Engaging the leadership team on the topic of security
Recent events that we have attended with Chief Information Security Officer (CISO) and conversations that we have had with clients are leading us to believe that there is a current issue in some companies, with effective communication between the leadership team and the security function
We are firm believers that the security strategy should effectively underpin the business strategy of the company, enabling the business to go faster, be more agile in its delivery and of course be more secure.
The key issues appear to centre around the lack of meaningful metrics that enable the CISO to effectively communicate to the leadership of the company what the current cyber security posture of the organisation is, factoring in the current capabilities and the internal / external threat level in a language that the board can understand and therefore enabling the executive team to provide the appropriate support and/or challenge.
Time and time again we see technical metrics and raw security event data moving from the CISO department, up the reporting line with the expectation that senior management can distil that into a clear picture on the security posture of the company, this is not the case. Technical metrics quickly lose their impact and value when they leave the table of a technical person…. Obviously… security teams need to learn to speak another language.
This isn’t new thinking and has been discussed for a long time, but it doesn’t seem to be being embedded and followed even in the larger and more mature organisations.
At the same time boards are becoming tuned into the potential impacts that cyber can have on their organisation but are struggling to get their heads round what the current status is, what needs to happen, in which order to maximise the risk reduction. Boards have a role to play in improving this situation as well, recent studies in the US showed that boards find cyber risk, the most complex risk to manage within their organisation, which is largely down to a lack of understanding of the subject matter.
The CISO has a responsibility to ensure that the wider business clearly understands the cyber risk that the business is exposed too, in a language they understand, by factoring in the current capabilities of the team and the people, processes and technology they have at their disposal today. In parallel the board needs to invest time to enable this to happen. Using the common universal language of Risk that both areas understand well, there needs to be clarity on what is under effective and evidenced control, what residual risk remains and what are the requirements to close the gap.
In our experience the best way to evidence this to the board is through the effective use of red teaming. Red teaming involves emulating the skills and capabilities of potential attackers and proactively trying to compromise your organisation, at the same time evaluating the effectiveness of your security capability. In some instances, in organisations that take a pure compliance led approach, false comfort can be taken from compliance to policy and controls assessments, and organisations that claim they are fully compliant with their own policy and have a clean bill of health on their controls assessment can still be breached, many companies are still not taking a threat or intelligence led approach to their security posture. A simple example to bring this to life is the companies password policy, most will enforce password length, a mixture of cases and complexity. There will be associated IT control statements to validate that this is enforced on the systems which will be validated as design and operationally effective. But red teaming shows time and time again that simple passwords containing the company name or common easy to guess words are rife in the active directory. From a control perspective this may not be picked up, through effective security testing it will, giving a more accurate threat led insights. There are numerous other examples where taking a threat led approach would highlight issues that may previously go undetected.
Red Teaming will give both the CISO and the companies leadership very clear insights on how effective their current security capability is, CISO’s stating that they have refreshed their policies, done numerous rounds of awareness training, they are on plan with the delivery of the technical strategy…. All good news for the leadership… but when the red team testers get into the organisation potentially undetected and are able to laterally move around the organisation and achieve their objectives of accessing sensitive data, all of those security capabilities need to be revisited, as something is not working as it should
CISO’s should embrace this approach as the knowledge gained from these exercises is invaluable in improving security defences, boards should embrace it as they are getting a clear understanding on how protected their organisation currently is. Both now share a common level of understanding and can support each other on driving improvement.
The NIST (US Based National Institution of Science and Technology) framework provides useful guidance in this space, and the following metrics based on the framework really resonate with the company’s leadership and can be used to show improvement between testing cycles.
- Mean Time to Compromise (MTTC) – from the start of the exercise, how quickly were the attackers able to get a foothold within the company
- Mean Time to Detect (MTTD) – How quickly were the actions of the red team detected by the security function…. If at all
- Mean Time to Respond (MTTRes) – How quickly could the internal team mobilise an effective response.
- Mean Time to Recover (MTTRec) – How quickly were normal business operations restored
Four simple metrics that explain the capability of the internal team against an internal/external attacker. By taking on board the learning from each cycle, using the technical data from how the attack was carried out, amending internal processes and monitoring and correlation as well as adding additional resource and technology where appropriate then repeating the exercise, both the CISO and the board can start to get some much-needed assurance over the cyber capabilities and posture of the organisation.
Of course, I am not implying that this is the only data that needs to flow from the security function up to the leadership team, this is largely driven from the type of industry you are working in and current in-flight initiatives. But if you need to effectively engage with the executive team and get support for your security initiatives, experience shows there is no better way.
Cambridge cyber advisers specialise in supporting the full end-end process for companies of all sizes, from planning the exercise, performing the testing and assisting with remediation activities we offer a full solution. Please contact us today to discuss your requirements