Security Leaders Grapple with Understanding Their Own Cybersecurity Risk – Part 1
Risk Management Comes Back into Focus
Only about half of IT security leaders are able to measure or quantitatively understand their organization’s level of risk. According to a study published by Forrester, just 51% of the security pros surveyed last month were able to identify their organization’s level of risk from a business perspective.
When I read this Forrester study, I wanted to understand what they meant by risk management, measuring risk, and reducing risk. A significant number of organizations and security leaders treat risk management as theoretical rather than as something measurable that the organization should identify and set goals to reduce. Most IT security and cybersecurity professionals understand that it is difficult to put a value on systems, litigation costs, brand damage, ransomware costs, data loss, compliance penalties, and the many other hard-to-estimate variables. However, just as financial analysts try to predict the expected return of an investment using, among other variables, that investment’s level of risk, IT security professionals need to work with the business side of the organization to estimate the value of company assets and the risk a cyber-attack poses to those assets.
Travelers, which offers cyber insurance coverage for losses from cyber-attacks, surveyed business leaders about their security best practices. Several of the questions that drew our attention included the following year-over-year comparisons of the share of respondents who had:
- Updated their computer passwords (74%, up from 71%).
- Purchased a cyber insurance policy (51% of survey participants, up from 39% last year).
- Created a business continuity or disaster recovery plan in the event of a cyber-attack (47%, up from 38%).
- Executed a risk assessment across their IT infrastructure (49%, up from 45%) and their vendors (41%, up from 37%).
In addition, research released last month by Forrester and Tenable found that just four out of ten security leaders can answer with a high level of confidence the question: “How secure, or at risk, are we?”
Heather Vallis, a principal consultant at Forrester who led the project, says only 66% of business leaders were, at best, somewhat confident in their security teams’ ability to answer that question.
“The core issue is that business and cybersecurity strategies are seldom on the same page,” Vallis says. “Strategies are created in a vacuum, security leaders have an incomplete view into enterprise assets, benchmarking is limited, and cybersecurity metrics often lack business-risk context.”
Aligning Security and Business Goals is a Significant Challenge
As a Managed Security Service Provider, SecureOps understands that day-to-day security responsibilities are in themselves time-consuming and difficult: constant patching, vulnerability assessments, penetration tests, tuning SIEMs and firewalls, and working through almost endless system logs leave little time to meet with other organizational leaders and calculate risk.
Forrester reported that fewer than 50% of security leaders frame the impact of cybersecurity threats within the context of specific business risk. Just over half (51%) say their security organizations work with business stakeholders to align cost, performance, and risk-reduction objectives with business needs, and only four in ten (43%) say they regularly review the security organization’s performance metrics with business stakeholders.
Vallis says security respondents answered a series of questions assessing their practices across oversight, technology, process, and people. Respondents scoring in the top 25% were categorized as “business-aligned,” while those falling in the bottom 25% were “reactive and siloed.” She says security leaders who take a proactive approach to risk that’s aligned to the business are eight times as likely as their more reactive and siloed peers to be highly confident in their ability to quantify their organization’s level of risk or security (72% vs. just 9%, respectively).
We found the Forrester findings consistent with what we see across businesses and from industry to industry. If an organization has put itself through a security posture assessment against a framework such as CIS, ISO, or NIST, that exercise forces it, at a minimum, to evaluate its high-value systems, its security hygiene processes, and its path to a more effective security defense.
What seems evident in the survey is that the majority of organizations still have not put themselves through such an assessment.
Forrester Introduces “The BISO” or Business Information Security Officer
Vallis says more companies need to consider putting in place a business information security officer (BISO). Business-aligned security leaders are more than twice as likely to have a BISO or someone with similar responsibilities who ensures each line of business works to minimize risk, maximize protection, and increase the value of the organization’s business information assets.
“These executives collaborate with line-of-business leaders to develop strategies, goals, and metrics to maximize the protection of business information assets,” Vallis says. “They help bridge the ‘language barrier’ between security and business,” she adds.
Risk management is critical to SecureOps and to the organizations we serve, so we wanted to understand more about the role and responsibilities of the BISO. First, let us take a step back and define the roles and responsibilities of the CISO. The CISO is an executive position charged with executing the information security and risk management goals defined by senior officers. CISOs develop and oversee the enterprise’s cybersecurity strategy, including its cybersecurity policies and controls.
So CISOs have traditionally held responsibility for risk management, and based on what we have seen in the evolving, threat-ridden IT security environment, they were overwhelmed. CISOs have seen threats to their organizations rise sharply over the past several years, the technology in their organizations change dramatically, and now, with Covid-19, their workplaces and the way employees connect to systems change significantly. Frankly, from our perspective, CISOs had neither the time nor the mandate to measure risk in all but the largest and most sophisticated organizations.
Implementing Risk Management Has Now Become Critical
In the Forrester survey, 94% of security and business executives reported that their organizations had experienced a “business-impacting” cyberattack or compromise in the past year. The survey defines business-impacting as an attack that resulted in the loss of customers, employees, or confidential data (PII), an interruption of day-to-day operations, a ransomware payout or other financial loss, or theft of intellectual property.
“That’s a very powerful number, especially when talking to the executives in the C-suite,” says Wenzler. “Security pros can now go to top management and offer proof that cyberattacks will impact their businesses and that they have to do something about it.”
Conclusion & Introduction to Part 2
In Part 2 we will start by defining cybersecurity risk management and work through the variables and challenges organizations must face to implement a viable risk management program: one that aligns the goals of the IT security team with the goals of the business and measures both the effectiveness of security investments and the potential monetary damage from the cyber-attacks the organization is likely to face. We will also circle back to the role of the BISO.
Let us leave you with the definition most business leaders use for cybersecurity risk management: it takes the idea of real-world risk management and applies it to the cyber world. It involves identifying your risks and vulnerabilities and applying administrative actions and comprehensive solutions to make sure your organization is adequately protected.
This definition has evolved, as we stated earlier, to include calculating the expected monetary damage from attacks, the ROI of security investments, and, critically, the diminishing marginal returns from each incremental security investment. One of the most difficult issues we will address, and one facing every CISO or BISO, is that no matter what they spend on IT security, they cannot stop every attack. Put as plainly as possible, effective risk management is finding the level of security investment that protects the organization without bankrupting it.
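As an added worked example (not code from the article, SecureOps, or Forrester) of the arithmetic behind the definition above and of the asset-valuation point made earlier in this post: the standard annualized loss expectancy (ALE = SLE × ARO) and return on security investment (ROSI = (ALE before − ALE after − cost) / cost) formulas, applied to a constructed set of loss scenarios and candidate controls. Every dollar figure, probability and reduction fraction is made up for illustration, and the greedy selection is one simple stopping rule for “protect without bankrupting”, not a method the article prescribes.

```python
"""Quantitative risk worked example (added illustration, not from the article).

    ALE  = SLE x ARO      (single loss expectancy x annualized rate of occurrence)
    ROSI = (ALE_before - ALE_after - control_cost) / control_cost

All scenario values, control costs and reduction fractions below are
constructed for illustration; they are not survey data or real estimates.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scenario:
    """A loss scenario the business has agreed to put a value on."""
    name: str
    sle: float  # single loss expectancy in dollars (asset value x exposure factor)
    aro: float  # annualized rate of occurrence (expected incidents per year)

    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate investment and the fraction of each scenario's ARO it removes."""
    name: str
    annual_cost: float
    reductions: dict[str, float] = field(default_factory=dict)


def portfolio_ale(scenarios: list[Scenario], controls: list[Control]) -> float:
    """Residual ALE with the given controls in place.

    Reductions on the same scenario stack multiplicatively: a second control
    can only remove a fraction of the risk the first one left behind, which
    is where the diminishing marginal return comes from.
    """
    total = 0.0
    for s in scenarios:
        residual_aro = s.aro
        for c in controls:
            residual_aro *= 1.0 - c.reductions.get(s.name, 0.0)
        total += s.sle * residual_aro
    return total


def rosi(scenarios: list[Scenario], existing: list[Control], candidate: Control) -> float:
    """ROSI of adding `candidate` on top of the controls already deployed."""
    before = portfolio_ale(scenarios, existing)
    after = portfolio_ale(scenarios, existing + [candidate])
    benefit = before - after
    return (benefit - candidate.annual_cost) / candidate.annual_cost


def greedy_plan(scenarios: list[Scenario], candidates: list[Control], budget: float) -> list[Control]:
    """Pick controls one at a time by best marginal ROSI, stopping when nothing
    affordable still pays for itself (a simple 'do not bankrupt the company' rule)."""
    chosen: list[Control] = []
    remaining = list(candidates)
    spent = 0.0
    while remaining:
        affordable = [c for c in remaining if spent + c.annual_cost <= budget]
        if not affordable:
            break
        best = max(affordable, key=lambda c: rosi(scenarios, chosen, c))
        if rosi(scenarios, chosen, best) <= 0:
            break  # next-best control costs more than the loss it would prevent
        chosen.append(best)
        spent += best.annual_cost
        remaining.remove(best)
    return chosen


# Constructed sample input for a hypothetical mid-sized company.
SCENARIOS = [
    Scenario("ransomware", sle=2_000_000, aro=0.25),              # ALE 500k
    Scenario("phishing_credential_theft", sle=150_000, aro=2.0),  # ALE 300k
    Scenario("web_app_breach", sle=800_000, aro=0.1),             # ALE 80k
]

CONTROLS = [
    Control("mfa", 60_000, {"phishing_credential_theft": 0.8, "ransomware": 0.3}),
    Control("offline_backups", 80_000, {"ransomware": 0.6}),
    Control("edr", 120_000, {"ransomware": 0.5, "phishing_credential_theft": 0.3}),
    Control("waf", 50_000, {"web_app_breach": 0.5}),
    Control("annual_pentest", 40_000, {"web_app_breach": 0.3}),
]


def control(name: str) -> Control:
    """Look up a sample control by name."""
    return next(c for c in CONTROLS if c.name == name)


if __name__ == "__main__":
    print(f"ALE with no controls: ${portfolio_ale(SCENARIOS, []):,.0f}")
    for c in CONTROLS:
        print(f"  {c.name:<26} standalone ROSI {rosi(SCENARIOS, [], c):6.2f}")
    plan = greedy_plan(SCENARIOS, CONTROLS, budget=300_000)
    print("Chosen:", [c.name for c in plan])
    print(f"Residual ALE: ${portfolio_ale(SCENARIOS, plan):,.0f}")
    print(f"EDR ROSI after the plan: {rosi(SCENARIOS, plan, control('edr')):.2f}")
```

Running it shows the diminishing-returns effect the definition points to: EDR has a clearly positive ROSI on its own, but once MFA and offline backups have already removed most of the ransomware and phishing exposure, the same control no longer pays for itself, so the plan stops at two controls even though budget remains. The same structure is how the earlier asset-valuation discussion becomes concrete: the business supplies the SLE and ARO estimates, and security supplies the reduction fractions per control.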
To Learn More About How to Assess and Manage Risk Contact Us – as Always, We Are Happy to Help – 1 (888) 982-0678.
You Can Also Fill Out Our Contact Us Form Here to Talk with a Security Specialist – https://www.secureops.com/contact-us/