March 14, 2016
Trilogy - Cybersecurity and investments: in which kinds of solutions should company boards invest? Part Three!
In our previous posts, we explored why company boards should invest in cybersecurity and to what extent.
Whatever cybersecurity budgets they decide to release, the reality remains that organizations have great difficulty getting the basics right (e.g. good password quality, hardened machines, vulnerability management) and automating their security processes at scale.
Attackers, on the other hand, have a field advantage: they have automated their attack tools and need only to find one vulnerability to penetrate corporate defenses.
This explains why we now see so many data breach disclosures in the press, and why CEOs have another worrying question on their minds: “have we already been breached, and are we going to discover it in the press?”. In other words, security has become a problem of scale. How do we deal with millions of assets (e.g. consumers’ web browsers) residing in multiple geographies?
As a knee-jerk reaction to these all too frequent and highly publicized data breaches, organizations are tightening their security policies, and regulators are flexing their muscles by publishing an ever increasing set of new regulations that place an additional burden on Chief Information Security Officers.
Throwing people at the problem and installing more enterprise technology solutions is clearly not the solution. Advanced security threats are increasing, but simply adding more layers of defense does not necessarily increase security against targeted threats; security controls need to evolve.
For sure, technology can help mitigate cybersecurity risks dramatically and efficiently (thanks to automation). However, technology cannot resolve ALL cybersecurity issues, and technology selection should be based on criteria such as business requirements, the corporation’s maturity level and its threat landscape.
Thus, corporations should consider technologies very carefully to avoid bad “gadget” projects and the proliferation of tools, both of which could undermine the cybersecurity organization’s reputation across the corporation, such as:
- Installing a costly and heavy SIEM or GRC platform when you have not yet fixed the basics!
- Deploying the latest DLP tool when you have not identified, and do not know well, your Crown Jewels
Cybersecurity is still broadly perceived as an IT discipline, built around technical solutions and projects – you only have to open any industry magazine or publication to see it, or go to any professional show.
The current cybersecurity situation in many large organisations is still dominated by significant blockers:
1/ Lack of interest in the topic by the Executive Management
2/ Obsession with compliance and audit issues
3/ Focus on technical details and short term actions
The geographical, operational and technical complexity of large organisations requires a well-designed strategy and a proper governance framework, which are rarely in place, to enable the true delivery of cybersecurity solutions on a global scale.
Every CIO/CISO should establish a long-term, clear and shared strategic roadmap – and be prepared to stay in charge for the time it will take to deliver it. Such a strategy is the right mix of governance, organization, processes, technology and culture, engaging representative business stakeholders.
As part of such a strategy, we can distinguish four main categories of cybersecurity solutions: preparation, prevention/protection, detection and reaction.
Because a data breach or high-impact cyber attack will occur one day or another (by chance or not), greater emphasis has to be placed on early (continuous) monitoring, detection and reaction rather than on prevention or protection controls alone.
Moreover, having accurate and timely information on emerging threats and vulnerabilities through threat intelligence capabilities will allow corporations to enrich their early detection capability and their view of the “known unknowns”, and to quickly prioritize and begin their remediation, threat prevention and protection efforts.
Corporations recognize that, regardless of their current security controls, cybersecurity can never be 100% guaranteed. That is why the overall cyber insurance market is growing at a great pace. The growth of cyber insurance is related to the need to mitigate the damage from cybersecurity incidents. Cyber insurance, the transfer of the financial risk associated with network and computer incidents to a third party, has captured the imagination of professionals and researchers for many years. In the near future, cyber insurance will bring many benefits to the cybersecurity posture of firms.
Last but not least, because the weakest link is the human, organizations should engage ALL their employees in the fight against breaches.
Raising awareness and education around cybersecurity is critical. Indeed, corporations should provide easy-to-use solutions (e.g. encrypted e-mails, secure storage on removable media, etc.) so that their employees can handle and protect information according to its level of sensitivity (confidential, secret, etc.).
March 9, 2016
Trilogy - Cybersecurity and investments: to what extent should company boards invest? Part Two!
Most corporations operate under very tight budget constraints. At the same time, cyber incidents are becoming so common that some of the associated costs should be fairly well anticipated, and increasingly accepted as part of the risk of doing business.
Recognizing the growing cyber threat landscape, many finance and risk officers are responding by increasing budget allocations for cybersecurity programs and investing in cyber insurance. While these commitments may be necessary to improve protection against certain kinds of losses, if made in the absence of a more comprehensive cyber risk program, they can leave an organization unwittingly exposed to far more consequential financial damage.
In our previous post, we explored why company boards should invest in cybersecurity.
In addition, boards are mainly concerned with the following issues:
- Is our current cybersecurity budget sufficient?
- Can we do more with our current cybersecurity budget?
- Do we need to invest in new cybersecurity projects and capabilities?
- How to measure paybacks of new cybersecurity investments?
These issues are complex to answer; we will try to provide a first set of ideas and areas to explore.
The challenge is now to find the right balance between overspending and underspending. Shaping and handling the right cybersecurity budget is not an easy task.
At the moment, regarding cybersecurity, we need to recognize that it is highly difficult to measure quantitatively the paybacks of new investments (projects) and of current operations (business as usual, BAU).
When an organization considers investment in a traditional business project, its shareholders and board look for financial value creation. When budgeting capital, they will compute the Net Present Value (NPV) (which is the difference between the present value of cash inflows and the present value of cash outflows) to analyze the profitability of a projected investment or project.
The same approach can be applied to determining the financial feasibility of a large cybersecurity programme. The big difference is that cybersecurity projects never generate income (the exception being when cybersecurity is the value proposition itself, or is tightly embedded into a digital value proposition); rather, they save costs, or prevent the loss of funds that the organization would otherwise devote to its business operations. The value of the project is expressed as the amount of money it “saved” the organization in terms of prevented losses (or in operational process optimization). Just as with income-generating projects, however, the cost of the cybersecurity project should be less than the value it provides. Intuitively, an organization would not spend $50,000 to protect $10,000 in assets.
According to the Gordon-Loeb rule, an organization should never spend more on a cybersecurity measure than 37 percent of the expected reduction of the risk value through implementation of the measure. Expected loss is based on the value at risk and the probability of the risk materializing. While theoretically possible, this approach assumes a very precise calculation of expected losses, and arriving at such a value is far from straightforward.
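The two checks described above, NPV on prevented losses and the 37 percent ceiling, put together as an added example (not code from the original post); the `Control` fields and all figures are constructed for illustration, including a "gadget" control that reproduces the $50,000 spent to protect $10,000 case:

```python
"""Cost/benefit screening of a cybersecurity control.

Added example, not from the original post. It applies the two ideas the post
names: the Net Present Value of a project whose "inflows" are prevented losses,
and the Gordon-Loeb 37 percent ceiling on spend relative to the expected loss
reduction. Every figure below is constructed for illustration.
"""
from dataclasses import dataclass

GORDON_LOEB_FRACTION = 0.37  # the post's "37 percent" rule of thumb


def npv(discount_rate: float, cash_flows: list[float]) -> float:
    """Net Present Value: sum over t of cash_flows[t] / (1 + r) ** t.

    cash_flows[0] is the up-front (normally negative) investment; later entries
    are annual net flows (prevented losses minus running costs).
    """
    return sum(cf / (1.0 + discount_rate) ** t for t, cf in enumerate(cash_flows))


@dataclass
class Control:
    """Hypothetical description of one security measure (constructed fields)."""
    name: str
    capex: float                 # one-off cost, paid in year 0
    annual_opex: float           # recurring cost per year
    annual_expected_loss: float  # value at risk x probability, before the control
    risk_reduction: float        # fraction of the expected loss the control removes
    years: int                   # lifetime over which the control is evaluated

    def annual_saving(self) -> float:
        """Expected loss avoided each year thanks to the control."""
        return self.annual_expected_loss * self.risk_reduction

    def cash_flows(self) -> list[float]:
        """Year-0 outlay followed by `years` net annual flows."""
        return [-self.capex] + [self.annual_saving() - self.annual_opex] * self.years

    def total_cost(self) -> float:
        return self.capex + self.annual_opex * self.years

    def gordon_loeb_ceiling(self) -> float:
        """Maximum spend the 37 percent rule tolerates over the lifetime."""
        return GORDON_LOEB_FRACTION * self.annual_saving() * self.years


def evaluate(control: Control, discount_rate: float) -> dict:
    """Return the NPV and the two pass/fail screens for one control."""
    value = npv(discount_rate, control.cash_flows())
    return {
        "npv": round(value, 2),
        "npv_positive": value > 0,
        "within_gordon_loeb": control.total_cost() <= control.gordon_loeb_ceiling(),
    }


# Constructed sample controls: a basics-first measure and a "gadget" project.
PATCH_AUTOMATION = Control("patch automation", capex=40_000, annual_opex=5_000,
                           annual_expected_loss=200_000, risk_reduction=0.4, years=3)
GADGET = Control("gadget", capex=50_000, annual_opex=0,
                 annual_expected_loss=10_000, risk_reduction=1.0, years=3)

if __name__ == "__main__":
    for c in (PATCH_AUTOMATION, GADGET):
        print(c.name, evaluate(c, discount_rate=0.05))
```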
To measure the paybacks of cybersecurity and answer the board’s question “to what extent do we need to invest in cybersecurity?”, organizations need to adopt a true cyber risk management approach, assessing costs, rewards and risks. For that, the board shall set the cybersecurity risk appetite (i.e. the kind and level of risk a corporation is willing to accept).
However, can we assess the direct and indirect impacts and costs following a massive data breach or cyber incident? Yes, probably as a first approximation, but how can we value the financial impact of a reputation loss? Highly difficult.
In order not to waste time and resources, and to develop relevant cyber risk scenarios, the right approach is first to understand and identify what the Crown Jewels (e.g. business and information assets) of your organisation are and where they sit in the business value chain, and then to protect them according to the value at risk. Similar to the Crown Jewels of royalty, companies pay close attention to these divisions or products because they are often responsible for a sizeable portion of the company’s earnings. Indeed, protecting every asset or piece of data is totally inefficient. In order to estimate the business value of assets and thereby identify the “Crown Jewels”, it is worth using ranges for business impacts (e.g. between 500,000€ and 1,000,000€).
Around this robust set of Crown Jewels, leaders need to think more broadly about cyber risk and consider the true intent behind a potential cyber incident, and understand that theft of data may not be the most damaging impact. Operational destruction and organizational disruption may be significantly more impactful than data theft alone.
When developing further cyber risk scenarios (e.g. using ISO 27005), four options will appear: accept risk, avoid risk, mitigate risk and transfer / share risk.
Sharing risk (e.g. with cyber insurance carriers) should be seen as part of a holistic approach to cyber risk management. In the near future, cyber insurance will probably bring many benefits to the cybersecurity posture of firms and support the rationale behind corporations’ cybersecurity investment decisions. Corporations realize that, regardless of their current security controls, cybersecurity can never be 100% guaranteed.
Nevertheless, in what kinds of solutions should boards invest? Do they need to consider insurance solutions to transfer cyber risks? Read our next post soon …
February 29, 2016
Trilogy - Cybersecurity and investments: why should company boards invest? Part One!
Cybersecurity is perceived as costly. Many organizations claim to spend in excess of 3% of their total IT spend on cybersecurity, but according to the World Economic Forum, in spite of the amounts invested over the years, 79% have not yet achieved an acceptable level of cybersecurity maturity (“Risk and Responsibility in a Hyper-Connected World”, January 2014).
Why should boards of directors make sound cybersecurity investments? We have wrapped up the major concerns to be considered. (Lack of) cybersecurity may even jeopardize members of the board of directors.
1/ Organisations remain vulnerable. Large organisations have become increasingly dependent on an ever larger number of third parties, with cybersecurity problems often global and complex in nature. Vulnerabilities come in many flavors: poor code, outdated software, misconfigurations, incomplete inventories, weak or too broadly distributed access controls, and lastly a new type of vulnerability emerging in social media, cloud services and the rapid expansion of unmanaged devices.
- According to OWASP (Open Web Application Security Project) in 2013, 97% of web applications were vulnerable, and the main risks associated with web applications remain the same, including SQL injection, which allows a malicious party to recover, steal or destroy sensitive information in a database. Correcting a flaw in a web application can still take several months.
- The DBIR study (Data Breach Investigations Report) published in 2014 by Verizon revealed, following the “autopsy” of 855 incidents, that 92% of attacks were of low complexity, 79% targeted victims opportunistically, and 97% of successful breaches would have been prevented if the victim had implemented basic controls.
2/ The cyber threats organisations face continue to evolve at a faster and faster pace. Attacks are increasingly combined and complex. In parallel, the digital backbone of corporations is growing at high speed: web applications are developed to meet time-to-market business objectives and to create new generations of useful and immersive web experiences for customers.
However, the digital backbone of our organisations is really at risk! Indeed, according to the ENISA Threat Landscape 2015 report (see the chart below), one of the top threats is the injection of malicious code into the HTML of websites to exploit vulnerabilities in users’ web browsers (known as drive-by download attacks). Web applications and browsers are becoming critical points and attack vectors, and need to be inventoried, risk assessed and protected. The current trend for this threat is still increasing.
ENISA Threat Landscape 2015
Regarding web presence, are the business owners of your corporation able to answer the following questions quickly:
- How many web applications do they own on the Internet?
- How many are really critical for their business?
- What are the top five most vulnerable web applications?
For instance, can business owners provide the following KPIs?
- What is the number of web applications? How many apps have been securely coded?
- What is the number of uniquely pentested web applications out of all web applications per year?
- What is the number of remediated critical vulnerabilities out of all identified critical vulnerabilities for web applications within one year?
3/ Cyber threats are not only theoretical risks drawn up and fancied by cybersecurity professionals. They now materialize as cyber incidents in the field.
Look back at the massive Sony Pictures hack, which leaked tons of documents and data: passwords, full-length films and the social security numbers of 47,000 people, including Sony executives and celebrities… What was unique in the Sony Pictures case was the desire to humiliate an organization.
The Sony Pictures cyber attack timeline
“Guardians of Peace” leaked, among other items, internal documents from a consulting firm, including salary information for more than 30,000 employees. Sony Pictures issued a data breach notification letter to current and former employees, confirming that various personal details, including medical information, may have been compromised. Cybersecurity investment was not always a major concern at the top. Remember the CISO statement in 2007: “I will not invest $10 million to avoid a possible $1 million loss.”
4/ Your customers are becoming more and more demanding regarding data protection matters when buying goods or services online. Customers must trust the company to which they have entrusted their financial and personal details throughout the course of a purchase. Without this trust from the consumer, a digital business will fail. The prominence of smartphones and tablets has raised consumers’ awareness, as individuals increasingly take charge of their own security on personal devices. Pressure from an increasingly knowledgeable consumer base should act as an incentive for digital players to get their own products and premises in order. Business lines shall integrate data security and privacy topics when shaping their business model and customer value proposition.
5/ External pressure from regulators is increasing (e.g. the EU data protection regulation, the NIS Directive, the LPM in France, etc.). Strong regulatory fines will come with the EU Data Protection regulation. Current fines are quite low across the European Union, e.g. 150,000 euros in France and 300,000 euros in Spain. The EU regulation is one of the most binding. After a two-year period, in case of proven violation of the rules, companies will face a risk of financial penalties of up to 5% of their annual turnover or 100 million euros, depending on their size.
Even though there are strong ongoing regulatory requirements, companies should be proactive rather than reactive, and invest in “genuine cybersecurity” rather than adopting only a “tick in the box” strategy.
Still, to what extent should boards of directors invest in cybersecurity? How can we measure the paybacks of cyber risk mitigation? Read our next post next week …
Picture source: http://www.bankinfosecurity.com/
February 11, 2016
Data protection will secure the adoption of the Internet of Things
Demystifying Internet of Things
The Internet of Things is no longer an emerging but an emerged domain! But how do we define it? The “Internet of Things” refers to physical objects that have embedded network and computing elements and communicate with other objects over a network. Definitions of IoT vary on the pathway of communication. Some definitions state that IoT devices communicate over the Internet; others state that IoT devices communicate via a network, which may or may not be the Internet.
For example, an IEEE special report states the following: “The Internet of Things, or IoT, which you probably have heard about with increasing frequency, is not a second Internet. Rather, it is a network of items— each embedded with sensors—which are connected to the Internet.”
This is a phenomenon whose main challenge is to connect reliably and in real time billions of people, often through mobile terminals, but also billions of objects of any kind.
The main principle is that each object is able to connect to the Internet to exchange information and to increase its intrinsic value. The traffic generated by the Internet of Things will produce exponential volumes of information in a variety of formats and with rich content. These data deposits are likely to transform the management of our daily lives.
The Internet of Things will increasingly become Machine to Machine, and will be an Internet of Services, characterized by two key pillars – Cloud Computing & Big Data.
The Internet of Things leads to a combination of three essential components of any kind of architecture: the network (for access and connectivity), the access terminal (with capacity for processing, storage and communication) and data centers (for storage and processing).
But why is the Internet of Things considered as a phenomenon? Gartner estimates that IoT product and service suppliers will generate incremental revenue exceeding $300 billion in 2020. IDC forecasts that the worldwide market for IoT solutions will grow from $1.9 trillion in 2013 to $7.1 trillion in 2020.
In addition, as mentioned by the French public investment bank BPI, connected objects are everywhere (cities, houses, cars, health, etc.) and the areas of application are huge (waste management, urban planning, gadgets, emergency services, mobile shopping, smart meters, health, automobile, insurance, etc.).
Understanding the universe of business risks
However, beyond these opportunities, the Internet of Things generates cybersecurity, privacy and legal risks.
For example (and there are many others), researchers at Fortinet were able to take remote control of a “connected home” from their offices in California by exploiting a very basic vulnerability (a default password), after first browsing Shodan.io, the so-called “search engine of the Internet of Things.”
In addition, connected objects can be used to relay cyber attacks against third parties, which raises the question of legal responsibility. These objects represent an abundant resource for cyber criminals who want to repurpose them as attack tools.
Who could imagine, in the near future, an attack launched by a coalition of cyber refrigerators or houses?!
The problem is compounded by the fact that the industrial network protocols in question (such as ICS protocols) have little or no protection, and that these objects exist in very large numbers. These objects need to be secured and monitored to avoid such a takeover.
Moreover, the Internet of Things collects an ever increasing amount of data (e.g. personally identifiable information, personal health information and payment card information). Regarding privacy, personal data leakage is obviously a real business risk, but the danger comes even more from the correlation of multiple data sources into rich profiles usable by sales and marketing organisations.
Legislators are aware of the need to modernize the data protection system, reconciling consumer protection with the very promising market of connected objects. It seems unrealistic to offer consumers full guarantees. However, they must have sufficiently clear and comprehensive information to understand the risks. The issue of consent is essential, but should not be exaggerated.
Consumers must trust the company from which they bought Internet of Things related services and apps. Therefore, corporations engineering or (re)selling Internet of Things solutions must provide transparency, and it is essential that data security and privacy be integrated into their value proposition design and product development phases. As a business advisor, the CISO can make the difference by showing both the opportunities and the business risks to senior executives so that they can make informed decisions.
It is in the best interests of online Internet of Things providers or operators to make themselves as secure as is possible. Compliance may tick boxes, but in a competitive market, businesses must look beyond this to engender the loyalty of their customers.
Unleashing the full potential of Internet of Things
The Internet of Things clearly introduces into our digital economy a new fragility driven by multiple aggravating factors:
- an enormous and exponentially growing volume of hyper-connected objects of any kind, which are not really secure by default and are collecting huge amounts of data;
- an increased surface for cyber attacks;
- a tsunami and a potential aggregation of personal data;
- a potential complexity in terms of stakeholders and responsibility;
- a strong challenge to privacy and the right to be forgotten.
To counter these threats, the following first best practices are strongly recommended:
- integrate data protection and privacy into the value proposition design
- involve the CISO or cybersecurity experts at an early stage
- promote and systematize “secure by design” when shaping new disruptive products or solutions
- clarify the roles and accountabilities (customers, suppliers, subcontractors), and for that understand your value chain
- watch the regulatory and legal environment
- develop partnerships with cybersecurity companies to address vulnerabilities and cyber threats
To take advantage of the many opportunities of the Internet of Things, we must take data protection and privacy seriously in order to keep a competitive advantage!
Data security and privacy were the main theme of the 8th International Cybersecurity Forum in Lille, 25th & 26th of January 2016. This paper is a wrap-up of the discussion at the roundtable “Internet of Things: a new weakness?”, which Business Digital Security SAS had the chance to moderate. This roundtable was sponsored by the Cyber Excellence center and composed of a multidisciplinary panel (legal, R&D, information security, business).
November 26, 2015
Board and cybersecurity, a story of dangerous liaisons!
Have you heard?
- Ryanair has had nearly $5m stolen
- Dropbox left 6.9 million accounts possibly compromised
- TV5 Monde has been hacked and taken down
- Target corporation had around 40 million credit and debit card records stolen
- …
Probably. Because cyber attacks are unfortunately becoming more frequent, with greater business impact and visibility. Reading the headlines, citizens, end consumers, senior executives and shareholders are more and more aware of serious data breaches.
Fortunately, cybersecurity is now considered a growing business concern by most corporations.
(Lack of) cybersecurity may even jeopardize members of the board of directors. Thus, in the US, in the last five years, shareholders have initiated litigation against the directors of Target, Wyndham Worldwide, TJX Companies and Heartland Payment Systems. We can probably assume that this phenomenon will amplify and enter European markets.
Another risk that boards of directors face is “activist” shareholders. They can form alliances to challenge the re-election of directors when it is perceived that they did not do enough to prevent a cyber attack. Indeed, on behalf of shareholders, the role of the board of directors is all about governance, i.e. to control and oversee business strategy decisions and to manage risks efficiently.
For example, the data breach cost Target a significant drop in profit, estimated at around 40% in the 4th quarter of the year. As a consequence, the Target CEO was also dismissed. Afterwards, shareholders of Target urged the ousting of seven of Target’s ten directors for “not doing enough to ensure Target’s systems were fortified against security threats” and for “failure to provide sufficient risk oversight” over cybersecurity.
In which area did board of directors “fail”?
According to the New York Stock Exchange’s definitive cybersecurity guide (October 2015), boards of directors mainly fail:
- To implement and monitor an effective cybersecurity program;
- To identify and protect company assets and business by recklessly disregarding cyber attack risks and ignoring red flags;
- To implement and maintain internal controls to protect customers’ or employees’ personal or financial information;
- To take reasonable steps to notify individuals in a timely fashion that the corporation’s information security system had been breached.
What do boards of directors need to ask?
Cybersecurity is becoming a strategic issue and needs to be addressed with a strong and professional risk management approach, like any other business risks (strategic, financial, operational, etc.).
Even if cybersecurity is now considered a business risk by the board, it is strongly recommended that boards of directors ask the following questions:
- What are the most valuable business assets to protect? Are both external and internal threats considered when planning cybersecurity program activities? Does the organization understand the origin of the threats (e.g. cybercriminals, competitors, governments, rogue employees, etc.)?
- Does the organization have a sound and consistent cybersecurity strategy and program? Does the organization use an ISMS framework such as ISO 27001?
- How is cybersecurity governance managed within the organization? Is it well integrated into the corporate governance? Are the roles and responsibilities well defined among directors, business, IT and cybersecurity stakeholders?
- What are the top five cybersecurity risks the organization faces? How does the organization manage uncertainty? Are cyber risks related to strategic partners considered? Is it addressing new business cases like mobile devices, the bring-your-own-device trend, big data, or cloud computing?
- How are employees made aware of their role related to cybersecurity? Does every employee receive some basic cybersecurity awareness training?
- In the event of a serious breach, has management developed a robust response protocol? What incident response and crisis management approaches are in place?
Thus, every CISO should shape and implement a long-term, clear and shared cybersecurity strategy and governance framework, both aligned with the corporation’s business strategy and governance. An ISMS will help gather the various stakeholders’ expectations.
The increase in data breaches will force the CISO to climb the agenda in board meetings.
As a result, board members, business executives, IT and cybersecurity will better understand their respective roles and accountabilities regarding cybersecurity.
This strategic roadmap should be regularly updated and tailored to the business environment and provide accounting perspectives with powerful KSIs. It will bring more attention from the board and the business lines executives.
It will also enable board directors to stay involved in the corporation’s cybersecurity program and to engage at a higher level with the associated risks.
To strengthen their involvement, board members should receive from the CISO periodic cyber risks updates and have also access to external cyber experts whose expertise and experience board members can rely on in making decisions about what to do (or not) to manage cyber risks.
Because board members will be more involved, cybersecurity will be promoted and senior management, middle management and finally ALL employees will be engaged. The employees of the corporation will become the first line of defense in the event of cyber attacks.
As a whole, it will improve the overall resilience of the corporation’s business lines and IT infrastructures, and we can expect it to bring more value to shareholders, which in turn will better protect board members from “activist” shareholders.
Stay tuned with: https://business-digital-security.com
October 13, 2015
Master the art of powerful KSIs: Start small, but think big!
“If you cannot measure it, you cannot manage it.” The old management adage also applies to the information security department.
CFOs have long had a monopoly on interesting metrics that demonstrate the financial progress of the business. Like a CFO, CISOs should also master the figures and present KSIs (Key Information Security Indicators).
Even if there exist plenty of standards and approaches on the market for information security metrics (e.g. ETSI ISI, NIST, SANS Institute, ISO 27004), CISOs shall design and implement their own sustainable metrics and KSIs tailored to their organization and culture.
In order to avoid flooding the board with new and gadget indicators, it is worth developing a comprehensive yet concise list of KSIs that speaks to the board and the businesses.
Corporations shall start with easy to measure and understand KSIs on a limited but representative scope or topics (branches, projects, processes, etc.).
For example:
- rate of employees trained through awareness sessions
- number of risk assessments / number of new critical projects
- rate of non-patched systems
- average number of vulnerability tests a month / number of websites, etc.
The set of KSIs could sweep multiple dimensions, for instance the five dimensions of the AT Kearney Temple Model for information security: strategy, organization & governance, processes, technology and culture.
These KSIs, integrated into an actionable balanced scorecard, will help the CISO drive the cultural change and the execution of the information security strategy, and highlight misalignment with defined goals and objectives. The KSIs will be measured regularly and monitored on an annual basis.
The KSIs shall be fully aligned and linked with business KPIs. For example, for an online banking, we could map the KSI “Percentage of incidents where customer data is put at risk” with the business KPI “Customer churn rate”.
It will reinforce the partnership between the information security department and the business lines.
Then after, with a first set of robust KSIs, the corporation will be able to address effectiveness and even some first efficiency issues.
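As an added example (not code from the original post), here is how three of the KSIs listed above can be computed from evidence rather than from self-reporting: the "non-patched systems" rate from an asset inventory with patch findings and a per-severity deadline, the awareness rate from a training register, and risk-assessment coverage from a project list, then rolled into a red/amber/green scorecard per business unit. The inventory, the employee and project names, the SLA values in PATCH_SLA_DAYS and the thresholds in THRESHOLDS are all constructed assumptions to be tuned to the organization.

```python
"""Computing a first set of KSIs from evidence rather than self-reporting.

Added example, not from the original post. All data, SLA values and
thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Assumed patching deadline by vendor severity, in days after patch release.
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Assumed scorecard thresholds. "lower": (green_max, amber_max);
# "higher": (red_max, amber_max).
THRESHOLDS = {
    "unpatched_rate": ("lower", 0.05, 0.15),
    "awareness_rate": ("higher", 0.60, 0.85),
    "risk_assessment_coverage": ("higher", 0.60, 0.95),
}


@dataclass
class Finding:
    severity: str
    released: date  # date the fixing patch was released


@dataclass
class Asset:
    hostname: str
    unit: str  # business unit the asset belongs to
    findings: list = field(default_factory=list)


def is_unpatched(asset, as_of):
    """True if any finding is older than the deadline for its severity."""
    return any((as_of - f.released).days > PATCH_SLA_DAYS[f.severity]
               for f in asset.findings)


def unpatched_rate(assets, as_of):
    """Share of assets breaching at least one patching deadline.

    A finding still inside its window does not count, so the KSI measures
    process failure, not the normal patch backlog."""
    if not assets:
        return 0.0
    return sum(is_unpatched(a, as_of) for a in assets) / len(assets)


def awareness_rate(employees, trained):
    """Share of employees who attended an awareness session."""
    if not employees:
        return 0.0
    return len(set(trained) & set(employees)) / len(employees)


def risk_assessment_coverage(projects, assessed):
    """Risk assessments performed / new critical projects."""
    critical = [p for p, is_critical in projects.items() if is_critical]
    if not critical:
        return 1.0
    return len([p for p in critical if p in assessed]) / len(critical)


def rag(metric, value):
    """Map a KSI value to a red/amber/green status using THRESHOLDS."""
    direction, a, b = THRESHOLDS[metric]
    if direction == "lower":
        return "green" if value <= a else "amber" if value <= b else "red"
    return "red" if value < a else "amber" if value < b else "green"


def scorecard(assets, as_of, employees, trained, projects, assessed):
    """Patching KSI per business unit, plus the two firm-wide KSIs."""
    by_unit = defaultdict(list)
    for a in assets:
        by_unit[a.unit].append(a)
    card = {"unpatched_rate": {}}
    for unit, unit_assets in sorted(by_unit.items()):
        v = unpatched_rate(unit_assets, as_of)
        card["unpatched_rate"][unit] = (round(v, 3), rag("unpatched_rate", v))
    v = awareness_rate(employees, trained)
    card["awareness_rate"] = (round(v, 3), rag("awareness_rate", v))
    v = risk_assessment_coverage(projects, assessed)
    card["risk_assessment_coverage"] = (round(v, 3), rag("risk_assessment_coverage", v))
    return card


# Constructed sample data (not real systems, people or projects).
AS_OF = date(2015, 10, 1)
ASSETS = [
    Asset("web-01", "retail", [Finding("critical", date(2015, 9, 10))]),  # 21 days > 14: breach
    Asset("web-02", "retail", [Finding("high", date(2015, 9, 20))]),      # 11 days <= 30: ok
    Asset("db-01", "retail", []),
    Asset("hr-01", "corporate", [Finding("medium", date(2015, 8, 1))]),   # 61 days <= 90: ok
    Asset("hr-02", "corporate", [Finding("low", date(2015, 8, 1))]),      # 61 days <= 180: ok
]
EMPLOYEES = ["e1", "e2", "e3", "e4", "e5", "e6", "e7", "e8", "e9", "e10"]
TRAINED = ["e1", "e2", "e3", "e4", "e5", "e6", "e7", "e8", "e9"]
PROJECTS = {"payments-v2": True, "intranet-refresh": False, "mobile-app": True, "crm": True}
ASSESSED = ["payments-v2", "mobile-app"]

if __name__ == "__main__":
    for name, value in scorecard(ASSETS, AS_OF, EMPLOYEES, TRAINED, PROJECTS, ASSESSED).items():
        print(name, value)
```

Two design points matter more than the arithmetic: the patching KSI is defined against a deadline per severity, so the board sees deadline breaches rather than the ever-present backlog, and every ratio is computed per scope (here, per business unit) so the scorecard can be read by the business line that owns the result.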
September 10, 2015
A long journey from cybersecurity to cyber resilience
We explore the three stages involved in reaching Cyber Resilience, from examining the current situation to breaking the dynamics of failure and reaching and maintaining the end goal.
- The current cybersecurity situation in many large organisations is dominated by significant blockers.
Cybersecurity is still broadly perceived as an IT discipline, built around technical solutions and projects – you only have to open any industry magazine or publication to see it, or go to any professional show.
The “three lines of defence” models promoted in some form or another by various standards, such as COSO or ISO 31000, are poorly understood and poorly applied. Cybersecurity is often arbitrarily kept in a technical first line, in spite of its complex nature, requiring a true implementation across the three lines of defence – and across many corporate silos.
In practice, this excessive technical focus – which spans the entire industry history – is failing for most large organisations. In fact, many of these organisations claim to spend in excess of 3% of their total IT spend on cybersecurity, but in spite of the amounts invested over the years – 79% have not yet achieved an acceptable level of cybersecurity maturity (‘Risk and Responsibility in a Hyper-connected World’ – World Economic Forum, January 2014). These results are echoed by the RSA Cyber Poverty Index published in June 2015.
This failing situation is rooted in the lack of cultural fit between cybersecurity and IT mindsets. Technologists are essentially trained and incentivised to deliver functionality and features – not risks and controls – and this leads to a tactical and technical security focus that rarely delivers true results in large organisations.
Those large organisations have become increasingly dependent on a larger and larger number of third parties, with cybersecurity problems often global and complex in nature, and the threats they face continue to evolve at a faster and faster pace. The geographical, operational and technical complexity of large organisations requires a well-designed strategy and proper governance framework, that is rarely in place, to enable the true delivery of cybersecurity solutions on a global scale.
This lack of results can drive middle-management frustration and budgetary tensions around cybersecurity internally, which in turn brews demotivation and further talent alienation away from cybersecurity functions. It is often also the lack of results (or insufficient or slow progress), which attracts the attention of auditors and regulators on these matters; those are often ‘low hanging fruits’ in absence of any strategic vision around cybersecurity.
This, in turn, is effective at drawing the attention of Executive Management towards the topic – but for all the wrong reasons. And when coupled with the increasing media and political attention around cybersecurity, it simply aggravates the tactical dynamics around cybersecurity. Driven by endemic fears of negligence claims and short-termism compliance obsessions, money – which wasn’t there yesterday – suddenly appears out of nowhere just to fix audit or compliance issues. Senior Executives can go to the media or claim with their peers that “cyber is on our agenda and money is there”, but in practice, the lines haven’t really moved at all – and the same old mistakes and habits are being perpetuated.
Over time, cybersecurity becomes an overhead and a problem – instead of a necessary barrier against real and active threats to the business. And, in practice, money is often simply wasted to put ticks in boxes. A large number of technology companies make a good living in that compliance space, but this eco-system is inherently unhealthy. This results in stagnating protection levels and low cybersecurity maturity, which is what the World Economic Forum report highlighted last year.
- Large organisations, which find themselves in such a situation – and want to break these dynamics of failure – must rethink their approach and rewire their cybersecurity practice by acting at three levels.
- The profile of the CISO needs to be right in order to drive change.
Look without complacency at the cybersecurity history across the firm, and at the barriers that have prevented progress. The CISO needs to have the right amount of business and management experience, personal gravitas and political acumen to be credible with all stakeholders across corporate silos (not just technologists) – these are attributes of seniority. Cybersecurity is not just a technical discipline.
Cybersecurity is all about protecting information, which is at the heart of the organisation value chain and business processes. Therefore, only with the right attitude and experience will the CISO be able to reach out of IT to all stakeholders and drive success. Of course, the reporting line of the CISO is of paramount importance in that context. It should be to the CIO or the COO in most cases and delegating down must be avoided at all costs – as it would simply confuse objectives and create opportunities for political tensions with stakeholders. This would destroy any credibility around the real desire of Executive Management to drive change.
Raising the profile of the CISO (and their reporting line where necessary) will break the dynamics of talent alienation around cybersecurity. Sound governance, coupled with a better management and political acumen at senior level within cybersecurity, will break the dynamics of failure around delivery. Pinning success against a long-term backdrop and ensuring that the CISO and key personnel remain in place throughout will help Executive Management develop a true sense of purpose around cybersecurity, beyond short-termism or audit and compliance obsessions.
- The CISO needs to structure their relationship with all stakeholders as part of a strong Cybersecurity Governance Framework, positioning roles, responsibilities and accountabilities across the cybersecurity space and across the whole organisation from the top down.
The CISO must also define a proper Target Operating Model for the cybersecurity team itself – which would give it a strong backbone, a clear structure and an unambiguous sense of purpose internally.
All of this is key to driving success. For example, you cannot imagine delivering a successful Identity & Access Management programme of work without the involvement of HR – and the business units if they are allowed to hire & fire directly. There needs to be clear demarcation lines around what gets done within the cybersecurity team and what remains outside of it.
The whole governance model should also address, without complacency, the full geographical spectrum of the business – and its true nature in terms of dependencies on third parties.
- The cybersecurity department should be seen as a true Business Unit, and therefore, every CISO should establish a long-term, clear and shared strategic roadmap – and be prepared to stay in charge for the time it will take to deliver it.
Real and long-lasting change in the cybersecurity space will involve a cultural shift for most large organisations – and the embedding of a structured practice and a controls mindset in the way the organisation works. It will not happen quickly. It could typically involve an initial transformation cycle of several years, followed by a consolidation cycle of several years.
The CISO and key team members may have to consider their tenure over a 5 to 7 year horizon to genuinely drive change through. During the period, all actions (technical or not) must be pinned against a consistent long-term backdrop – including any unavoidable short-term tactical initiatives (typically driven by incidents, audit observations or compliance requirements). Inconsistencies and a constant reshuffling of priorities would simply kill the change momentum, as would the untimely removal of key personnel.
- The resulting outcome should be a cyber resilient organisation, where cybersecurity is embedded in the business environment.
A long-term strategic roadmap for cybersecurity, regularly updated, tailored to the business's environment and providing financial perspectives, will bring multiple benefits:
- Traceability up to the organisation strategy and business lines’ requirements
- Improved overall resilience of business lines and cyber infrastructures
- Improved visibility and control over costs (where that’s a concern)
This should bring more attention from the Board and the business lines, and improve their engagement with the cybersecurity concepts – leading to more constructive discussions around cybersecurity budgets and costs.
Over time, focus on information risk should drive meaningful intelligent actions, and cybersecurity should become a valuable business function at the heart of the organisation – not just an IT department that deals with audit and compliance issues.
This article is based on an earlier article by Corix Partners, which Corix Partners and Business Digital Security have revisited jointly to reformulate its content as the foundations of a road to cyber resilience.
June 22, 2015
Big Data: how can the CISO make a difference ?
Which value can Big Data provide?
Big Data is a broad term for data sets so large or complex that traditional data processing applications are inadequate. Challenges include analysis, capture, data curation, search, sharing, storage, transfer, visualization and data privacy. The term often refers simply to the use of predictive analytics or certain other advanced methods to extract value from data, and seldom to a particular size of data set.
It’s widely recognized that Big Data can bring a corporation many powerful benefits: better targeted advertising, better knowledge of customers, reinforcement of customers’ relationship, tailored pricing to customer’s profile, identification of competitive advantages, monitoring of fraud risks and many others.
70% of IT decision-makers consider their organization’s ability to exploit value from Big Data as critical to their future success. And 65% say they risk becoming irrelevant and/or uncompetitive if they do not embrace Big Data (source: Forbes).
Accuracy in Big Data may lead to more confident decision-making. And better decisions can mean greater operational efficiency, cost reductions and reduced risk.
What are the risks that Big Data brings?
Big Data extends the scope of existing information security challenges and introduces new challenges and business risks for corporations. By nature, Big Data inherits the Cloud risks (see the white paper co-written with CEIS and ATIPIC Avocat).
Beyond those, how should the multi-tenancy of a Big Data environment be managed? When data sets are gathered from multiple sources, how are data origin and ownership established? (see the paper "Cloud and the false sense of ownership"). In addition, by allowing users or customers to assemble very large data sets, new opportunities for large-scale data breaches may be introduced.
Because future uses of Big Data and the regulatory landscape remain uncertain, the risk landscape keeps growing.
Consumer data mining introduces privacy risks and societal concerns. And these issues are not adequately addressed by existing corporate policies or guidelines. Data classification will become even more critical.
Beyond corporations, Big Data may generate fears of manipulation and discrimination among consumers and citizens. The risk of manipulation is all the more important as the Cloud, social media and the Internet of Things amplify the technical capabilities of Big Data. For instance, how much trust can we place in Big Data algorithms?
We can expect the arrival of legal and regulatory requirements to drive the adoption of policies and controls. Beyond security and privacy risks, enterprises and governments should also aim at adopting an ethical approach to the development and use of Big Data (Kord Davis, Ethics of Big data: balancing risk and innovation, September 2012).
How to address these “big challenges”?
For any organization, the starting point is to set up a clear data protection strategy and include Big Data into the scope.
The advent of Big Data (together with the Cloud and the Internet of Things) is an opportunity for firms to review their data protection approach and to close the gap between the business, IT and information security populations.
It is therefore worth bringing a broad panel of stakeholders around the table and shaping clear accountabilities among business, digital marketing, data scientists, risk management, information security, data privacy and IT. Bringing third parties (such as Cloud Service Providers and Big Data tech vendors) into the same accountability framework as your own employees will be paramount to succeed in this new journey.
Can the CISO make a difference?
With the right mindset and business skills, the CISO, in partnership with the CIO and the business, must take the lead to become a real business advisor and an enabling force in supporting the adoption of Big Data and enhancing the company's data protection posture. The CISO can help unlock the full potential of Big Data.
For instance, giving data scientists broad access to large databases challenges traditional security principles such as "need to know" and "least privilege"; CISOs will have to find ways to reconcile the two.
CISOs need a holistic approach to identify the major business risks from every angle and to develop general guidance for business executives, managers, IT and employees.
Detailed security controls and access policies for Big Data platforms and systems cannot be established in the absence of a framework of general risks and principles.
All security professionals and technologists will need to become familiar with the opportunities, risks and necessary controls surrounding the use of Big Data for security purposes.
Finally, education of business stakeholders is paramount because, at the end of the day, the business remains accountable for Big Data protection.
June 3, 2015
Economics of cyber security: the key role of insurance
Cyber insurance and risk management are key aspects of the economics of cybersecurity. In the near future, cyber insurance is likely to bring many benefits to the cyber security posture of firms and will probably play a central role in the economics of cyber security.
Cyber insurance, a niche market still immature
Cyber-insurance, the transfer of financial risk associated with network and computer-incidents to a third party, has captured the imagination of professionals and researchers for many years.
The growth of cyber insurance is related to the need to mitigate the financial impact of cyber security incidents. The overall cyber insurance market is growing at a great pace, as corporations realize that, regardless of their current security controls, security can never be 100% guaranteed.
Yet reality continues to disappoint the proponents of cyber-insurance, particularly in Europe. For instance, in France, annual premiums were estimated at around €100 million in 2014.
Gartner Group states “many companies are hesitant to buy cyber coverage. Through 2016, less than 40% of corporations will have purchased cyber insurance”.
What are the cyber insurance market barriers?
By its nature, cyber risk is hard to predict, because rapid technological change keeps bringing new threats and vulnerabilities.
In addition, there is uncertainty about the regulatory landscape and about what type of cyber risk is actually being insured. Moreover, cyber risk is varied and heterogeneous: risks can be symptomatic (due to poor security measures) or systemic (due to state-sponsored cyber attacks).
From the buyer's perspective, premium costs are still perceived as high, there is confusion about insurers' terms and conditions, and the prescreening process is considered difficult and intrusive.
From the seller's perspective, because of the information asymmetry between insurer and insured and the lack of robust actuarial data (e.g. on vulnerabilities and cyber security incidents), rating and pricing cyber risk remains complex. There is a flood of surveys and information, but it is unreliable because it is produced by non-neutral parties such as vendors. Unless required by law, most firms choose not to disclose that they have suffered cybersecurity incidents.
Consequences of this asymmetric information are:
1/ Adverse selection: the difficulty of discriminating between firms with good and bad operational security practices has hampered the development of the cyber insurance market.
2/ Moral hazard: the insured may behave less securely, investing less in security after buying insurance, because they know the insurer will bear some of the negative consequences.
Because markets are imperfect and can fail, the main driver of the cyber insurance market (and indirectly of the cyber security market) will probably be the ongoing EU regulations, which focus strongly on protecting customers' confidential information.
What could be the cyber insurance market incentives?
Increased transparency between insured and insurer will be key. For example, using an independent third party to provide neutral, continuous security scoring would be a strong incentive. IT security standards for underwriting, and certified IT security products and services, would also simplify the prescreening process and help increase trust.
The cyber insurance market may act as a mechanism for the broader promulgation of best practices.
It would give firms an incentive to improve IT security in order to reduce premiums. This assumes that a causal link can be established between specific information security measures and a reduction in risk, that this information is readily available to the market, and that insurers take the link into account when pricing premiums. Under those conditions, prospective insureds would be more inclined to weigh their cost-benefit trade-offs in favour of spending on security, since the resulting reduction in premiums could offer greater savings.
Risk management, information security and cyber insurance must go hand in hand
Cyber insurance does not, of course, remove the need for businesses to manage their risk from cyber attack. It should be seen as part of a holistic approach to cyber risk management including business controls, investment in security and education of staff and customers.
For organizations to fully equip themselves in the face of a cyber security tsunami, it is critical that cyber insurance be recognized and included as a key component of their risk management and global security strategies.
As cyber attacks continue to intensify and European regulations (e.g. the EU Data Protection Regulation and the NIS Directive) come into play, the cyber insurance market will probably continue to grow and will benefit the overall cyber security market.
April 30, 2015
CISOs and budget: how to manage uncertainty?
Handling an information security (InfoSec) budget is not an easy task. Most InfoSec departments operate under very tight budget constraints.
The challenge is to find the right balance between overspending and underspending.
Building an InfoSec budget is a difficult exercise:
- A broad range of stakeholders may be involved, not only IT and information security people but also business lines, data privacy, legal, communication, HR departments.
- Various topics are to be embraced, from Governance Risk Compliance to operational core capabilities
- To complicate matters, future needs are uncertain: every year, or more often, there are new threats, new technologies and, frequently, new regulatory requirements
Unexpected surprises can derail even the most well thought out budget.
Forecasting a security budget is all the more difficult because unexpected expenses are common in InfoSec, whether due to evolving security threats and compliance requirements or to data breaches and other security incidents.
When will your next data breach happen? It’s not a question of if but when!
The strategies for dealing with these unexpected expenses or emergencies (e.g. new threats, new technologies, new regulations or data breaches) may vary widely across enterprises:
- Some CISOs pad the budget for worst-case scenarios and shift funds based on the needs of the business
- Other CISOs create an entirely separate, dedicated budget for emergencies
- One alternative and innovative approach to funding emergencies is to have the department or business line that caused the emergency pay for it
- If the firm has taken out cyber insurance, the CISO and the firm may claim compensation for damages
Otherwise, if you are lucky, money just seems to appear whenever it is really needed.
Emergencies are interesting in that, when a true emergency occurs, money and resources appear out of nowhere. In day-to-day activity, CISOs are told there are no resources or money; in an emergency, the funding simply materializes. It is not a budgeting process, it is about getting it done and correcting whatever needs to be corrected.
Whatever the approach, the InfoSec department should be seen as a Business Unit, and therefore every CISO should establish a clear and shared strategic plan.
Such a strategic plan has to cover three main objectives:
- Respond to the corporation's strategy and the business lines' requirements
- Improve the overall resilience of business lines and IT infrastructures
- Control the costs
This strategic plan should be regularly updated and should provide P&L and balance sheet views.
It will bring more attention from the Board and the business owners, and with it more InfoSec budget.