The need to see eye to eye with board members and business executives about information security has been background noise during the tenure of many a CISO. Yet even as a growing compliance burden and an intensifying threat climate would seem to make increased security investment a no-brainer, selling information security remains a hit or miss proposition in many companies.
Some executives may demand a clearer business case for security investments, particularly in the wake of growing scepticism that, in one recent AMR-Rackspace survey, saw 97 percent of Australian C-level executives admitting they would have made different strategic decisions during their cloud adoption.
One of the areas glossed over during those migrations has been risk, with 71 percent of executives saying that business risks were not taken seriously enough. Many of these risks arise within the context of data security, with cloud migrations putting critical data at arm’s length and many data-security specialists readily admitting that the migrations were reducing their visibility into what happens with that data.
That reduced visibility is of particular concern given the continuing explosion in malicious attacks – including a growing climate of insider attacks. “The majority of data breaches that we have seen… involve some form of ‘insider’ component,” Mishcon de Reya cyber security lead Joe Hancock and partner Hugo Plowman wrote in the recently released Verizon Data Breach Investigations Report (DBIR) 2018.
“As a result of the level of access often afforded to insiders and with the luxury of the time that they have to extract data, the average volume of data taken per breach still remains unacceptably high…. Businesses could do more to protect against the insider threat and to ensure that one breach does not lead to the loss or corruption of all data.”
Outing the insider threat
Insider attacks, in particular, should concern executives because they represent a failure of human resources and other anti-fraud policies, many of which predate the Internet. They may also be occurring despite otherwise-effective technological controls – reinforcing the point that effective information security is the responsibility of the entire business.
This responsibility may help CISOs engage with other parts of the business and position information security within the context of broader business objectives. In so doing, it may be possible to frame the entire discussion within the context of risk – and that’s always a good way to get the attention of the executive.
“Controls are a friction coefficient that slow down people and processes, and chew up unnecessary compute cycles,” Cylance CISO Malcolm Harkins recently told CSO Australia.
“When you put a control in place, you’re trying to control for risk, then manage it in the best way possible. And if you’re the chairman, you want to see a lowering of the total cost of your controls over time. Better risk reduction should allow for better cost management, and we haven’t seen that.”
Harkins recommends that CISOs work to “change the framing of the dialogue around risks” by looking at them through three lenses: the risk to the business, the risk to the customer, and the risk to society. Creation of an ‘innovation cycle’, which applies these three lenses to the process of automation and risk reduction, will help CISOs and executives work together to design controls that won’t “impede the business velocity”.
The importance of appropriate controls cannot be overstated: DBIR analysis of 2216 breaches confirmed that the healthcare, public-sector, and accommodation sectors were being hit particularly hard. And while most sectors were predominantly targeted by external actors, 56 percent of healthcare breaches were due to internal threats while public sector (34 percent) and professional services (31 percent) targets also had notable problems with internal controls.
Effective digital transformation should embed security and data controls at every level. Yet with nearly every business undergoing dramatic digital transformation at the moment, CISOs may struggle to be heard above the noise.
Successfully maintaining security’s profile, the recent SolarWinds IT Trends Report 2018 noted, requires “deeper strategic collaboration with business leaders” to remedy the inadequate organisational strategies that, respondents said, were the number-one barrier to achieving optimisation. Inadequate investment in user training and an inadequate applications strategy weren’t far behind.
That analysis highlighted a “dissonance” between Australian IT professionals and business managers about the priorities for IT investment over the next 3 to 5 years – with direct impact on the efficacy of efforts to better align security, compliance, and strategic investments.
Success in resolving that dissonance will come when CISOs can both quantify the extent of the gap, and can translate security imperatives into the risk-based language that can spur boards and business executives into action.
They may find the audience more receptive than they think – especially with Australia’s National Data Breach (NDB) scheme and the EU General Data Protection Regulation (GDPR) threatening daunting financial penalties for non-compliance.
A recent Fox Rothschild survey of C-level executives found that more than half of respondents reported that their companies are at high or very high risk of a breach.
Despite this encouraging perception, however, the gap persists. More than a quarter of surveyed companies do not provide any cybersecurity and data privacy reports to their boards of directors; nearly a third said they don’t provide any cybersecurity training to their employees; and most said their budgets were inadequate to manage a breach response.
With 63 Australian companies needing to coordinate a breach response in the first five weeks of the new NDB scheme alone, crying poor will only go so far in explaining why executives are still not prioritising an adequate security response.
Even where funding is available, other issues can perpetuate the risk. “Many companies think it’s sufficient to have a well-funded information technology department, or even someone considered an expert in charge of cybersecurity,” says Fox Rothschild chief privacy officer Mark McCreary.
“But not every IT department, regardless of the size of its budget, is equipped to manage table-top risk exercises, sophisticated software and other aspects of breach prevention and response. Likewise, not every alleged expert is a veteran IT executive with a comprehensive understanding of how to truly safeguard the company’s data and systems.”
Time is running out for executives to get with the program: with just 44 percent of Fox Rothschild respondents claiming GDPR compliance, the regulation’s entry into force is likely to see large fines handed down to European companies – and, potentially, Australian, US and other operators.
These fines will be directly attributable to the ongoing failure to bridge C-level and IT-security concerns, and to execute a common strategy built on the language of risk. To stay abreast of their obligations in the future, executives of all stripes will need to elevate data risk, and its practitioners, to become integral to the company’s future.