8/21/2018
10:30 AM
Jo-Ann Smith
Commentary

Proving ROI: How a Security Road Map Can Sway the C-Suite

When executives are constantly trying to cut the fat, CISOs need to develop a flexible structure to improve baseline assessments and target goals, tactics, and capabilities. Here's how.

It's no secret that cybersecurity is top of mind for most modern enterprises. But a recent survey from Marsh, a risk management company, reveals that only one in five organizations has the tools in place to manage the risk of a cyberattack, despite high-ranking executives claiming it is a top risk management priority. Why the disconnect? It often stems from the fact that security products and tools don't seem to have a return on investment (ROI) that directly affects business results, which makes advocating for them a tough task for security practitioners.

As organizations struggle to quantify the value of cybersecurity investments, it's important to note that true ROI comes from defending the organization against material impact. A study from Juniper Research shows data breaches will cost businesses more than $2 trillion by 2019. As such, smart security spend pays for itself in cost savings, reputation protection, and more, given the direct connection between loss prevention and a company's bottom line. We're facing a reality in which organizations understand they need to care about security, but to really get executive buy-in, the security team needs to prove ROI — the right kind of ROI — and provide a clear plan for implementation.

Meanwhile, traditional infosec roles are expanding beyond just security operations. Security professionals now wear multiple hats and need to justify the need for implementing certain tools, instead of just making sure they function correctly.

Faced with this new test of leadership, how can security teams get senior leaders to understand that security should be built into the products and the process at the outset, so companies aren't adding it after they're faced with a major security incident? Putting a security road map in place can help plan the tactical actions necessary to sway the C-suite to commit and spend.

An effective road map creates a flexible security structure under the CIO that is organized into four distinct towers:

1. Security oversight: Encompassing enterprise governance and KPI tracking.

2. Information risk: The design and sustainability of an internal risk management program that tracks general enterprise risks and exceptions where higher risk levels are acknowledged.

3. Security architecture and engineering: The proactive and progressive deployment of security controls and tools that help to track and mitigate risk.

4. Security operations: The operational model that leverages all three of the previous towers to monitor and report on issues and incidents.

From here, the following four steps are designed to help infosec professionals put their road map into practice.

Practice 1: Assess Your Risks, Assets and Resources
You should first identify and document the assets you need to protect most. What's important to your business, and what are the main threats to your systems and data? Then you need to understand the probability of cyber threats to these assets. If your security team isn't adequately staffed, leverage other teams or hire a contractor, if needed. Once you're done assessing, you should also select a security framework to follow — such as the National Institute of Standards and Technology's — one that covers any relevant regulatory requirements, to keep the program on track.

Practice 2: Update Your Information Security Policy
To get buy-in at the C-level, you'll have to start at the manager level and work your way up. Updating your existing policies and creating security standards for general use will allow you to give managers guidance on high-risk areas. Managers will also benefit from translating risk assessments into business terms and using metrics that resonate with the C-suite.

Practice 3: Identify New Controls Required and Deploy Them
Make sure to log all access to data under a unique identifier, which will require a log management tool or security information and event management (SIEM) system. Limiting access to specific data to specific individuals is typically a good rule of thumb. You should also require unique system usernames and passwords and eliminate the sharing of group-based accounts. Data leak protection is vital to ensure no sensitive data is emailed outside the organization. Once you're ready to test these controls, use a phased approach to ensure they're incorporated into the software development life cycle for new infrastructure and application deployments. During the testing process, note not only whether the solution works technically but also whether it imposes too much of a burden on your employees or processes.

Practice 4: Educate Your Employees, Executives, Vendors & Customers
Once you're ready to roll out your new policies, you'll need to focus on internal and external education. Internally, you should explain what employees should do to comply and the consequences they face if they fail to do so. Holding regular security trainings will also help boost awareness and hold everyone accountable. Externally, you should let vendors and customers know about your new policies and what they need to do to comply.

When enterprises are constantly trying to cut the fat, an effective road map is the fastest way to bootstrap cohesive action. It will allow you to improve your baseline assessments, target goals, tactics, and capabilities. By effectively calculating risk, laying out security products' worth in terms of managing this risk, and justifying their place in the budget, infosec professionals will be able to sway the C-suite.

Jo-Ann Smith is an IT security professional who has worked in information technology as both an employee and a consultant for more than 20 years. She currently serves as the Director of Technology Risk Management and Data Privacy at Absolute. Jo-Ann is responsible for ...
Comments
NathanDavidson,
User Rank: Apprentice
12/22/2018 | 1:36:32 AM
Protect yourself
I reckon that last point about proper education of people and stakeholders is one of the most important points in this whole article. I remember the old days when security just wasn't something that you had to think about because we didn't expect that there would be people who would try and steal information. But alas, we have moved past that and there are opportunists everywhere that are out to get you. So we have to do something about it, right?
MelBrandle,
User Rank: Apprentice
12/17/2018 | 1:25:36 AM
Teamwork cooperation
In every organization, teamwork is key to ensure that a specific set of goals can be met at the end of the day. It is not just about making sure that everyone can work together to get tasks done but it is ultimately to strive in reaching their main aim. Moving forward each day would be made much easier when everyone knows where to move towards.