
On many occasions over the past months I have been asked what a CISO should really be doing to answer the inevitable “How safe is the company today?” question from their top management.
Given that several of these occasions were festive year-end parties and all participants in these conversations, myself included, had partaken, I felt that some of our initial conclusions were perhaps a little too honest to repeat. On reflection, though, as we now enter another new year, the depths of emotion expressed in vino veritas revealed some very strongly felt cyber risk concerns that gave me food for thought.
Common subjects of discussion that perhaps give better perspective on the reasons behind this article include “What should a CISO really be doing to keep a company safe?”, and the much more troubling “What does a CISO actually do anyway?”.
Fortunately the participants in these conversations came from many different business environments and disciplines, and all have an understanding of business and technology, and most definitely a business-level grasp of managing cyber risk.
At the root of all of our discussions on this topic we eventually agreed that understanding what “Safe” actually means to a business is crucial to any attempt to answer the question. Moreover, the lack of understanding around this starting point appears to be a critical factor in many of the sad stories we heard last year where organisations empirically turned out not to be as safe as their management had reported.
We all use, indeed we depend on, reliable, efficient IT systems to conduct every level of our businesses today. Indeed, in businesses of all sizes there is someone in the role of IT manager or Chief Information Officer, tasked with making sure that IT happens. Usually (inevitably?) they are the most technically trained and experienced IT person in the organisation, tasked with making all of the IT in the business work to support the business’s profit generation strategy.
It is also well recognised that practically no business, anywhere, ever said to a CIO “Give me the best security you can before you implement the systems that start making a profit for us”. For that we often appoint an equally technically aware and experienced IT security person to become our IT security manager, or our Chief of Information Security.
A common assumption behind many of the high-profile cyber breaches was that expensively acquired security technology had failed, or that the cyber attackers had simply been smarter and more technologically capable than the organisations they attacked.
We believe that it is much more likely to have been a failure to recognise which critical business capabilities needed to be kept most safe within the business that allowed the adoption of generic solutions to cyber security threats: solutions that by default did not measurably reduce the most significant risks to the most critical value-creating components of that business.
It is not that the technology solutions acquired are incapable of providing a proper defence against cyber threats, far from it in fact. The issue is that when a business adopts new solutions based on currently perceived threats, they will be deployed and exist within a spectrum of existing solutions.
Our issue here is not an inability to identify or detect cyber incident events; it becomes one of data management. Our available data is now so rich in detail around incoming threats that defending our business becomes much more difficult. To make effective use of this data we need to be able to identify the threats that matter, and focus our priorities on these.
So, with so much extra data on hand, it is no surprise to hear the many sad tales of breaches and ransomware whose data-rich post-mortems give us the omnipotent power of perfect hindsight. What, then, should a new head of security, or CISO, do in their first hundred days to answer our original question?
Understanding what “cyber safe” really means
Understanding what Cyber safe really means.

It is common, when talking about the appointment or promotion of a new business hero, in this case our CISO, for observers to hype up the issues that they need to face, almost as if by making these tasks into a series of ordeals as part of some herculean quest we can derive some satisfaction through observation of the odyssey they must endure to prove their worthiness for the job.
The most frequently mentioned of these ordeals is the creation of the proverbial 100-day plan. Whether a real or imaginary task, many CISOs do accept this as a rite of passage into their new domain. So rather than fight against years of tradition and legend, we shall here offer some advice to our hero as they start on their quest.
A hundred days is a long journey to start without a map, so to help a new CISO, or indeed even a new CIO, we suggest that they make use of their first 100 hours in that new role to determine exactly what the business does to deliver profit, value, and benefit to its shareholders and customers.
Those of you who have undertaken this journey will point out that these 100 hours of research into why things are being done could be done at any time prior to taking up the job, and this knowledge may even have proven of benefit when being interviewed for the post. But this is my story, so let’s begin on Day 1.
With your fresh perspective on what doing business means in your new context, you must rapidly use that understanding to quantify the how of this business: the critical information and application systems and processes that deliver the greatest value and opportunities for success and profit. Then begin the prioritisation of cost-effective cyber risk reduction and the monitoring of threats against those systems. We can simplify this to four words: develop a cyber resilience strategy.
Some of the foundation for cyber risk will certainly be technical, and fortunately readily addressable at an IT availability level, but most threats will both damage daily business function and prevent future delivery of the planned business objectives and strategies specific to that organisation.
Cyber threats to those critical business objectives need to be recognised and prioritised against impact and managed for resilience at the business level. Cyber risks are fundamentally business threats that manifest through adversarial attacks using technology – their impacts are rarely due to IT issues alone.
Once a CISO has delivered a cyber risk posture assessment to their senior management it becomes much easier to report progress and actions against those risks in a manner that conveys that “we are getting safer” in respect of cyber risk exposure. The CISO can then explain and measure the benefits of investing in cyber risk reduction in business case terms that support the investment in technology, upgrades, process, or maintenance.
This does, however, require that a CISO not only understands, and can explain to the CIO, the technical aspects of the control processes necessary to manage such threats; to be effective, our CISO must equally be able to explain the value-affecting impact of those threats in the non-technical language of the organisation’s primary business function.
So, when you, as the CISO, find yourself being asked this question, your ability to answer it truthfully, and indeed the quality of your answer in terms of actionable value for the questioner, depends on whether you have previously asked your own questions to understand what safe looks like within the context of your own organisation. And here’s a hint: it is very unlikely to be the exact same safe that everyone else is talking about.
Be safe in 2023!