Published in Information Security Buzz
Scrutiny over data protection and privacy, and the reporting and analysis behind a powerful threat defense, is moving to the boardroom as organizations are seeing the need to take a closer look at just how effective their security posture is. In a report, Gartner labels it ‘A New Era of Risk Reporting to the Board,’ noting that “Board members are increasingly aware and concerned about the importance of information security.” Gartner also notes that discussions have evolved from standard security metrics to understanding the enterprise-wide ramifications of information security risks.
Boards are now expecting analysis and reporting of the organization’s cyber resilience at the same level as other formal mandatory reporting and company controls. However, executing a cyber resilience strategy is easier said than done, particularly for small or mid-sized businesses that do not have the skills or expertise in house, or large organizations that are dealing with legacy or complex, interconnected business models.
Aligning Controls with the Threat Landscape
Historically, security controls used to monitor the output and efficiency of a company have been traditionally based around the areas of policy, process procedures and management, along with technical, physical and personnel metrics. In today’s world of constant cyber threats, although these areas are still valid, they must be reinforced with the ability to consider the context of the controls in relation to threats to which the organisation is exposed. This context is provided by the results of cyber incident responses, the exchange of cyber-attack information via information exchanges, CERTS (Computer Emergency Response Teams) and the fast-emerging threat intelligence industry.
The additional information provides the ability to review and consider all the controls in the context of the current threat landscape. Then, it is possible to justify new spend to deploy appropriate controls to further mitigate risk. For the first time, the availability of this almost real-time threat information allows security teams to react to a change in threat and prevent a breach. This is a better response strategy rather than waiting for a successful attack or simply trying to contain a threat once the network flags anomalous behavior.
Although an abundance of information is becoming available on how to protect a business, the issue is: what is considered as effective and can demonstrate that the business has taken the appropriate action to protect itself and any personal data? Analyzing security options from this perspective of corporate governance will form the basis for building a cyber security resilient operation.
An example of why this is important has been the growth of controls covering health and safety. Mandatory compliance regulations and reporting are now standard practice. Should there be a serious health and safety issue the mandatory reports are used to provide evidence of best practices and help demonstrate compliance. This has not only helped to protect people but has also become part of the corporate culture.
Taking Corporate Responsibility for Cyber Resilience
Assessing the business value of cyber resilience comes in several forms. A privacy breach, for example, can damage customer goodwill for the long term. Compliance violations and fines can damage the confidence of stakeholders and even impact board tenure. Gartner notes that organizations need to create their own value chain, looking at the continuum of security/risk dependencies, IT dependencies, business process and business outcomes and determining the causal relationships connected to each dependency. The message is, reporting tied to business value needs this level of analysis to support board evaluation of risk and to determine risk tolerance.
In parallel, the cyber security industry is now working with regulators and businesses alike to develop the concept of a set of formal statements around cyber resilience to provide evidence of best practices and proportionality, backed up by standards, technical assessments, maturity models and a number of other relevant metrics. These documents will then be signed off by suitably credentialed professionals from within the cyber security industry and combined to provide an overall opinion on the company’s cyber security resilience.
By more extensive risk reporting and analysis and standardizing on cyber resilience criteria within the security industry, boardrooms will be able to make better informed assessments of their company’s risk posture and plan more carefully for investments for a more secure future.
What are your thoughts on the topic?