes into account the size of the target to begin with, it’s not that bad. I also think breaches, in terms of real impact, get overstated as far as reputational impact is concerned.

VL: Are there times when you as a security executive would consciously accept risk?

JK: Security people would do well to accept risk, have a process for accepting risk, and make their business colleagues comfortable with accepting risk or paying for mitigation.

If we have this business that is under-performing, it’s easy to look at the balance sheet of that business and know whether spending $100,000 on a pentest is worth doing. This is one place where CISOs can run into trouble.

Once you get to the point where you are no longer under a CIO, you’re no longer part of a technology organization, and you’re having regular conversations with your CFO, your CIO, and the heads of your business lines, those conversations become easier. Your CFO may not understand stack overflows and intrusion prevention systems, but he knows numbers. So you can say, “Here’s a thing. On a scale of 1 to 10 in terms of importance, I give it a 7. And it costs $150,000.”

VL: Tell us about your security scorecard. Do you actually give out grades?

JK: I use people’s inherent competitive nature in this situation. I issue grades, which makes people work harder so they can beat the other guy.

VL: What does it look like and how does it work?

[Image of the IAC security scorecard. Source: IAC]

JK: Basically, businesses are listed down the left side. Then, security domains are listed at the top. In each little box, there is a letter grade and corresponding color code. Bs are green, Cs are yellow, Ds are red, and that’s it! That’s the scorecard.

Behind the scenes, there are criteria; in other words, it’s descriptive. To earn an A in vulnerability management, you have to do this series of things. It’s not long; you can read the criteria for the entire seven domains in fifteen minutes. The grade levels are slightly differently worded versions of the same thing. Whereas a B might state “most,” a C will state “some.” There is enough room for interpretation that you can wiggle between grade levels, but not enough room that things look fake. It’s an A, B, C, D scale; there is no such thing as an A-. I have enough trouble differentiating between B and C as is. ABCD I can describe well.

Because it’s simple, people at the executive level can understand it at a glance. You can easily present this to a CEO. If a business wants to grow, they will want to do something about poor grades. However, if you go to a struggling business with a bunch of Ds, they’ll shrug and say, “That is the least of our problems. We don’t have any revenue.”

VL: When I spoke to Rich Seiersen at GE Healthcare, he said that some things are unnecessary because they don’t progress the conversation. Instead, they end up wasting time and detracting value. What you’re really doing with these scorecards is trying to drive change or to start a conversation, isn’t it?

JK: Grades don’t make you more secure; they need to reflect practices that you are doing that actually make you more secure. They define what those things are and whether or not they are being done. You need to trace anything you are measuring back to on-the-ground activities that improve security. If you can’t, I question what you are measuring.
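The scorecard Koplik describes is a grid of businesses against security domains, with an A/B/C/D grade per cell derived from written criteria, and with every grade traceable to concrete practices. The following is an added example written for this page, not IAC's scorecard or its criteria: the seven real domains and their wording are not on the page, so the three domains, their criteria, the "all / most / some" cut-offs and the two sample businesses below are all assumptions, constructed to show how such a grid can be computed from evidence rather than assigned by hand.

```python
"""Letter-grade security scorecard: businesses down the side, domains across
the top, one A/B/C/D grade per cell, each grade derived from explicit criteria.
Illustrative code for this page; domains, criteria and thresholds are assumed."""

# Assumed domains and criteria. Each criterion is an on-the-ground practice, so a
# grade can always be traced back to something a team is or is not doing.
CRITERIA = {
    "vuln mgmt": (
        "authenticated scans at least monthly on every internet-facing host",
        "critical findings fixed within the agreed SLA",
        "remediation tracked to closure in the ticketing system",
        "risk exceptions have a named owner and an expiry date",
    ),
    "identity": (
        "MFA enforced for all remote and administrative access",
        "leaver process revokes access within one business day",
        "privileged accounts reviewed quarterly",
        "no shared administrative credentials",
    ),
    "logging": (
        "authentication and admin events shipped to central logging",
        "logs retained for at least 90 days",
        "alerts reviewed daily by a named on-call owner",
    ),
}

# Assumed cut-offs behind the "all / most / some" wording of the grade levels.
# Whole letters only: no plus or minus grades.
GRADE_FLOORS = (("A", 1.0), ("B", 0.7), ("C", 0.4), ("D", 0.0))
COLOR = {"A": "green", "B": "green", "C": "yellow", "D": "red"}


def letter_grade(fraction_met: float) -> str:
    """Map the fraction of a domain's criteria that are met to a letter grade."""
    if not 0.0 <= fraction_met <= 1.0:
        raise ValueError("fraction_met must be in [0, 1]")
    for letter, floor in GRADE_FLOORS:
        if fraction_met >= floor:
            return letter
    return "D"


def grade_domain(domain: str, practices: set[str]) -> tuple[str, list[str]]:
    """Grade one business in one domain; also return the criteria still unmet,
    so the grade is auditable. Evidence that is not a listed criterion is an
    error rather than silently ignored (it would otherwise inflate nothing but
    hide a typo in the evidence)."""
    criteria = CRITERIA[domain]
    unknown = practices - set(criteria)
    if unknown:
        raise ValueError(f"{domain}: not a listed criterion: {sorted(unknown)}")
    missing = [c for c in criteria if c not in practices]
    met = len(criteria) - len(missing)
    return letter_grade(met / len(criteria)), missing


def build_scorecard(evidence: dict[str, dict[str, set[str]]]) -> dict[str, dict[str, str]]:
    """evidence[business][domain] is the set of practices evidenced.
    Returns business -> domain -> grade. A domain with no evidence recorded at
    all is graded D rather than left blank; an empty cell is not a pass."""
    card: dict[str, dict[str, str]] = {}
    for business, by_domain in evidence.items():
        card[business] = {}
        for domain in CRITERIA:
            grade, _unmet = grade_domain(domain, by_domain.get(domain, set()))
            card[business][domain] = grade
    return card


def render(card: dict[str, dict[str, str]]) -> str:
    """Plain-text grid with the colour each grade would carry on the real card."""
    domains = list(CRITERIA)
    width = max(len(b) for b in card)
    lines = [" " * width + "  " + "  ".join(f"{d:>12}" for d in domains)]
    for business, grades in card.items():
        cells = "  ".join(f"{grades[d] + ' (' + COLOR[grades[d]] + ')':>12}" for d in domains)
        lines.append(f"{business:<{width}}  {cells}")
    return "\n".join(lines)


# Constructed sample evidence for two hypothetical business lines.
SAMPLE_EVIDENCE = {
    "Business 1": {
        "vuln mgmt": set(CRITERIA["vuln mgmt"]),       # 4 of 4 -> A
        "identity": set(CRITERIA["identity"][:3]),     # 3 of 4 -> B
        "logging": {CRITERIA["logging"][0]},           # 1 of 3 -> D
    },
    "Business 2": {
        "vuln mgmt": set(CRITERIA["vuln mgmt"][:2]),   # 2 of 4 -> C
        "identity": set(),                             # 0 of 4 -> D
        # no logging evidence recorded at all -> D
    },
}

if __name__ == "__main__":
    print(render(build_scorecard(SAMPLE_EVIDENCE)))
```

The point of returning the unmet criteria alongside each grade is the one made above: a D is only useful if the business can read off which practices would turn it into a C, and an A should be impossible to reach without every listed practice in place.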

VL: Are there downsides to your scorecard? (Continues on page 2.)

Vincent Liu (CISSP) is a Partner at Bishop Fox, a cyber security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he oversees firm management, client matters, and strategy consulting. Vincent is a ...
Comments
Mervyn Chapman, User Rank: Apprentice, 12/26/2016 | 10:59:07 PM
Good article!
The Security field has always suffered from a shortage of effective ways to measure progress. This is by no means perfect (as they both state), but it's a good defensible start for an organizational measurement effort.

Benefiter, User Rank: Apprentice, 11/12/2016 | 10:05:35 AM
Nice article, thanks a lot for your kind sharing!

Lily652, User Rank: Moderator, 11/12/2016 | 5:18:04 AM
prayer times
Fine post. Thanks, I'll follow the next one. Useful and interesting information.
