Information security's roots in IT have traditionally left CIOs and CISOs wrestling to contain the business risks it creates, but growing board and C-level involvement in cybersecurity is reshaping that tradition as business guidance holds cybersecurity practitioners to new standards of governance and risk management.
This significant change in philosophy is being driven by growing recognition that a lack of attention to information-security governance now is likely to translate into major problems down the track when security is breached and fingers are pointed. For those who believe board-level involvement in cybersecurity isn't crucial, consider the dismissal of high-level executives at US retail giant Target after that company's large-scale compromise, or the recent dismissal of FACC's CEO after a fake-email scam cost the company $65m: those fingers are inevitably pointed at business leaders.
Many organisations are still in the transition between CIO-driven security practices and those with board involvement, with a recent CSO survey finding that 1 in 4 CISOs only present a security update to their board once per year and 30 percent do so quarterly.
Increasing that frequency is a key outcome for CISOs whose struggle to boost visibility at the executive level remains a key part of their everyday activities. But gaining that visibility, as many find out, can be difficult in its own right – particularly as businesses expand their network complexity and attack surfaces by integrating their networks with cloud-based applications and services.
As if it weren't already hard enough for CISOs to evaluate and convey the risk status of their internal networks, the shift towards cloud-based business has broken conventional network perimeters and obscured visibility of the processes inside the cloud – creating blind spots that could represent potential new risks if left improperly secured.
“A sensible cloud infrastructure would have multiple perimeters,” explains Ian Farquhar, security virtual field team lead for ANZ with Gigamon, whose network visualisation tools help surface the activities of on-premises and cloud-based applications so that CISOs can more accurately assess current risk profiles.
“Businesses need to extend their visibility capability into the cloud so they can see what's happening there,” Farquhar continues. “Intruders always play around the margins: they are looking for the way in that you are not looking at. Yet they might not be coming anywhere near your organisation, where all your detection tools are – and if they stay in the cloud, how do you capture that?”
This question will be front of mind for many at the Gartner Security & Risk Management Summit 2016 (GSRMS), where business experts will share their thinking around how cloud and on-premises environments can be managed within the sights of monitoring tools that have become crucial to applying business-level discipline over the risk that cloud presents.
Those tools are a natural fit for evolving risk-management frameworks such as the US government's Cybersecurity Framework (CSF) and Risk Management Framework (RMF), which have been established to help US government agencies better quantify and manage their risk from cybersecurity and other forms of operational risk.
The CSF, for example, is among the processes to be discussed at GSRMS and outlines a seven-step process by which organisations can develop and iteratively improve a cybersecurity framework. By helping organisations create a Current Profile and a Target Profile, the policy says, comparing the gaps between the two “enables the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements” that are encompassed within formal Action Plans.
Visibility of those activities is crucial to delivering on CSF-driven Action Plans, with continuous monitoring capabilities positioned as a core enabler of the Detect element of CSF's five Framework Core Functions – which include Identify, Protect, Detect, Respond, and Recover.
The Detect function, the standard says, “enables timely discovery of cybersecurity events” – and this is where board-level involvement with cybersecurity is truly put to the test. After all, if security practitioners lack the visibility to meet requirements around timely discovery of cybersecurity events, they also lack the ability to keep high-level business executives apprised of the organisation's real risk profile – and it's only a matter of time until this omission comes back to bite all concerned.
While surveys show greater executive recognition of the security of cloud platforms, the workloads they carry each have their own vulnerabilities that must be managed by the organisations running those workloads. And this, says Farquhar, underscores the need for a comprehensive visibility framework that supports CSF and other risk-management processes.
“Workloads need to be deployed with proper attention to privacy and compliance,” he explains. “By moving workloads to the cloud service provider you haven't lost responsibility for that workload. What you have lost, if you leave it, is the visibility you need to properly deal with that responsibility. And if a business requires this visibility, it needs to be selecting the CSPs that offer what they need.”
Armed with the right visibility and the right tools for evaluating overall information-security risk, CISOs are better equipped than ever to communicate the changing risk profile of the organisation to an ever more-receptive executive audience.
Better visibility and metrics will also allow the creation of key risk indicators (KRIs) – dashboard-style measures of risk exposure that, as Gartner vice president and distinguished analyst Paul Proctor will outline at the GSRMS, allow the establishment of frameworks for building “business-aligned security and technology risk metrics”.
These metrics – which will span operational networks, cloud environments, industrial control systems, legacy networks, and other environments – will support structured reporting of security risk to board members and business executives. This, in turn, will help them plan a pragmatic business strategy with a better sense of the real risks that their IT-security platform poses.
As organisations increasingly adopt bimodal architectures combining cloud and on-premises infrastructure, maintaining that enabling visibility capability will become the difference between success and failure. And that, says Farquhar, is why CISOs need to engage the board now to avoid difficult conversations later.
“The cloud makes our perimeters disappear and reduces our visibility,” he explains. “But it shouldn't matter where the network traffic is; you should be able to see it. Organisations are now saying that visibility is a key attribute of any network that they're building: they need situational awareness in the cloud, and the first step to get that is visibility.”