Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

10/11/2019
10:00 AM
By Brian Contos, CISO, Verodin
Commentary

Close the Gap Between Cyber-Risk and Business Risk

Four steps outlining how security teams can better understand their company's cyber-risk and demonstrate to company leadership what's being done to mitigate the resulting business risk.

In my role as CISO of a security company, I travel around the US and abroad quite a bit and have the opportunity to meet with security practitioners from many industry sectors. I also give talks and present to people on the front lines about the importance of treating cybersecurity like any other business operation.

With the number and types of cyberattacks on the rise, and with more companies experiencing some sort of breach, cyber-risk has become business risk. As such, a company's exposure to cyber threats is now a top-of-mind issue for C-level executives, which puts increased pressure on the CISOs I talk with to ensure their security controls work as they should. Yet there seems to be a large gap between how companies should address cyber-risk and what they're actually doing.

How do I know this? Aside from conversations and interactions with security leaders that point to this trend, I also collect security statistics from hundreds of audience members via real-time polling software when I'm making a presentation. My audiences generally include red and blue security teams, auditors, security executives, and individuals representing various non-technical, non-security leadership roles across government organizations, financial services, transportation, telecom, retail, healthcare, and oil and gas, just to name a few — providing an interesting cross-section of perspectives.

Recently, I posed this question: "Does your leadership leverage security metrics for business decisions?" Just over half of the respondents (51%) answered "half the time," "usually," or "always," which is a positive sign. But the other 49% answered "rarely or never," which shows there is a lot of room for improvement in helping business leaders understand the impact of cyber-risk on financial, operational, and brand risk, and how that impact can be measured.

Another polling question — "How good is your organization's security team at mapping cybersecurity risks to business risks?" — revealed that 77% of respondents felt that their security teams did a poor to fair job of mapping cybersecurity risks to business risks. This number shows that while security is maturing and playing a greater role in critical business functions, as an industry, we're not far enough along. Most people likely know that it's a good idea to map cyber-risk to business risk, and want supporting evidence-based data so cybersecurity can be measured like other business units. But there clearly is a disconnect when it comes to how to do this.

While companies are beginning to understand what's at stake when a breach occurs (loss of brand trust, compromised customer data, and lawsuits that can cost millions of dollars, to name a few), there is little understanding of how to measure an organization's cyber-risk or what actionable steps will improve the company's security posture.

Here are my recommendations for how security teams can better understand their company's cyber-risk and demonstrate to company leadership what's being done to mitigate the resulting business risk.

1. Stop assuming and start measuring.
It used to be enough for security teams to consider only performance and speed when evaluating security solutions. That is no longer true: the environment is increasingly complex to manage, and security effectiveness must be measured and reported to the rest of the organization (including sales, marketing, human resources, and finance). That reporting must rest on quantitative, data-driven measurements rather than assumption-based metrics. Having a control deployed is not evidence that it works; observing it block or alert on a known stimulus is. Only the latter validates that security controls are working as they should.

2. Conduct and automate tests on an ongoing basis.
Given point No. 1 above, evidence is needed on an ongoing basis to demonstrate what is and isn't working. Companies tend to rely on audits and penetration tests for this, but those approaches are limited: they provide a point-in-time snapshot of security controls rather than a continuous, end-to-end picture, and a control that passed last quarter can silently stop working after a rule change, an upgrade, or a network change. Testing options exist that not only identify gaps but also prescribe the fix, validate that the fix worked, and then automate the process so that validation repeats as the environment drifts, ensuring that what's working stays working. In other words: fix it the right way, make sure it's fixed, and keep it fixed.

3. Be sure you're evaluating and implementing the right security solutions.
When considering any security solution, it's important to know whether you're evaluating the right products for your environment and whether they enable the business. Think of it this way: you only create internal processes, build apps, or hire people if doing so will improve the overall effectiveness of the company. Security has been excluded from this type of evaluation for too long, simply because there haven't been the right tools to rationalize the investment. Those tools now exist, and they give security leaders evidence of how each security component enables and improves the business.

4. Report actionable information to the executive team.
If you're a security professional, you likely know that key stakeholders in the company (the audit committee, the C-suite, and the board) want assurance that the security controls in place are effectively protecting the company and its digital assets. Look for systems and platforms that provide the evidence-based, practical reporting your executive team requires, and convey with confidence that the security infrastructure is continually monitored and optimized to minimize business risk.
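What steps 1, 2 and 4 look like in practice, as an added example that is not code from this article or from Verodin: a small control-validation harness that sends a known stimulus at each control, records what the control actually did (measuring rather than assuming), compares a later run against a baseline to catch drift, and rolls the results up by business function for an executive report. The control names, test cases, business functions and canned outcomes are all constructed for illustration; in a real deployment the executor would drive the real stimulus (an outbound connection from a test host, a test file dropped on an endpoint) and read the observed outcome from the control's own logs.

```python
# Added example: a minimal continuous control-validation harness.
# Not code from the article or from Verodin; every test case, control
# name, business function and outcome below is constructed.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ControlTest:
    """One stimulus aimed at one control, plus the outcome that proves it worked."""
    test_id: str
    control: str            # the control under test (assumed name)
    business_function: str  # the business process that depends on it
    stimulus: str           # what the test does to the environment
    expected: str           # outcome that counts as a pass: "blocked" or "alerted"


@dataclass(frozen=True)
class RunResult:
    test_id: str
    control: str
    business_function: str
    expected: str
    observed: str

    @property
    def passed(self) -> bool:
        return self.observed == self.expected


# Constructed suite; the stimuli are described, not executed, in this example.
SUITE: List[ControlTest] = [
    ControlTest("T1", "egress-proxy", "payment processing",
                "connect to a known-bad domain from a cardholder-data host", "blocked"),
    ControlTest("T2", "endpoint-detection", "payment processing",
                "write an EICAR test file to a workstation", "alerted"),
    ControlTest("T3", "email-gateway", "customer support",
                "deliver an inbound message with a macro-enabled attachment", "blocked"),
    ControlTest("T4", "siem-auth-monitoring", "customer support",
                "fifty failed logins to one account within a minute", "alerted"),
]


def run_suite(tests: List[ControlTest],
              execute: Callable[[ControlTest], str]) -> List[RunResult]:
    """Run every test and record what the control actually did. An exception
    from the executor is itself evidence, so it is recorded as an outcome
    instead of aborting the run."""
    results = []
    for t in tests:
        try:
            observed = execute(t)
        except Exception as exc:  # any failure to validate is a finding
            observed = f"error:{type(exc).__name__}"
        results.append(RunResult(t.test_id, t.control, t.business_function,
                                 t.expected, observed))
    return results


def detect_drift(baseline: List[RunResult],
                 current: List[RunResult]) -> Tuple[List[str], List[str]]:
    """Compare two runs: tests that passed before and fail now (regressions)
    and tests that failed before and pass now (fixed)."""
    before = {r.test_id: r.passed for r in baseline}
    regressed = [r.test_id for r in current
                 if r.test_id in before and before[r.test_id] and not r.passed]
    fixed = [r.test_id for r in current
             if r.test_id in before and not before[r.test_id] and r.passed]
    return regressed, fixed


def executive_summary(results: List[RunResult]) -> Dict[str, Dict[str, Any]]:
    """Roll results up by business function: share of validated controls that
    worked, and which controls are failing right now."""
    summary: Dict[str, Dict[str, Any]] = {}
    for r in results:
        s = summary.setdefault(r.business_function,
                               {"tests": 0, "passed": 0, "failing_controls": []})
        s["tests"] += 1
        if r.passed:
            s["passed"] += 1
        else:
            s["failing_controls"].append(r.control)
    for s in summary.values():
        s["pass_rate"] = round(100.0 * s["passed"] / s["tests"], 1)
    return summary


def simulated_executor(outcomes: Dict[str, str]) -> Callable[[ControlTest], str]:
    """Stand-in for a real environment: returns constructed, canned outcomes."""
    return lambda t: outcomes[t.test_id]


def demo() -> Tuple[List[str], List[str], Dict[str, Dict[str, Any]]]:
    # Baseline run: everything works except the SIEM rule never fires.
    baseline = run_suite(SUITE, simulated_executor(
        {"T1": "blocked", "T2": "alerted", "T3": "blocked", "T4": "allowed"}))
    # Later run: a proxy policy change silently broke the egress block (drift),
    # while the SIEM rule has since been fixed.
    current = run_suite(SUITE, simulated_executor(
        {"T1": "allowed", "T2": "alerted", "T3": "blocked", "T4": "alerted"}))
    regressed, fixed = detect_drift(baseline, current)
    return regressed, fixed, executive_summary(current)


if __name__ == "__main__":
    regressed, fixed, summary = demo()
    print("regressed:", regressed, "fixed:", fixed)
    for function, s in summary.items():
        print(f"{function}: {s['pass_rate']}% of validated controls working; "
              f"failing: {s['failing_controls']}")
```

Run on a schedule and diffed against the last run, the `regressed` list is the "environmental drift" step 2 warns about, and the per-function pass rate is the kind of number step 4 asks for: not "we have a proxy and an EDR," but "one of the two controls protecting payment processing failed validation this week."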

If you're like the nearly half of respondents who said they "rarely or never" use security metrics for business decisions, or if you're in the 77% bucket of people who say their security teams do a poor to fair job of mapping cybersecurity risks to business risks, the above steps can help you better manage your organization's cyber-risk and business risk, and ultimately protect the company and preserve its brand, operations, and financial position.


Brian Contos is the CISO & VP of Technology Innovation at Verodin. With over 20 years of security industry experience, working across more than 50 countries and six continents, he is a seasoned executive, board adviser, security company entrepreneur, and author. After getting ...