In an industry plagued with FUD, how can boards decide what’s really important?
Rarely a week goes by without hearing another war story about a hacked company and how its cyber security failed it. Board members and senior executives are struggling to understand what’s really important amongst all the vendor messaging, hype and plethora of bad advice. It would seem everyone is a security expert, yet no one answers the most basic question: how do we keep the business safe? Let’s explore this conundrum and look at the crux of what boards and executives need to understand about this complex, yet very real, issue.
Defining the Problem
It’s easy to blame the media, since the worldview on hacking and cybercrime is plagued with messaging of fear, uncertainty and doubt. Anyone reading the news would think that cyber Armageddon is all but upon us, yet the wheels of commerce are still turning and very few of us are actually suffering in our day-to-day lives. The answer lies in understanding proportionality and, more importantly, understanding what’s at stake. Firstly, the number of successful cyberattacks being recorded is growing year-on-year, and it’s not all targeting the US and EU. In fact, the global rise of cybercrime is significant: in 2018 alone, reports have come in from Israel, Hawaii, Luxembourg and Holland, alongside the big breaches, such as those affecting Equifax, Carphone Warehouse and the US Department of Homeland Security. From an executive and board point of view, each one of these breaches has a commonality that should raise concerns. The affected organisations had all invested many millions of dollars in cyber security controls. Yet, somehow, they still got hacked.
Further to the threat of hacking and data breaches, regulatory trends, both globally with GDPR and here at home in Australia with our notifiable data breach legislation, place increasing responsibility on boards and executives: their organisations must proactively prevent cyber-attacks and be able to properly report a breach to the regulator and to their clients.
All that said, security arrived on the executive agenda a few years back and has remained a board concern since, yet today many executives have become fatigued by the barrage of media and vendor hype and they have other things to think about – so we are again losing interest. Many executives also assume that all their previous investment in security has fixed the problem, so it’s time to start focusing on digital transformation. And this latter argument may be true, as long as there is an assurance that the people, processes and technology used to deliver security control throughout the organisation are run properly and they are holistically managing the risks.
Finally, the question of whether to invest in cyber insurance has also raised its head over the past few years. Cyber insurance is a relatively new product for insurers and underwriters, so there is a lot of miscommunication, misunderstanding and misleading information out there. However, the cyber insurance market is consolidating, and the global underwriters are rapidly seeing the value their new products bring to end customers. So if nothing else makes it on to the board agenda in 2018, cyber insurance should, as it could make the existential difference between the business surviving a targeted cyber-attack or not.
What Can Boards Do?
Good security advice arriving at board level is rare, since information security managers often don’t know how to communicate with the business. We’ve been saying this for years, but with cyber security being such a technology-focused industry, conversations rapidly descend into discussions of IP packets, protocols and even lines of code, which immediately puts the manager offside with executives. Information security managers quickly get labelled as opportunists furthering their own agenda to build an empire, with self-serving investment requests for more people and technology.
Boards should change the conversation and demand that it is always about risks and residual risks. They could even remove cyber security as a standing agenda item, instead relegating it to the risk discussion that takes place when the overall business risk register is reviewed. At that stage, the information security manager can be brought in as a subject matter expert to answer questions, but they should not have a position on the board or steer the dialogue.
Boards need to be laser focused on the context of cyber security within their organisation: it is a function of business risk management, and its efficacy is measured using the same kinds of metrics used to monitor other risk-related functions, such as health and safety reporting.
In these days of increased regulation and legislation, the other consideration is transferring some of that risk to an insurer. Boards are used to dealing with insurers and understand the potential liabilities carried by the company and by themselves. Tabling a discussion on cyber insurance and seeking quotes and cover should be the next board initiative in the security space. The information security manager’s plea for investment should be countered with an evaluation of managed security service providers (MSSPs), since the ongoing operational cost of keeping a team and managing the technology in-house ends up being a lot more than outsourcing. Boards should look to engage the very best MSSP, one that can monitor their environment 24x7x365 using highly trained expert staff (the ones the business cannot afford to hire as permanent employees), and work with the MSSP and their insurance company to come up with an operational security capability that keeps the threats at bay. The MSSP should cover day-to-day monitoring and alerting, incident response and even automation of remediation activities, which allows the board to focus on more strategic considerations. Even the information security manager should step back from operational security and focus on tactical plans that support the overall business strategy.
Picking an MSSP
The question is, how do you select an MSSP when the market seems so crowded these days? The answer is straightforward – look for a track record, interview their staff (both the managers and the analysts) and seek references from other customers.
Have the information security manager document the security monitoring use cases (or include a request for this in your approach to the market) before going to contract with an MSSP. It’s important to see how they detect and respond to specific kinds of threats. Also, focus on security outcomes and performance metrics, and define KPIs for the MSSP to monitor so that service deficiencies are spotted and acted on. Look for a commitment to continual service improvement: the security landscape is always changing, so the MSSP’s service should never stand still.
If you can find an MSSP that already has a relationship with an insurer, this takes away some of the risks of engaging the MSSP. You can rest assured that the insurer will pay up should an incident occur, which should cover the costs of the investigation and the restoration of normal service.
Finally, get multiple quotes. In your request for pricing, ask as many hard questions about the pedigree of their staff and of their service as you can. Challenge them, and also challenge the norm in terms of how you engage them. Demand depth of monitoring from within all your networks, and ensure they have the ability to integrate with your IT service management framework as well as your technical systems. If they understand this and have a good record in IT service management, then the chances are they will provide a reasonable service.