Partner Perspectives
6/25/2015
09:00 AM
Ryan Vela

Breach Defense Playbook: Cybersecurity Governance

Time to leave the island: Integrate cybersecurity into your risk management strategy.

A fundamental shift in thinking is underway within the risk management and cybersecurity fields. The two are converging: cybersecurity can no longer be relegated to the IT department. Instead, cybersecurity must be thought of as a component of risk. At a minimum, the same level of diligence that organizations apply to business continuity, insurance risk, workplace safety, loss prevention, and disaster recovery must be applied to cybersecurity.

Adding Cybersecurity To The Risk Management Equation

From a risk management perspective, let’s look at insurance as an example for understanding cybersecurity’s role within the organization. Each year, organizations renew or review their property, general liability, and workers compensation insurance policies with their brokers or directly with insurance carriers. As cybersecurity insurance has become popular, risk managers need to follow the same process for their cybersecurity insurance policies.

When reviewing traditional insurance policies, risk managers use industry-accepted methods. For example, when preparing updates to property policies, risk managers will receive and review reports of company vehicles, property locations, square footages, building contents, safety upgrades, and many other items. When preparing updates to workers compensation policies, risk managers will have access to complete lists of personnel and biographical data.

When risk managers prepare for the first time or review their existing cybersecurity insurance policies, do they have inventories of their computer systems? Do they understand the location of their critical data? Do they know if data moving into and out of the network is encrypted? Do they understand what it would take to recover in the event of a breach?

The answer is simply no. Risk managers do not know the answers to these questions because historically cybersecurity has been an IT issue, and the thinking has been “that’s an IT function, let them handle it.” Businesses need to change this thinking, and the different players need to come together to make sure they are properly protected against advanced threats and the risks that come with them.

Bringing Together Cybersecurity And Other Key Players

Those in charge of cybersecurity for an organization are responsible for 1) defending the network against attacks and deterring them; 2) continuously monitoring and ensuring the safety of data in motion and at rest; 3) responding to events that may indicate malicious activity on the network or involving company data; and 4) planning and preparing for future potential cyberthreats.

While the mechanisms by which cybersecurity personnel perform their duties are heavily within the IT realm, their oversight should sit outside of the IT silo. In order to defend, monitor, respond, and prepare, other groups within the business have an obvious stake in the success or failure of its cybersecurity. For example, HR data is heavily regulated (e.g., PII and HIPAA), and so is financial data (e.g., SOX and GLBA). Just as with the risk management of property and workers compensation, HR and finance leadership must be listed as prime stakeholders on the cybersecurity risk management board.

Giving Cybersecurity A New Home And A Seat At The Table

To solve the current disconnect, there are two options. The first is to move the cybersecurity team out of IT and place it under risk management. This does not mean that cybersecurity should be taken out of the hands of CISOs and the well-versed teams under them, but rather that CROs and CISOs need to become peers in discussing the risks associated with cyber infrastructures.

The second option is to place cybersecurity parallel to risk management, but not within the IT chain. It is important that cybersecurity have a leader who is equal to or higher in the management chain than the Director of IT Operations, so that leader can have a seat at the table with other key decision makers. If cybersecurity is not within risk management, then an equal-weight, dotted-line peer relationship should exist between a) cybersecurity and IT; and b) cybersecurity and risk management.

Removing Audit And Assessment Bias

The benefits of not treating cybersecurity as a function of IT can be seen in the use of audits and assessments. Cybersecurity should have cordial and collaborative relationships with all IT teams, because it needs to respond quickly during breach response or in preparation for a potential threat. However, when performing an audit or assessment of an IT area, cybersecurity should not have the conflict of interest that comes from sitting within the same organization that it is assessing.

For example, budgetary pressures could taint the recommended actions included in an assessment. Suppose the cybersecurity team needs $10K for a new edge security device. If the team prepares an assessment finding that a piece of software is vulnerable and recommending that it be upgraded immediately, their $10K request could be denied and the money given instead to the team managing the vulnerable software.

Ultimately, the person in charge of making decisions for the areas that cybersecurity assesses should not have decision-making responsibility for the cybersecurity team’s budget. This obvious conflict of interest can be addressed by moving cybersecurity out of IT.

Solidifying Cybersecurity As A Board-Level Issue

Lastly, there is a significant benefit to boards of directors in pulling cybersecurity out of IT. In today's cyberage, cybersecurity should be given dedicated line items on BOD agendas -- independent from IT. Currently, however, this is at the discretion of IT leadership, which is juggling many other areas and may not see cybersecurity as a priority. Cybersecurity would be far more likely to get its needed seat at the table if it were separate from IT.

CISOs Are Here, But There Is Still A Ways To Go

For the past 20 years, leaders within the cybersecurity field, including myself, have pushed and clawed to get the business world to understand that as we become more cyber-connected, the role of a CISO is paramount to business success. We succeeded.

Many organizations now have a CISO role, and that role is tied in some way to the IT organization. Unfortunately, our perspective of the CISO role as being directly tied to IT was not implemented perfectly. The role of a CISO is to establish and maintain adequate protection of information. However, information is not necessarily controlled by the IT department. The IT department obviously controls the infrastructure on which information resides, but groups such as HR, risk management, finance, and business operations departments may control the collection, movement, and organization of information. In essence, non-IT departments understand the requirements around information. While it is necessary that IT and non-IT departments work together, the protection of information requires collaboration and coordination -- and this is the role of the CISO's office.

The protection of information is a core tenet of cybersecurity, and so CISOs play the largest role in maintaining a sound cybersecurity program. We have to convince business leadership and boards of directors to modify their thinking, however slightly, on the placement of cybersecurity within their organizations.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15 years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ...

Comments
Joe Stanganelli, User Rank: Ninja
6/30/2015 | 11:00:03 PM
Hear, hear!
Great piece. The notion of treating cybersecurity as a non-IT function has been a hot topic -- and I hope it continues to heat up. At the MIT Sloan CIO Symposium recently, panelists in a cybersecurity session debated this very thing -- arguing that the CISO should not answer to the CIO but rather should answer to the CFO or the Board, because of the conflict of interest the CIO (and his budget) often has with the office of the CISO.

Bookmarked this piece for future reference. Cheers.