Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

8/21/2018
10:30 AM
Jo-Ann Smith
Jo-Ann Smith
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Proving ROI: How a Security Road Map Can Sway the C-Suite

When executives are constantly trying to cut the fat, CISOs need to develop a flexible structure to improve baseline assessments and target goals, tactics, and capabilities. Here's how.

It's no secret that cybersecurity is top of mind for most modern enterprises. But a recent survey from Marsh, a risk management company, reveals that only one in five organizations has the tools in place to manage the risk of a cyberattack, despite high-ranking executives claiming it is a top risk management priority. Why the disconnect? It often stems from the fact that security products and tools don't seem to have a return on investment (ROI) that directly affects business results, which makes advocating for them a tough task for security practitioners.

As organizations struggle to quantify the value of cybersecurity investments, it's important to note that true ROI comes from defending the organization against material impact. A study from Juniper Research shows data breaches will cost businesses more than $2 trillion dollars by 2019. As such, smart security spend pays for itself in cost savings, reputation protection, and more, given the direct connection between loss prevention and a company's bottom line. We're facing a reality in which organizations understand they need to care about security, but to really get executive buy-in, the security team needs to prove ROI — the right kind of ROI — and provide a clear plan for implementation. 

Meanwhile, traditional infosec roles are expanding beyond just security operations. Security professionals now wear multiple hats and need to justify the need for implementing certain tools, instead of just making sure they function correctly.

Faced with this new test of leadership, how can security teams get senior leaders to understand that security should be built into the products and the process at the outset, so companies aren't adding it after they're faced with a major security incident? Putting a security road map in place can help plan the tactical actions necessary to sway the C-suite to commit and spend.

An effective road map creates a flexible security structure under the CIO that runs under four distinct towers:  

1. Security oversight: Encompassing enterprise governance and KPI tracking.

2. Information risk: The design and sustainability of an internal risk management program that tracks general enterprise risks and exceptions where higher risk levels are acknowledged.

3. Security architecture and engineering: That which relates to the proactive and progressive deployment of security controls and tools that help to track and mitigate risk.

4. Security operations: The operational model that leverages all three of the previous towers to monitor and report on issues and incidents.

From here, the following four steps are designed to help infosec professionals put their road map into practice.

Practice 1: Assess Your Risks, Assets and Resources
You should first identify and document the assets you need to protect most. What's important to your business, and what are the main threats to your systems and data? Then you need to understand the probability of cyber threats to these assets. If your security team isn't adequately staffed, feel free to leverage other teams or hire a contractor, if needed. Once you're done assessing, you should also select a security framework to follow — such as the National Institute of Standards in Technology's — one that covers any relevant regulatory requirements, to keep the program on track.

Practice 2: Update Your Information Security Policy
To get buy-in at the C-level, you'll have to start at the manager level and work your way up. Updating your existing policies and creating security standards for general use will allow you to give them guidance on high risk areas. Managers will also benefit from translating risk assessments into business terms and using metrics that resonate with the C-suite.

Practice 3: Identify New Controls Required and Deploy Them
Make sure to log all access to data by a unique identifier, which will require a log management tool or security information and event management system. Limiting access to specific data to specific individuals is typically a good rule of thumb. You should also require unique system usernames and passwords and eliminate the sharing of group-based accounts. Protecting against data leaks is vital to make sure no sensitive data is emailed outside of the organization. Once you're ready to test these controls, you should use a phased approach to ensure that they're incorporated into the software development life cycle for new infrastructure and application deployment. During the testing process, you should not only note if the solution works technically but also that it doesn't impose too much of a burden on your employees or processes.

Practice 4: Educate Your Employees, Executives, Vendors & Customers
Once you're ready to roll out your new policies, you'll need to focus on internal and external education. Internally, you should explain what employees should do to comply and the consequences they face if they fail to do so. Holding regular security trainings will also help boost awareness and hold everyone accountable. Externally, you should let vendors and customers know about your new policies and what they need to do to comply.

When enterprises are constantly trying to cut the fat, an effective road map is the fastest way to bootstrap cohesive action. It will allow you to improve your baseline assessments, target goals, tactics, and capabilities. By effectively calculating risk, laying out security products' worth in terms of managing this risk, and justifying their place in the budget, infosec professionals will be able to sway the C-suite.

Related Content:

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

Jo-Ann Smith is an IT security professional who has worked in information technology as both an employee and a consultant for more than 20 years. She currently serves as the Director of Technology Risk Management and Data Privacy at Absolute. Jo-Ann is responsible for ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
MelBrandle
50%
50%
MelBrandle,
User Rank: Moderator
12/17/2018 | 1:25:36 AM
Teamwork cooperation
In every organization, teamwork is key to ensure that a specific set of goals can be met at the end of the day. It is not just about making sure that everyone can work together to get tasks done but it is ultimately to strive in reaching their main aim. Moving forward each day would be made much easier when everyone knows where to move towards.
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Moderator
12/22/2018 | 1:36:32 AM
Protect yourself
I reckon that last point about proper education of people and stakeholders is one of the most important points in this whole article. I remember the old days when security just wasn't something that you had to think about because we didn't expect that there would be people who would try and steal information.  But alas, we have moved past that and there are opportunists everywhere that are out to get you. So we have to do something about it, right?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/27/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
10 iOS Security Tips to Lock Down Your iPhone
Kelly Sheridan, Staff Editor, Dark Reading,  5/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13386
PUBLISHED: 2020-05-27
In SmartDraw 2020 27.0.0.0, the installer gives inherited write permissions to the Authenticated Users group on the SmartDraw 2020 installation folder. Additionally, when the product is installed, two scheduled tasks are created on the machine, SDMsgUpdate (Local) and SDMsgUpdate (TE). The scheduled...
CVE-2019-20806
PUBLISHED: 2020-05-27
An issue was discovered in the Linux kernel before 5.2. There is a NULL pointer dereference in tw5864_handle_frame() in drivers/media/pci/tw5864/tw5864-video.c, which may cause denial of service, aka CID-2e7682ebfc75.
CVE-2020-10737
PUBLISHED: 2020-05-27
A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the hom...
CVE-2020-13622
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (assertion failure) because a property key query for a Proxy object returns unintended data.
CVE-2020-13623
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (stack consumption) via a proxy operation.