In the wake of a number of recent high-profile, damaging cyberattacks—including the breach of the Office of Personnel Management, which compromised the sensitive information of millions of federal employees—executives and board members are gradually becoming aware of today’s cyber threats and the potentially devastating impact these can have on their organizations.
However, most executives are limited in their knowledge of security.
In response, software provider Tripwire recently asked 22 prominent experts in the cyber field how security teams can improve their executives’ cybersecurity literacy. The consensus?
Use recent major events to connect to executives.
One of the key ways security professionals can help boards/executives improve their cybersecurity literacy is to connect recent major security incidents with the tools that can be used to prevent, mitigate, and respond to them, according to David Meltzer, Chief Research Officer at Tripwire.
Using recent security incidents as a jumping-off point can help educate executives on how these incidents relate to them.
“The latest major breaches all make it to the Wall Street Journal, so you can assume you don’t need to convince these people that security is a real problem and they should worry about it,” said Meltzer. “They know it is a problem, and they are worried. But they probably do not know what they can actually do about it.”
Putting cybersecurity in terms executives understand is crucial. According to Larry Clinton, President and CEO of the Internet Security Alliance, “Board members are not comfortable talking about technical standards and NIST Frameworks, so we need to contextualize cyber security in terms they understand—growth, profitability and innovation.”
Similarly, Thom Langford, an award-winning security blogger, said cyber risk needs to be put in terms executives can understand.
“One approach is to try to convey cyber security risks to executives in terms that they readily understand, e.g. financial, personnel, or legal,” said Langford. “Even so, getting members of the information security team to be represented at the executive level of an organization is a far more effective first step in helping board members understand cyber security as much as they understand other business functions.”
Overall, communication is key. In fact, Sarah Clarke, a security Governance, Risk and Compliance specialist with 14 years’ hands-on experience in IT, says, “Effective communication isn’t just nice to have; it’s the hub around which all security value cycles.”
Security incidents are not a matter of “if” but of “when.”
Theresa Payton, who served as White House CIO from 2006 to 2008, emphasized that organizations often put off cyber planning until it is too late, falling victim to the mentality that “it’s not going to happen to me.” Consequently, it is crucial that organizations start planning for a breach before it happens.
Executives need to understand that a cyber-attack on the organization is not a matter of “if” but of “when.” Payton believes prevention is key, saying, “The best way to assess the impact of security incidents is before the breach happens.”
Similarly, Lee Munson, recognized by Tripwire as an InfoSec educator, said, “The effective assessment of a security incident begins long before any such event ever occurs.”
Security professionals can help executives understand the impact of a breach on their organization by framing the incident in terms of cash flow and reputation loss. Alex Hutton, Director of Operational Risk at Zions Bancorporation, says that what makes breaches so catastrophic is often the damage to reputation.
However, Hutton notes, “it remains to be seen if a series of breaches may devastate a brand, not unlike how a series of low quality products might devastate an automobile brand.”
There is no perfect framework for assessing risk.
In assessing whether an organization is acting prudently over security matters, a “cookie cutter” approach should be avoided, since every organization is unique. Rather than comparing themselves to other organizations, executives should be determining whether what they are doing is what their shareholders expect them to be doing.
“The simple answer is that there is no perfect framework,” said James Arlen, Director of Risk and Advisory Services at Leviathan Security Group. “Every organization actually is a unique and special snowflake.”
In addition to there being no perfect framework, executives should also avoid relying on just one. Frameworks often vary based on the size of the organization and the specific industry.
“Over the years, I’ve found that you cannot depend upon just one framework,” said Rebecca Harold, CEO of Privacy Professor and partner for the Compliance Helper and BA Tracker. “You need to use a variety of frameworks in order to help fill in the gaps that separate them.”
Overall, the key to an effective framework is adoption. If the framework is not honestly adopted by the organization, it loses its value. According to James J. DeLuccia IV, a Senior Manager in the Advisory Services practice of Ernst & Young LLP, “To prudently assess an organization’s security matters, a frank review of the function of security is required. A framework is only as valuable as honest adoption; here it is the principal requirement for senior leadership.”
There is no single threat landscape.
Today, security teams need to be aware that there is no longer a single threat landscape; rather, it is layered, according to Martin Fisher, who leads the security team at Northside Hospital in Atlanta, Georgia. These layers include automated attacks, smarter attacks against any target of opportunity, and targeted attacks.
“Security needs to realize that there is no single threat landscape anymore,” Fisher said. “The threat landscapes are stratified, and each one requires different perspectives and responses. At the lowest layer, we have to defend against the automated scans and attacks that happen everywhere all the time. In the middle, we have to protect against smarter attacks against any target of opportunity. Finally, at the top layer, we have to deal with the targeted attack. We have to evaluate our specific risk from each layer and act (and spend) wisely.”
The threat landscape is constantly evolving.
While the threat landscape is constantly evolving, the development of new technologies to combat these evolving cyber threats is struggling to keep up. According to Tony Bradley, a respected authority on technology and founder of Bradley Strategy Group, “Threats continue to evolve and mature as fast or even faster than the technologies they target.”
As threats evolve, Bradley states it is imperative that security professionals operate from the assumption that they have already been compromised. Organizations should continuously monitor for malicious behavior. In turn, Bradley says, “That will shorten the time it takes to detect and identify attacks and minimize the scope of the damage to data and network assets.”
Furthermore, the evolving state of cybersecurity demands security professionals with the knowledge and technical understanding of these new breeds of cyber threats.
“The future Threat Landscape is now dictating the need for a new breed of security professional who is willing to evolve and immerse themselves into the world of cyber security with less emphasis on understanding the conventions and soft niceties of standards and guidelines,” said John Walker, an established and experienced provider of CSIRT, cybersecurity, and cyber forensics training courses to both the public and private sectors.
Security professionals also need to be innovative in their approach to preventing and mitigating attacks. Moreover, these professionals also need to be able to communicate with executives and board members and advise them on risks, says Nikk Gilbert, an expert with 18 years of executive-level experience in cyber security and information technology.
“It’s quite clear that threat actors are always looking for the shortest path to the most reward,” said Gilbert. “Security professionals need to be innovative thought leaders who share a common vernacular with Boards and Executives to advise them on these risks. It is only then that the business, information security, enterprise risk and other organizational players can build an effective program to protect our future.”