Most of the organizations I speak with are talking about cyber-risk these days, and for good reason. Unfortunately, many of them are doing a lot more talking than actually doing. Some of this is human nature – threats are “somebody else’s” problem until they hit close to home, and it’s no different in cybersecurity. Often, the risk only starts to feel real once it’s too late.
Assume you have a problem & act accordingly
We can no longer afford to wait and see. Organizations and executives should assume they’ve been compromised and focus on the capabilities and processes to detect, diagnose and remediate breaches.
Consider the data:
- The average time to detect compromise is 205 days (Mandiant, 2015)
- The detection gap (time it takes to detect) is growing (Verizon DBIR, 2016)
- It takes 4 months to remediate once detected, and detection and investigation is the most costly internal activity (Ponemon Institute, 2016)
What can we do differently to get ahead of this?
First, we need to get better at having a cyber risk conversation in the context of the entire business. The “NACD Director's Handbook on Cyber-Risk Oversight” provides a great resource to acknowledge and manage risk not in an IT-centric way, but at a business level, from the company up through the board.
I always say, “the shape of your security investment should match the shape of your risk.” To inform this, I recommend creating a cross-functional “Risk & Security Oversight Board” internally to drive conversation about overall business risk and how to mitigate it, which will include the aspects of your risk that involve cyber defenses. This group can maintain a risk registry, prioritize risks and resources, and track progress at a programmatic level.
Second, we need to align our efforts around a trusted framework for security controls implementation and evaluation. There is no GAAP for cyber risk, but the Center for Internet Security (CIS) Critical Security Controls framework is emerging as a “standard of care” for the adjudication of financial responsibility and liability. One advantage of this framework is that it provides a normalized way to talk about security risk and controls, and aligns well with other control frameworks like the NIST Cyber Security Framework, COBIT, ISO/IEC 27001, and other standards like PCI, FFIEC, and HIPAA requirements.
Third, we need to acknowledge that policy alone is not sufficient and we need to think about the entire organization and its relationships. This means implementing processes and controls that provide an adaptive approach to cyber security defenses. Our controls should provide visibility across the entire business tapestry, not just a few silos in the business – after all, attackers will exploit weaknesses anywhere they can find them in your organization.
Think 'cyber supply chain'
Furthermore, don’t forget about services and providers – you rely on them, but don’t control them. This is effectively a “supply chain” model, and you ignore the security of your third-party suppliers and contractors at your peril.
Finally, we should recognize that we’re not alone – there is power in working together. Tap into the experience of the broader community of professionals so we can learn from each other. Leverage organizations like Information Sharing and Analysis Centers (ISACs) for your industry, as they share information on threats, attacks, and countermeasures that are germane to your business (the Financial Services ISAC does a great job of this). You can also lean on organizations like ISACA, the IIA, and other professional organizations in this sharing (and you might even gather a few CPE credits in the process).
The risk is real
The bottom line is that the risk is real. As we’re seeing with recent ransomware and business email compromise attacks, even mature organizations are getting slammed by cyber attacks.
To quote an auditor friend of mine, “hope is not a strategy, and trust is not a control.” It’s time to engage the organization, drive those business risk conversations, and anchor our countermeasures to a known and trusted set of cyber security standards. As a current or aspiring leader in your organization, you can help make that happen – and make a real difference.
This article was originally posted on CSO US on July 19, 2017.