Whenever there is change, there will be risk. However, change also creates an opportunity to improve and make things better.
For example, I worked with one CISO at a company where the phrase "digital transformation" was being used frequently — as is the case at many companies. The IT security team had to keep up with all the changes taking place while also supporting existing systems and processes.
This company was able to improve by involving the whole business in the security process. First, the board of directors issued an edict to the CEO around reducing risk across the entire organization. Involving the CEO meant risk reduction was treated as a business process issue rather than solely a technology one. Between them, the CEO and CISO decided to implement a key performance indicator (KPI) based on the number of vulnerabilities on each machine in their business. They knew that if they could drive this number down, it would greatly reduce the risk from ransomware and other attacks.
The CEO put the responsibility for this KPI on each business unit's managing director, rather than onto the IT department. This forced the business to integrate better with IT across all operations, as well as ensuring the change process and sign-off procedures were slick from the start. As each department lead was responsible for their results, they were more involved in decisions to get things done. There was also a second benefit: Changes on the business side were flagged earlier in the process, allowing security to get involved at the beginning rather than the end.
Linking Security Processes to Business Results
As with all security projects, improving KPIs starts with prioritization. According to the SANS Vulnerability Management Survey for 2020, almost 82% of respondents' organizations now prioritize vulnerabilities to help them cope with the huge volume of new issues coming in. Most importantly, there is no "one size fits all" approach to managing risk suitable for every organization, so CISOs must design their approach to best fit the needs of the business. For example, while nearly 78% of those surveyed by SANS are using CVSS severity as a vulnerability prioritization technique, more than 66% are including asset value, and 73% consider exploitability.
Every organization should have an accurate list of all its assets and be able to rank those in order of importance. By understanding which assets, applications, or sets of data are most critical to protect, CISOs can set out rules and processes for remediating vulnerabilities. However, many organizations don't have an accurate list in the first place, so building that inventory has to come first.
It's also important to look at who is responsible for applying those fixes to assets. Ideally, you'd look at how wider business units can be assigned responsibility, but this isn't always possible. In many large enterprises, these tasks are split across departments: While the IT security team will provide alerts on issues that have to be fixed, they will have to turn to the IT operations or services team to carry those patches out, or to teams in a business unit or department. These areas may also be outsourced, leading to further potential problems or delays in getting fixes applied. In the most complex environments, there may be multiple teams involved in the process. Where possible, the number of people involved should be kept to a minimum, because the more people involved, the more complexity there is and the slower progress becomes.
This can affect change control processes and getting sign-off on updates being rolled out. It can also lead to problems around what is covered by KPIs. At one company, the dashboard showed all green lights for patching status, but security issues kept coming up. After investigating further, the reason was that their outsourcing firm was contracted to handle and report on desktop operating system updates, rather than application patches. When the security team looked at the bigger picture around applications on those assets, the situation was different and there were multiple issues to resolve. Once the KPI and the contract were updated to cover all software assets, security improved.
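The two practical points above, the prioritization inputs from the SANS survey (CVSS severity, asset value, exploitability) and the "all green" dashboard whose KPI only counted operating-system updates, can be made concrete in a few lines. The following is an added example written for this page, not code from the article or from any company it describes. The inventory, the placeholder CVE-style identifiers, the criticality weights and the exploitability multiplier are all constructed assumptions; a real deployment would feed this from the asset register and scanner output.

```python
from dataclasses import dataclass, field

# Constructed sample data: one finding per scanner result. The identifiers are
# placeholders, not real CVE references; scores and flags are made up.
@dataclass
class Finding:
    ident: str         # placeholder vulnerability identifier
    cvss: float        # CVSS base score, 0.0-10.0
    exploitable: bool  # a working exploit is known (hypothetical scanner flag)
    scope: str         # "os" = operating-system update, "app" = application patch

@dataclass
class Asset:
    name: str
    criticality: int   # 1 = most important to the business, 3 = least
    findings: list = field(default_factory=list)

INVENTORY = [
    Asset("finance-db-01", 1, [
        Finding("PLACEHOLDER-0001", 9.8, True, "app"),
        Finding("PLACEHOLDER-0002", 5.3, False, "app"),
    ]),
    Asset("hr-desktop-17", 3, [
        Finding("PLACEHOLDER-0003", 7.2, True, "os"),
    ]),
    Asset("web-frontend-02", 2, [
        Finding("PLACEHOLDER-0004", 6.1, False, "app"),
        Finding("PLACEHOLDER-0005", 8.8, True, "os"),
    ]),
]

# Weights are assumptions chosen for illustration, not a published standard.
CRITICALITY_WEIGHT = {1: 3.0, 2: 2.0, 3: 1.0}
EXPLOIT_MULTIPLIER = 1.5


def vulns_per_machine(assets, scopes=("os", "app")):
    """The article's KPI: open findings per machine, counted only over the
    scopes the reporting contract actually covers."""
    return {a.name: sum(1 for f in a.findings if f.scope in scopes) for a in assets}


def dashboard(assets, scopes=("os", "app")):
    """Green/red status per machine. With scopes=("os",) this reproduces the
    misleading all-green board from the article when only app patches are open."""
    return {name: ("green" if count == 0 else "red")
            for name, count in vulns_per_machine(assets, scopes).items()}


def priority_score(asset, finding):
    """Combine the three SANS-survey inputs: CVSS severity, asset value,
    exploitability. Higher means fix sooner."""
    weight = CRITICALITY_WEIGHT[asset.criticality]
    multiplier = EXPLOIT_MULTIPLIER if finding.exploitable else 1.0
    return round(finding.cvss * weight * multiplier, 1)


def remediation_queue(assets):
    """Every open finding across the estate, highest priority first."""
    queue = [(priority_score(a, f), a.name, f.ident) for a in assets for f in a.findings]
    return sorted(queue, reverse=True)


if __name__ == "__main__":
    print("OS-only KPI :", vulns_per_machine(INVENTORY, scopes=("os",)))
    print("Full KPI    :", vulns_per_machine(INVENTORY))
    print("OS-only board:", dashboard(INVENTORY, scopes=("os",)))
    print("Full board   :", dashboard(INVENTORY))
    for score, asset, ident in remediation_queue(INVENTORY):
        print(f"{score:6.1f}  {asset:16s}  {ident}")
```

Running it shows the contract gap directly: with the KPI restricted to operating-system updates, the most critical asset reports zero findings and a green light, while the full-scope count puts it at two and at the top of the remediation queue. The ordering of the queue also illustrates why CVSS alone is a poor KPI driver: a lower-scored but exploitable finding on a critical asset outranks a higher-scored one on a low-value desktop.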
Not every CISO will have the opportunity to use the CEO's clout to get what they need in place. For other CISOs, the challenge is more around how to provide the right information to the management team and the board to demonstrate how their approach works. Thinking about business responsibilities around risk management can help. By linking security processes to business results, CISOs can get the support they need and deliver better outcomes.