[BreachExchange] In uncertain times, CISOs have a golden opportunity

Tue Sep 15 10:22:49 EDT 2020

https://www.helpnetsecurity.com/2020/09/14/in-uncertain-times-cisos-have-a-golden-opportunity/

Hackers are targeting everyone and taking advantage of fear,
uncertainty, and a 24/7 news cycle that can dwell on a single theme
for weeks on end. The victim pool includes everyone from the global
remote workforce (some working in industries that didn’t know remote
work was even feasible), to essential workers in labs working on
vaccines or treatment plans for COVID-19.

According to Microsoft, phishing and social engineering attacks have
jumped to 30,000 a day, and extremely sophisticated levels of
ransomware attacks are up 800%. Ransomware’s latest tactic is a
conversion to doxware. Attackers steal company data before encrypting
it and threaten to reveal that your organization has been hacked and
that sensitive customer data has been compromised. So even if you have
backups and don’t pay the hackers, your reputation is still at risk.

As ransomware attacks become more frequent, IT and information
security leaders often end up pointing fingers at each other after a
cyber-attack. And there are many fingers in the room, adding to the
chaos, trying to avoid responsibility, and deflecting ownership of the
problem to other stakeholders.

The CISO has the biggest finger, but should point carefully

A recent WSJ article talked about how CISOs are now being elevated to
corporate leadership roles. We are currently witnessing a growing
epidemic of cyber risk. Today more than ever, CISOs can use their
influence to do more than just drive technological change by piercing
the silos across the enterprise.

But it’s going to take a completely different method of communicating.
The outcome must be seen much faster and it must clearly demonstrate
greater cyber maturity and resilience in such a way that it can’t be
disputed. In a nutshell, this means that cybersecurity must be spoken
about in business terms, in dollars and cents, not bits and bytes.

This has often not been the case. Before the pandemic, it wasn’t
unusual for a CISO to walk into a CFO’s office and have a budget
conversation with a color quadrant of red, yellow, and green. Security
vulnerabilities in red needed the most attention and would require
immediate investment. Success would mean having less red and yellow on
the chart. Vying for this type of security progress through vague risk
reduction was enough to get approval for the latest technology and
address control deficiencies and alleviate other impending threats.

The days of vague cyber plans and investments are over

In June, the International Monetary Fund forecasted that the global
GDP will suffer a 4.9 percent contraction this year.

American credit rating agency Fitch Ratings announced that the number
of defaults in the first five months exceeded the total for 2019 and
that the pandemic fallout will erase $5 trillion more. There is no
doubt that budgets will be more closely scrutinized in this global
contraction. In 2020 and beyond, an entire cybersecurity program must
answer the critical question: “Can you put a number on this technology
investment?”

Choose the right tools

In order to validate cyber investment with a cyber budget holder, one
must first understand cyber event types the organization may face and
the range of business assets and operations in question.

Conversations around cyber risk management are often centered around
estimating both the probability and impact of a risk event. Using
cyber risk analysis centered around probability is alluring because we
all want to know the future. When you can predict your cyber future,
it becomes very easy to prioritize what risks require more attention.
So, considering that most organizations have limited resources, one
magic number can give leaders confidence in how their cybersecurity
programs are optimized and make them look good to leadership across
the enterprise. It seems like a good approach now with shrinking
budgets.

However, it’s not enough.

A focus on probability can be misleading and even perilous for
analyzing high-impact low-frequency events, such as a large data
breach or data destruction event. The tools a leader chooses should
look at the big picture in a collaborative and flexible manner that
includes input from the entire enterprise. This will allow decisions
to be made faster and more accurately.

I’d recommend an approach to cyber risk investment grounded in
financial impact analysis, that allows leaders from every business
unit to weigh in on what operations and outcomes the company needs to
prioritize and determine plausible cyber incidents that could disrupt
business operations and their assets.

These financial impacts help inform business decisions such as
insurance purchases, investing in controls and more. These costs
should be categorized depending on who is affected (and what type of
impact it is). And the company should be able to optimize the entire
portfolio of controls by playing out how changing one or more controls
will impact their exposure. With this kind of methodology, a CISO can
quickly determine if it’s cheaper to implement a control or buy
insurance or put a number on impact (and sleep better at night if it’s
relatively low).

CISOs now have a golden opportunity to take advantage of their
publicity and show the organization (and the world) that even in times
of uncertainty, cybersecurity investment can be managed quickly and
bring a much-needed structure in these times.