When was the last time that cybersecurity and data breaches were topics in your company’s Board or Audit Committee meetings? Almost every meeting? Well, your company is not alone. It is now mainstream for executives or board members to raise cybersecurity issues in high-level meetings as a measure of managing risk. In addition, Board members need to understand how current trends affect any organization where they have fiduciary responsibilities. These technical topics continue to proliferate, necessitating complex discussions between the Board and senior management.
If this is the norm in your organization, are you, as a CIO or CISO, getting the visibility needed to reduce risk? Like me, you were probably not hired to sugarcoat anything. Your job is to address the negatives, tackling tough issues head-on, with a tenacity that can protect the organization. So, how are you using this airtime effectively to communicate and quantify your organization’s risk posture?
The following scenario plays out all too often: a Board Director says, “Can you assure the Board that we will not have a breach?” As difficult as it is to answer this question, your innate desire is to appease Board members and respond with an absolute. But pragmatically, you can never ensure that staff won’t click a malicious link, or that your organization won’t become a direct target in a hacking campaign. You can only respond to the Board with reasonable assurances that the organization hasn’t had a breach and that you will diligently monitor and apply the right controls to any security event activity. Likely, this is not the response the Board wishes to hear, and the uncomfortable silence while you await acknowledgement from Board members is difficult.
So how can you tell if you are Secure?
It is interesting to me that internal and external auditors have all the definitive answers to their point-in-time audits within these meetings. Even further, Board members seem to be more receptive to auditors when addressing risk and cybersecurity questions. The auditors swoop in for the audit, compile a list of vulnerabilities and infractions, and then leave with a clear conscience. They go home and sleep well knowing they covered their structured audit framework and all was accepted by the Board.
The problem is that a compliance-focused audit approach is not comprehensive enough to address today’s real threats, and it often falls short of tackling ongoing cybersecurity risks. It is the knowledge of security risks beyond the audit that causes CIOs and CISOs to toss and turn every night. They understand that an audit is only a point in time, with a controlled scope, and therefore the risk is easier to quantify given this limited scope. Even if the items on an auditor’s list are small or minor, it is what is not included in the audit that causes nightmares.

CIO Insight, Thomas Hill, December 2015, p. 26
Commonly, real-time security concerns are left unaddressed within a typical security-focused internal audit, given that an audit is point-in-time. When you meet with the Board to discuss real-time cybersecurity concerns, efforts to communicate the risk often fall short. This is a result of using tools that may not quantify the real-time technical risks adequately to reassure senior executives and Board members. What is needed is a governance tool that allows risk to be quantified on a continuous basis, as opposed to individual point-in-time audits.
You don’t sleep well at night because you know an attack can occur any time, and your cyber adversaries aren’t using a spreadsheet or audit framework to hack your environment. The miscreants are using all means necessary to find potential cracks in your network.
So, with all this uncertainty, how do you know your company is secure, and how do you provide top executives with reasonable assurances that risks do or do not exist? In the past, you had Security Information and Event Management (SIEM) tools that consolidated event data into a seemingly easy single-view portal intended for quick identification of and quick action on security events, and for risk quantification. However, companies that deployed SIEM tools actually ended up with large budgeted and unbudgeted projects, heavy customization, and too much data. Early SIEM technology produced large volumes of event data but failed to deliver the data correlation companies needed to proactively conduct security incident response and communicate the risk. With the data volumes pouring in, the search and action capabilities that early SIEM promised never really materialized.
Big Data becomes De Rigueur
Using the analogy of a needle in a haystack, the needle being the miscreant traffic, the important event traffic that SIEM technology identified was buried deeper in the haystack the more you moved the hay. Because of this flaw, companies looking to be more proactive adopted Big Data analysis tools to correlate their event data in more flexible ways. Big Data analysis tools have now become a prerequisite for proactive analysis of cybersecurity threats. Although many Big Data engines exist, unfortunately few are customized specifically for cybersecurity purposes.
If you have Big Data analysis within your security process, how do you report on the data in a way that is meaningful to top leadership? There is no doubt that using Big Data as a SIEM tool has improved the security incident management process. The upside is that if enough data is captured from the right controls with the right visibility, it is likely your security response will be proactive. With this technology and extended visibility, you should be more comfortable reporting to the Board that controls are operating effectively to identify and ultimately mitigate cybersecurity risk. But the reality is that security analysis is still very technical, which makes it difficult to explain and communicate at the Board level.
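The two ideas above, correlating raw events so the needle stands out from the hay, and then rolling the result up into something continuous that a Board can read, can be shown in a small script. The following is an added example written for this page, not code from the article or from any SIEM or GRC product. The event schema, the sample events, the mapping of event types onto named controls ("identity", "endpoint", "network"), the severity weights and the two correlation rules and their thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources (not real data):
# (timestamp, source, event_type, subject, detail)
SAMPLE_EVENTS = [
    ("2015-12-01T09:00:05", "auth",     "login_failed",    "alice",    "10.0.0.7"),
    ("2015-12-01T09:00:09", "auth",     "login_failed",    "alice",    "10.0.0.7"),
    ("2015-12-01T09:00:14", "auth",     "login_failed",    "alice",    "10.0.0.7"),
    ("2015-12-01T09:00:31", "auth",     "login_ok",        "alice",    "10.0.0.7"),
    ("2015-12-01T09:10:00", "endpoint", "malware_blocked", "wkstn-12", "trojan.generic"),
    ("2015-12-01T11:00:00", "auth",     "login_failed",    "carol",    "10.0.0.9"),
    ("2015-12-01T11:30:00", "firewall", "deny_outbound",   "wkstn-12", "203.0.113.5:4444"),
    ("2015-12-01T11:31:00", "firewall", "deny_outbound",   "wkstn-12", "203.0.113.5:4444"),
    ("2015-12-02T08:00:00", "auth",     "login_ok",        "dave",     "10.0.0.3"),
]

# Assumed mapping of technical event types onto the controls a Board hears about.
EVENT_CONTROL = {"login_failed": "identity", "login_ok": "identity",
                 "malware_blocked": "endpoint", "deny_outbound": "network"}
SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 1}  # assumed weights


def parse_events(rows):
    """Turn raw tuples into dicts with real timestamps, sorted by time."""
    events = [{"ts": datetime.fromisoformat(ts), "source": src, "type": typ,
               "subject": subj, "detail": det} for ts, src, typ, subj, det in rows]
    return sorted(events, key=lambda e: e["ts"])


def rule_failures_then_success(events, window=timedelta(minutes=5), min_failures=3):
    """Correlation rule 1 (assumed): at least `min_failures` failed logins for the
    same account from the same address, followed by a successful login within
    `window`. One failed login is hay; this sequence is a needle."""
    findings = []
    per_key = defaultdict(list)
    for e in events:
        if e["source"] == "auth":
            per_key[(e["subject"], e["detail"])].append(e)
    for (account, addr), seq in per_key.items():
        for i, e in enumerate(seq):
            if e["type"] != "login_ok":
                continue
            recent_fails = [f for f in seq[:i]
                            if f["type"] == "login_failed" and e["ts"] - f["ts"] <= window]
            if len(recent_fails) >= min_failures:
                findings.append({"control": "identity", "severity": "high",
                                 "subject": account, "ts": e["ts"],
                                 "summary": f"{len(recent_fails)} failures then success from {addr}"})
    return findings


def rule_block_then_egress_denies(events, window=timedelta(hours=3), min_denies=2):
    """Correlation rule 2 (assumed): malware blocked on a host, then repeated
    outbound denies from the same host within `window`, which suggests the
    block was not the end of the story and the host needs a closer look."""
    findings = []
    for b in (e for e in events if e["type"] == "malware_blocked"):
        denies = [e for e in events if e["type"] == "deny_outbound"
                  and e["subject"] == b["subject"]
                  and b["ts"] < e["ts"] <= b["ts"] + window]
        if len(denies) >= min_denies:
            findings.append({"control": "endpoint", "severity": "medium",
                             "subject": b["subject"], "ts": denies[-1]["ts"],
                             "summary": f"{len(denies)} egress denies to {denies[-1]['detail']} "
                                        f"after {b['detail']} block"})
    return findings


RULES = [rule_failures_then_success, rule_block_then_egress_denies]


def risk_scorecard(rows, as_of, window=timedelta(days=1)):
    """Continuous roll-up over a rolling window ending at `as_of`: per-control
    event volume, correlated findings and a weighted score, plus one overall
    risk level. This is the governance view; the rules above are the technical view."""
    as_of = datetime.fromisoformat(as_of)
    events = [e for e in parse_events(rows) if as_of - window < e["ts"] <= as_of]
    card = {c: {"events": 0, "findings": [], "score": 0} for c in set(EVENT_CONTROL.values())}
    for e in events:
        card[EVENT_CONTROL[e["type"]]]["events"] += 1
    findings = [f for rule in RULES for f in rule(events)]
    for f in findings:
        card[f["control"]]["findings"].append(f["summary"])
        card[f["control"]]["score"] += SEVERITY_WEIGHT[f["severity"]]
    if any(f["severity"] == "high" for f in findings):
        overall = "elevated"
    elif findings:
        overall = "guarded"
    else:
        overall = "normal"
    return {"as_of": as_of.isoformat(), "window_hours": window.total_seconds() / 3600,
            "overall": overall, "controls": card}


if __name__ == "__main__":
    import json
    print(json.dumps(risk_scorecard(SAMPLE_EVENTS, "2015-12-02T00:00:00"), indent=2))
```

Run the same function at a series of `as_of` points and you get the trend line the article asks for: a score per control that moves as events arrive, rather than a list of findings frozen at audit time. The raw event counts stay in the output on purpose, so that a reviewer can see whether a quiet scorecard reflects a quiet environment or a missing log source.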
Clearly, we need to bridge the gap between the technical and administrative controls in the world of cybersecurity. The only way forward is to evolve from a compliance-focused approach to a more risk-based, continuous-audit approach with governance reporting. This is an important progression of the security technical controls into an administrative reporting tool.
Governance, Risk and Compliance is the Missing Puzzle Piece
Internal and external auditors are using Governance, Risk and Compliance (GRC) platforms every day to educate and communicate to executive management. I believe that the evolution of Big Data analysis for cybersecurity must include similar components found in GRC tools. Bridging the gap between technical and administrative reporting will allow CIOs and CISOs to proactively address current threats, while at the same time providing valuable reporting to the Board.
The evolution of reporting on cybersecurity, the technical component within Big Data analysis and the administrative component within GRC, is becoming even more important, especially for financial institutions. In the U.S., the Federal Financial Institutions Examination Council (FFIEC) has provided required guidance via examination handbooks that will specialize in cybersecurity. Financial institutions could be audited based on this framework, which will include formal and effective Board reporting on cybersecurity. It will be important not only to answer the question, “How do you know your organization is secure?” but also to be able to provide that critical detail to Board members and ultimately pass an examination by Federal regulators. As for me, I may never sleep well, as I know that evolution is an ongoing component of any security strategy that addresses an ever-changing threat.