Dark Reading is part of the Informa Tech Division of Informa PLC

Risk
Commentary
8/21/2018 10:30 AM
Jo-Ann Smith

Proving ROI: How a Security Road Map Can Sway the C-Suite

When executives are constantly trying to cut the fat, CISOs need to develop a flexible structure to improve baseline assessments and target goals, tactics, and capabilities. Here's how.

It's no secret that cybersecurity is top of mind for most modern enterprises. But a recent survey from Marsh, a risk management company, reveals that only one in five organizations has the tools in place to manage the risk of a cyberattack, despite high-ranking executives claiming it is a top risk management priority. Why the disconnect? It often stems from the fact that security products and tools don't seem to have a return on investment (ROI) that directly affects business results, which makes advocating for them a tough task for security practitioners.

As organizations struggle to quantify the value of cybersecurity investments, it's important to note that true ROI comes from defending the organization against material impact. A study from Juniper Research shows data breaches will cost businesses more than $2 trillion by 2019. As such, smart security spend pays for itself in cost savings, reputation protection, and more, given the direct connection between loss prevention and a company's bottom line. We're facing a reality in which organizations understand they need to care about security, but to really get executive buy-in, the security team needs to prove ROI — the right kind of ROI — and provide a clear plan for implementation.

Meanwhile, traditional infosec roles are expanding beyond just security operations. Security professionals now wear multiple hats and need to justify the need for implementing certain tools, instead of just making sure they function correctly.

Faced with this new test of leadership, how can security teams get senior leaders to understand that security should be built into the products and the process at the outset, so companies aren't adding it after they're faced with a major security incident? Putting a security road map in place can help plan the tactical actions necessary to sway the C-suite to commit and spend.

An effective road map creates a flexible security structure under the CIO that is organized into four distinct towers:

1. Security oversight: Encompassing enterprise governance and KPI tracking.

2. Information risk: The design and sustainability of an internal risk management program that tracks general enterprise risks and exceptions where higher risk levels are acknowledged.

3. Security architecture and engineering: The proactive and progressive deployment of security controls and tools that help to track and mitigate risk.

4. Security operations: The operational model that leverages all three of the previous towers to monitor and report on issues and incidents.

From here, the following four steps are designed to help infosec professionals put their road map into practice.

Practice 1: Assess Your Risks, Assets and Resources
You should first identify and document the assets you need to protect most. What's important to your business, and what are the main threats to your systems and data? Then you need to understand the probability of cyber threats to these assets. If your security team isn't adequately staffed, leverage other teams or hire a contractor, if needed. Once you're done assessing, you should also select a security framework to follow — such as the National Institute of Standards and Technology's — one that covers any relevant regulatory requirements, to keep the program on track.

Practice 2: Update Your Information Security Policy
To get buy-in at the C-level, you'll have to start at the manager level and work your way up. Updating your existing policies and creating security standards for general use will allow you to give managers guidance on high-risk areas. Managers will also benefit from translating risk assessments into business terms and using metrics that resonate with the C-suite.

Practice 3: Identify New Controls Required and Deploy Them
Make sure to log all access to data by a unique identifier, which will require a log management tool or security information and event management (SIEM) system. Limiting access to specific data to specific individuals is typically a good rule of thumb. You should also require unique system usernames and passwords and eliminate the sharing of group-based accounts. Data leak protection is vital to ensure no sensitive data is emailed outside the organization. Once you're ready to test these controls, use a phased approach to ensure that they're incorporated into the software development life cycle for new infrastructure and application deployments. During testing, note not only whether the solution works technically but also whether it imposes too much of a burden on your employees or processes.
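The three controls in Practice 3 (access attributed to a unique identifier, access limited to named individuals, and no sensitive data mailed outside the organization) are easiest to explain to managers when they can be checked mechanically against logs. The script below is an added illustration written for this article, not code from the author or from any product she mentions: the access-log lines, mail-log lines, accounts, ACL entries, the `example.com` domain and the `svc-`/`shared-`/`admin-`/`team-` naming convention for group accounts are all constructed assumptions, and a real deployment would read the same fields from the SIEM instead of embedded strings.

```python
"""Checks for the Practice 3 controls over constructed sample logs.

Added illustration, not code from the article: every log line, account
name, ACL entry and domain below is constructed for the example.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed access log: timestamp, account, action, data set.
ACCESS_LOG = """\
2018-08-20T09:01:12Z alice.ng READ customer_db
2018-08-20T09:03:40Z svc-shared READ customer_db
2018-08-20T09:05:02Z bob.lee READ payroll
2018-08-20T09:06:55Z - READ payroll
2018-08-20T09:07:41Z bob.lee READ customer_db
2018-08-20T09:08:30Z carol.w WRITE customer_db
"""

# Constructed outbound mail log: sender, recipient, data classification.
MAIL_LOG = """\
alice.ng@example.com partner@vendor.example CONFIDENTIAL
bob.lee@example.com bob.lee@example.com INTERNAL
carol.w@example.com carol.w@mailbox.example PUBLIC
carol.w@example.com carol.w@mailbox.example CONFIDENTIAL
"""

# Hypothetical allow-list: which named individuals may touch which data set.
ACL = {
    "customer_db": {"alice.ng", "carol.w"},
    "payroll": {"bob.lee"},
}

# Assumed naming convention for group/service accounts that must not be used
# for interactive data access; adapt to the organization's own convention.
SHARED_ACCOUNT = re.compile(r"^(svc|shared|admin|team)[-_]", re.IGNORECASE)

INTERNAL_DOMAIN = "example.com"   # assumed company mail domain
SENSITIVE = {"CONFIDENTIAL"}      # classifications that must not leave the company


@dataclass(frozen=True)
class Finding:
    rule: str   # which control was violated
    line: str   # the offending log line, kept as the evidence trail


def is_unique_identifier(account: str) -> bool:
    """True when the account names one person rather than a group or nobody."""
    return account != "-" and not SHARED_ACCOUNT.match(account)


def audit_access(log: str, acl: dict[str, set[str]]) -> list[Finding]:
    """Flag accesses without a unique identifier and accesses outside the ACL."""
    findings: list[Finding] = []
    for line in log.splitlines():
        _ts, account, _action, resource = line.split()
        if not is_unique_identifier(account):
            findings.append(Finding("no-unique-identifier", line))
            continue  # cannot attribute the access, so an ACL check is meaningless
        allowed = acl.get(resource)
        if allowed is not None and account not in allowed:
            findings.append(Finding("access-outside-acl", line))
    return findings


def audit_mail(log: str, internal_domain: str) -> list[Finding]:
    """Flag sensitive classifications sent to any recipient outside the company."""
    findings: list[Finding] = []
    for line in log.splitlines():
        _sender, recipient, classification = line.split()
        external = not recipient.lower().endswith("@" + internal_domain)
        if external and classification in SENSITIVE:
            findings.append(Finding("sensitive-data-external", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule; these counts are the KPIs the oversight tower tracks."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in audit_access(ACCESS_LOG, ACL) + audit_mail(MAIL_LOG, INTERNAL_DOMAIN):
        print(f"{f.rule:25} {f.line}")
    print(summarize(audit_access(ACCESS_LOG, ACL)))
```

Run against the constructed logs, the access audit produces three findings (two accesses with no attributable identity, one read of `customer_db` by an account that is not on its allow-list) and the mail audit two (confidential material sent to an outside partner and to a personal mailbox). The per-rule counts from `summarize` are the kind of metric Practice 2 asks for: a number a manager can watch fall as the control beds in, rather than a description of the tool.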

Practice 4: Educate Your Employees, Executives, Vendors & Customers
Once you're ready to roll out your new policies, you'll need to focus on internal and external education. Internally, you should explain what employees should do to comply and the consequences they face if they fail to do so. Holding regular security trainings will also help boost awareness and hold everyone accountable. Externally, you should let vendors and customers know about your new policies and what they need to do to comply.

When enterprises are constantly trying to cut the fat, an effective road map is the fastest way to bootstrap cohesive action. It will allow you to improve your baseline assessments, target goals, tactics, and capabilities. By effectively calculating risk, laying out security products' worth in terms of managing this risk, and justifying their place in the budget, infosec professionals will be able to sway the C-suite.


Jo-Ann Smith is an IT security professional who has worked in information technology as both an employee and a consultant for more than 20 years. She currently serves as the Director of Technology Risk Management and Data Privacy at Absolute. Jo-Ann is responsible for ...
Comments
NathanDavidson, 12/22/2018 1:36:32 AM
Protect yourself
I reckon that last point about proper education of people and stakeholders is one of the most important points in this whole article. I remember the old days when security just wasn't something that you had to think about because we didn't expect that there would be people who would try and steal information. But alas, we have moved past that and there are opportunists everywhere that are out to get you. So we have to do something about it, right?
MelBrandle, 12/17/2018 1:25:36 AM
Teamwork cooperation
In every organization, teamwork is key to ensure that a specific set of goals can be met at the end of the day. It is not just about making sure that everyone can work together to get tasks done but it is ultimately to strive in reaching their main aim. Moving forward each day would be made much easier when everyone knows where to move towards.