[BreachExchange] 4 Questions the Board Must Ask Its CISO

Audrey McNeil audrey at riskbasedsecurity.com
Wed Aug 17 20:28:33 EDT 2016


http://www.databreachtoday.com/blogs/4-questions-board-must-ask-its-ciso-p-2218

As CISOs, the most common question we get asked by the board is, "Are we
secure?" But there is a fundamental problem with this question.

In order to explain the problem, I encourage you to ask yourself a similar
question - "Are you healthy?" - and see how you respond. Some of you
probably started explaining how often you exercise, see a doctor, what you
eat and so on.

Others of you would have tried to answer in terms of your family medical
history, smoking/drinking habits or medicines/vitamins you take.

For others, the answer may have been "I guess I'm healthy." But no matter
how you responded, I doubt the answer was a mere "yes" or "no."

The same problem exists with the "Are we secure?" question for the board.
It may elicit information, such as the number of vulnerabilities, intrusion
attempts, amount of spam received, devices encrypted, etc. Some of these
numbers are in the millions and sound impressive, but the answers do not help
the board with their responsibility of "making an informed decision."

So, let's take a look at what the board must ask instead.

Question #1: Is There an Information Security Framework in Place?

The purpose of this question is to ensure that the information security
program is based on an industry-recognized standard. Using a framework
ensures the adequacy of controls, which is more valuable than trying to
understand every technical control, something that is simply not possible.

A framework also helps the board ensure the effectiveness of controls,
through the process of internal and external audit. Thus, use of a
framework ensures "due diligence" on the part of the board while insulating
the board from changes in CISOs (personalities), companies or technologies.

In my current role, I am using the NIST Cybersecurity Framework. HIPAA
regulations refer to NIST for guidance, so we generally use NIST where
applicable. Also, NIST CSF's core security functions - identify, protect,
detect, respond and recover - make intuitive sense to non-technical
audiences as well. Some other common security frameworks are COBIT and ISO
27K. They all map to one another, so you can use any one and still be able
to map to other frameworks.

Question #2: What Is the Scope and Methodology of Risk Assessment?

All security frameworks require a risk assessment to be in place. However,
common problems with risk assessments are that they either lack a holistic
scope or do not follow a standard methodology. For example, the scope of a
risk assessment may not include vendors, suppliers or biomedical devices.
Results from such a risk assessment cannot offer a 360-degree risk view and
may constitute "willful neglect" on the part of the board.

So, the board has to make sure that the scope is holistic. Ensuring a
standard risk assessment methodology allows the board to see how the risk
is trending on an ongoing basis. And together with a well-defined scope,
this will allow the board to properly execute their "advisory and risk
oversight" responsibility.

For our purpose, we use the NIST 800-30 Risk Management Guide, which has a
nine-step risk assessment methodology. Other security frameworks such as
ISO 27K also have corresponding risk assessment methodologies, and I would
recommend picking a risk assessment methodology tied to the same framework.

Question #3: How Do You Measure the Maturity of Processes That Make Up the
InfoSec Program?

A CISO is a subject matter expert and should be expected to understand
cyber risk better than anyone else in the organization. This question
gives a CISO the flexibility to highlight the key security processes that,
from his or her perspective, are most relevant to the business. It also
encourages a CISO to explain an information security program in terms of
business-aligned security processes, rather than technology, which can get
complex and cause the board to shy away from discussing cybersecurity.

The question also gives CISOs an opportunity to leverage existing business
process improvement methodologies, such as Six Sigma and Lean, for process
maturity. And there is a good chance that the board is already familiar
with such methodologies. CISOs should also be encouraged to include
investments made or needed to improve process maturity. This permits the
board to see return on security investment, in line with their "fiduciary
responsibility."

I have carved my information security program into six high-level security
processes: threat management, which includes security monitoring, incident
response, vulnerability management and patch management; security
operations; security architecture; risk management, which includes risk
assessment; policy lifecycle; and security awareness. I also use COBIT 5
for process modelling and maturity assessments.

Question #4: What Are We Doing to Respond to a Particular Threat That's
Making Headlines?

This is an open-ended question that provides an opportunity for both the
board and the CISO to discuss threats trending in the media or threats that
were previously unknown. For example, this question can facilitate a
discussion on advanced persistent threats, including some of the
cyberattacks we've been seeing.

The focus on "response" in the question is also an acknowledgement from the
board that anyone can be compromised by a determined adversary, and the
CISO needs to focus on response and recovery, as much as detection and
prevention.

I have used this question to facilitate a discussion on advanced persistent
threats, and our company's ability to handle breaches such as those that
hit Sony, Target, Anthem and others, or the ransomware attacks that are
causing havoc in the healthcare industry.

Ultimately, these four questions are designed to allow a board to actually
understand whether the organization is secure and also to compare its
cybersecurity posture with that of other companies.