Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/21/2018
10:30 AM
Jo-Ann Smith
Jo-Ann Smith
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Proving ROI: How a Security Road Map Can Sway the C-Suite

When executives are constantly trying to cut the fat, CISOs need to develop a flexible structure to improve baseline assessments and target goals, tactics, and capabilities. Here's how.

It's no secret that cybersecurity is top of mind for most modern enterprises. But a recent survey from Marsh, a risk management company, reveals that only one in five organizations has the tools in place to manage the risk of a cyberattack, despite high-ranking executives claiming it is a top risk management priority. Why the disconnect? It often stems from the fact that security products and tools don't seem to have a return on investment (ROI) that directly affects business results, which makes advocating for them a tough task for security practitioners.

As organizations struggle to quantify the value of cybersecurity investments, it's important to note that true ROI comes from defending the organization against material impact. A study from Juniper Research shows data breaches will cost businesses more than $2 trillion dollars by 2019. As such, smart security spend pays for itself in cost savings, reputation protection, and more, given the direct connection between loss prevention and a company's bottom line. We're facing a reality in which organizations understand they need to care about security, but to really get executive buy-in, the security team needs to prove ROI — the right kind of ROI — and provide a clear plan for implementation. 

Meanwhile, traditional infosec roles are expanding beyond just security operations. Security professionals now wear multiple hats and need to justify the need for implementing certain tools, instead of just making sure they function correctly.

Faced with this new test of leadership, how can security teams get senior leaders to understand that security should be built into the products and the process at the outset, so companies aren't adding it after they're faced with a major security incident? Putting a security road map in place can help plan the tactical actions necessary to sway the C-suite to commit and spend.

An effective road map creates a flexible security structure under the CIO that runs under four distinct towers:  

1. Security oversight: Encompassing enterprise governance and KPI tracking.

2. Information risk: The design and sustainability of an internal risk management program that tracks general enterprise risks and exceptions where higher risk levels are acknowledged.

3. Security architecture and engineering: That which relates to the proactive and progressive deployment of security controls and tools that help to track and mitigate risk.

4. Security operations: The operational model that leverages all three of the previous towers to monitor and report on issues and incidents.

From here, the following four steps are designed to help infosec professionals put their road map into practice.

Practice 1: Assess Your Risks, Assets and Resources
You should first identify and document the assets you need to protect most. What's important to your business, and what are the main threats to your systems and data? Then you need to understand the probability of cyber threats to these assets. If your security team isn't adequately staffed, feel free to leverage other teams or hire a contractor, if needed. Once you're done assessing, you should also select a security framework to follow — such as the National Institute of Standards in Technology's — one that covers any relevant regulatory requirements, to keep the program on track.

Practice 2: Update Your Information Security Policy
To get buy-in at the C-level, you'll have to start at the manager level and work your way up. Updating your existing policies and creating security standards for general use will allow you to give them guidance on high risk areas. Managers will also benefit from translating risk assessments into business terms and using metrics that resonate with the C-suite.

Practice 3: Identify New Controls Required and Deploy Them
Make sure to log all access to data by a unique identifier, which will require a log management tool or security information and event management system. Limiting access to specific data to specific individuals is typically a good rule of thumb. You should also require unique system usernames and passwords and eliminate the sharing of group-based accounts. Protecting against data leaks is vital to make sure no sensitive data is emailed outside of the organization. Once you're ready to test these controls, you should use a phased approach to ensure that they're incorporated into the software development life cycle for new infrastructure and application deployment. During the testing process, you should not only note if the solution works technically but also that it doesn't impose too much of a burden on your employees or processes.

Practice 4: Educate Your Employees, Executives, Vendors & Customers
Once you're ready to roll out your new policies, you'll need to focus on internal and external education. Internally, you should explain what employees should do to comply and the consequences they face if they fail to do so. Holding regular security trainings will also help boost awareness and hold everyone accountable. Externally, you should let vendors and customers know about your new policies and what they need to do to comply.

When enterprises are constantly trying to cut the fat, an effective road map is the fastest way to bootstrap cohesive action. It will allow you to improve your baseline assessments, target goals, tactics, and capabilities. By effectively calculating risk, laying out security products' worth in terms of managing this risk, and justifying their place in the budget, infosec professionals will be able to sway the C-suite.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Jo-Ann Smith is an IT security professional who has worked in information technology as both an employee and a consultant for more than 20 years. She currently serves as the Director of Technology Risk Management and Data Privacy at Absolute. Jo-Ann is responsible for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Apprentice
12/22/2018 | 1:36:32 AM
Protect yourself
I reckon that last point about proper education of people and stakeholders is one of the most important points in this whole article. I remember the old days when security just wasn't something that you had to think about because we didn't expect that there would be people who would try and steal information.  But alas, we have moved past that and there are opportunists everywhere that are out to get you. So we have to do something about it, right?
MelBrandle
50%
50%
MelBrandle,
User Rank: Apprentice
12/17/2018 | 1:25:36 AM
Teamwork cooperation
In every organization, teamwork is key to ensure that a specific set of goals can be met at the end of the day. It is not just about making sure that everyone can work together to get tasks done but it is ultimately to strive in reaching their main aim. Moving forward each day would be made much easier when everyone knows where to move towards.
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10855
PUBLISHED: 2019-05-23
Computrols CBAS 18.0.0 mishandles password hashes. The approach is MD5 with a pw prefix, e.g., if the password is admin, it will calculate the MD5 hash of pwadmin and store it in a MySQL database.
CVE-2019-10866
PUBLISHED: 2019-05-23
In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter.
CVE-2016-7550
PUBLISHED: 2019-05-23
asterisk 13.10.0 is affected by: denial of service issues in asterisk. The impact is: cause a denial of service (remote).
CVE-2016-8897
PUBLISHED: 2019-05-23
Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/help/controllers/helpController.php.
CVE-2016-8899
PUBLISHED: 2019-05-23
Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expCatController.php related to change_cats.