CISOs need to balance the needs of the business with an ever more complex threat landscape, regulatory pressures, and still keep on top of the basics of cybersecurity.
According to Jonathan Trull, CISO at security vendor Qualys, and Martin Smith, founder and chairman of the Security Awareness Special Interest Group (SASIG), understanding threats, and managing risks, are now a CISO’s core tasks.
But organisations are also paying more attention to business resilience, not least in the wake of a series of high-profile cyber attacks, in the UK and elsewhere.
Lessons learned
This, in turn, will force organisations to take a hard look at their operations, and prioritise their most critical systems for protection. Cybersecurity is not immune to wider pressures on technology budgets, and resilience measures are not cheap.
“Oftentimes we have short memories of major events,” says Qualys’ Trull. “Over the 20-plus years that I've been doing this, a lot of it was in response to major incidents. Things like ransomware that would suddenly hit a well-known vulnerability and impact many, many, many customers.
“And then we do our thing, react to it, and you don't see as many. Then we have something like NotPetya, that was delivered by a nation state actor, and hit large companies operating out of the UK, the US, globally, with billions of dollars in damages. We do a lot of work, respond very tactically. But then we forget. We just go on to the next risk,” he says.
But this is changing. “We've definitely learned some hard lessons from that over the last year,” he concedes.
This, in turn, has changed the way boards see cyber risk. In the past, business leaders might have paid lip service to information security, or left it to the IT department. That is no longer an option.
Boards, says SASIG’s Smith, now have no choice but to pay attention to cybersecurity.
“In the many decades that I've been in this business, cybersecurity has emerged from a specialist topic to something which is at the centre of operations,” he says. “We all rely so much now on technology, information technology, but regulations come in, we've had the high-profile cases that have been in all the press. Boards have no choice now. They must take this matter seriously.”
But this, Smith suggests, is not new territory for boards, or at least should not be.
“Boards are no strangers to risk. Remember, this is just a new form of risk, and if you had a finance director saying, I don't really understand finance risk, I'm going to leave that to my accountants or the head of HR saying I don't really understand people. I'm going to leave that to my HR department…”
“A board can no longer say I don't really understand cyber, I'm going to leave that to my IT people. It's no longer acceptable. You can't hide behind ignorance anymore,” he warns. “That perception has changed because it had to change.”
Visibility
Changing board perceptions around cybersecurity, though, demands an accurate picture of the threats facing the organisation. This ranges from the risks posed by vulnerabilities in applications or devices through to industry-wide or even geopolitical risks. These shape whether, and why, an organisation comes under attack, even if not how.
At the same time, cybersecurity teams need to understand how the business operates, and which systems are the “crown jewels”. Security risk and threat analysis needs to work together with accurate inventories of the business’ technology, locally, in the field, and in the cloud.
“I think CISOs need to have more than a technical conversation,” says Smith. “We talked about this at the ROCon conference: about identifying your crown jewels, identifying what it is you are protecting. Because if you don't look after the important things, anything else you're doing is a waste of effort.
“We're protecting things that don't really matter… You do need to understand what the business is, and you need to be looking at risks from over the horizon, which is threat intelligence, all the way through to protection. And then when it does go wrong, ensuring that operations can continue,” says Smith.
“In the past, this focused on technical security. It now needs to sit within a business case and the CISO needs to be a communicator as much as a technical expert.”
Here, vendors such as Qualys play an important and expanding role. Best known for its vulnerability detection and management, Qualys now provides a wider view of risk and threats through its Risk Operations Centre (ROC) technology.
The ROC integrates vulnerability reports and CVEs with data from an enterprise’s endpoints and infrastructure, threat intelligence feeds, and the wider business context, including regulations and geopolitical risk.
As Qualys’ Trull points out, this is a complex task, not least because enterprises depend on a widening range of in-house, cloud, open source and SaaS tools for their day-to-day operations.
“An application that you're building yourself is a conglomeration of open source libraries,” he says. “It's extremely complex just to say, what do I have and what would be the business impact… What would happen if they all went offline?”
Even as CISOs have to grapple with the bigger business and strategic picture, failing to patch “one server out of 20,000” could still bring down the organisation, he says.
“If our operations truly stop, everything's down. How long would it take us to recover? What if we had a rebuild from scratch? What is the amount of time that would take?”
CISOs, and boards, need to prepare for the worst, and be ready to recover the business when an attack does happen. And that depends on a clear view of vulnerabilities, threats and risks.
Delivered in partnership with Qualys.