Tenable's Adam Palmer, Chief Cybersecurity Strategist, and John Salomon, FS-ISAC Director, Continental EU, Middle East, & Africa, explain the benefits of CFOs and other executives involving cybersecurity in their roles.
A commissioned study conducted by Forrester Consulting, on behalf of Tenable, found that currently only four in ten UK business leaders can confidently answer the question, “How secure are we?” There is a disconnect between business leaders, financial teams and security leaders in how they manage and communicate cyber risk. As such, cybersecurity needs to evolve as a part of the business strategy.
Most mature businesses understand how to perform a basic assessment of the wide range of risks that impact their organisation. Cyber risk is often the exception. Cyber risk management is well established. However, business leaders, such as CFOs, don’t usually “speak” security, and techies don’t often know how to quantitatively measure, or explain, the degree of exposure to cybersecurity threats in a business context. As a result, the link between cybersecurity and the business can be lost in translation. Security is often seen solely as a cost to the business, rather than a means of preventing losses, or even a driver for increased revenue and overall success. Aligning the security programme to financial objectives improves understanding of value and drives support for corporate policies that support effective cyber risk management.
Responsibility for ensuring effective cybersecurity risk management does not belong entirely to the CISO. Success depends on the rest of the organisation making an effort to also understand cybersecurity risk. This is not to say that a CFO must be a cybersecurity expert, as the onus is on the CISO to “speak the language of business.” Rather, financial leaders should at least have a fundamental grasp of cybersecurity. Using car ownership as an analogy, a driver does not have to know how to assemble an internal combustion engine. It is reasonable, though, to expect a competent driver to understand how to change a flat tire, check the oil level, and most crucially, when to listen to a professional mechanic.
Most importantly, the infosec organisation must not be seen as a necessary evil. Rather than treating the CISO and their team as expensive alarmists, a CFO must make an effort to comprehend some of the basic concepts of cybersecurity, and the ramifications to the organisation’s finances of not having a capable, empowered security organisation. Furthermore, the cybersecurity organisation can only do its job effectively if its security risk assessment activities are backed by unambiguous, strong policies.
The CISO must distil the highly complex topic of cybersecurity into concise, relevant messages without “dumbing it down” for business and finance leaders. While the CISO should present a measurable view of the organisation’s cyber risk exposure using internal and external comparative benchmarks, the CFO should ensure they understand the basics around:
Describing the target state of the security programme should be based on an understanding of risk, not blindly applying capability maturity levels. Organisations need the ability to identify and quantify their level of risk and exposure. This should be done in collaboration with the C-Suite. Cross-functional collaboration will turn the organisation’s security strategy into a “living” strategy, and ensures business alignment on priorities, costs, and needs.
Many organisations will look to regulatory standards to determine their cybersecurity goals or “target state.” While there is value in meeting these baseline requirements, checking a box doesn’t necessarily equate to appropriate secure practices or addressing financial risk. Minimum, compliance-based security is not adequate security. Instead, organisations should work to really understand their critical assets, identify the vulnerabilities that affect them and create a security programme that addresses this.
By adopting a quantifiable approach to security that benchmarks internally and externally, and is aligned to business and finance objectives, it becomes much easier to define a target risk state and measure overall effectiveness. This also allows a firm to get a head start on meeting their regulatory requirements and improving communication with regulators.
CFOs need to work with CISOs in order to gain an understanding of their company’s security risk and the financial costs associated with it, both the potential losses and the technology investment that may be needed to reduce them. While finance can’t be expected to understand the technology or how it works, it is important to understand why it matters, including the role each new investment plays in closing the cyber exposure gap. To provide the level of detail needed to determine and reduce risks, the CISO needs to be able to determine, understand and report the following information to senior management:
Historically, cybersecurity initiatives are seldom aligned with business and finance objectives, but that must change.
Security leaders are challenged to prioritise where they focus effort — not just when it comes to vulnerabilities, but their entire cybersecurity strategy in general. By placing cyber risk management as part of an overall risk framework, business and financial executives can more easily assess whether best practices are being implemented effectively.
To do this, the CFO must work with the CISO to align cost, performance, and risk reduction objectives with business needs. This means providing a holistic understanding and assessment of the entire attack surface, with good visibility into the security of the most business-critical assets. The CFO should seek defined metrics and benchmarking processes, tied to business performance and process improvement from the CISO. Adopting this transparent, quantifiable approach will help the business understand cyber risk clearly, predict new threats, and act effectively.
The result is business-aligned security leaders who ensure their strategies are in lockstep with financial priorities. This collaboration with the CFO not only develops effective strategies and communicable metrics, but actually works to support organisational goals.
Martin Landless, Vice President for Europe at LogRhythm, explains how financial services can keep pace with outside threats.
It is more than possible to remain at the forefront of the digitalisation of the industry and to keep secure, but to do so relies upon focusing on a confluence of people, process and technology. Through this holistic focus, a culture of cybersecurity can be created that protects the important institutions through which it is fostered.
Simply put, cybersecurity is now an integral element of financial services. After all, assets and interactions have moved online. However, in the face of a cyberattack, a company can be subject to a costly halting of operations, a colossal hit to consumer confidence and a General Data Protection Regulation (GDPR) fine from which it might never recover. This is especially true throughout the COVID-19 pandemic, where, according to the National Cyber Security Centre (NCSC), cyberattacks are reaching fever pitch.
Given the sensitivity of the data they manage, financial services organisations must have a mature security operation in place to deal with the threat actors they attract. The maturity of a security operation can be measured by two important variables: mean time to detect (MTTD) threats and mean time to respond (MTTR) to them.
Reducing MTTD and MTTR is crucial and can be achieved through technological solutions which allow for the automation of workflows; this frees up the vital time of security teams to focus their attention where it is most needed. This is especially important in an industry facing a stark skills shortage, with the UK Government finding that 48% of businesses have a cybersecurity skills gap in 2020. Visibility is another salient variable, as cybersecurity teams must be able to immediately see shifts in behaviour in the network to recognise imminent threats as they arise.
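The two metrics above are only useful if they are computed the same way every month. The following added example (not code from the article or from LogRhythm) computes MTTD and MTTR over a constructed set of incident records and flags the incidents that missed a target. It assumes a simple three-timestamp model per incident (first attacker activity, detection, containment), measures MTTD as detection minus first activity and MTTR as containment minus detection, and rejects records whose timestamps are out of order, since a single bad record silently skews a mean.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records for illustration (not real data).
# first_activity: earliest evidence of attacker activity
# detected:       when the SOC raised the alert
# contained:      when the threat was contained
INCIDENTS = [
    {"id": "INC-001", "first_activity": "2020-03-02T08:00:00",
     "detected": "2020-03-02T12:00:00", "contained": "2020-03-02T14:00:00"},
    {"id": "INC-002", "first_activity": "2020-03-05T22:00:00",
     "detected": "2020-03-06T06:00:00", "contained": "2020-03-06T10:00:00"},
    {"id": "INC-003", "first_activity": "2020-03-10T09:30:00",
     "detected": "2020-03-10T09:45:00", "contained": "2020-03-10T12:45:00"},
    {"id": "INC-004", "first_activity": "2020-03-15T01:00:00",
     "detected": "2020-03-15T13:00:00", "contained": "2020-03-16T04:00:00"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def _validate(inc):
    """Reject records whose timestamps are not in chronological order."""
    first, det, cont = (_parse(inc[k]) for k in ("first_activity", "detected", "contained"))
    if not (first <= det <= cont):
        raise ValueError(f"{inc['id']}: timestamps out of order")


def detection_hours(inc):
    """Time from first attacker activity to detection, in hours."""
    _validate(inc)
    return (_parse(inc["detected"]) - _parse(inc["first_activity"])).total_seconds() / 3600


def response_hours(inc):
    """Time from detection to containment, in hours."""
    _validate(inc)
    return (_parse(inc["contained"]) - _parse(inc["detected"])).total_seconds() / 3600


def mttd(incidents):
    """Mean time to detect across the incident set, in hours."""
    return mean(detection_hours(i) for i in incidents)


def mttr(incidents):
    """Mean time to respond across the incident set, in hours."""
    return mean(response_hours(i) for i in incidents)


def missed_targets(incidents, mttd_target_hours, mttr_target_hours):
    """IDs of incidents whose detection or response time exceeded a target.

    The mean hides outliers; reporting which incidents blew the target is
    what lets the board see where automation or staffing is needed.
    """
    return [
        i["id"] for i in incidents
        if detection_hours(i) > mttd_target_hours or response_hours(i) > mttr_target_hours
    ]


if __name__ == "__main__":
    print(f"MTTD: {mttd(INCIDENTS):.2f} h, MTTR: {mttr(INCIDENTS):.2f} h")
    print("Missed 8h targets:", missed_targets(INCIDENTS, 8.0, 8.0))
```

Reporting the per-incident outliers alongside the mean is deliberate: an MTTR of six hours looks healthy until the one incident that took fifteen hours to contain is shown separately.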
However, although technological innovation in the security response is a foundation of an effective culture of cybersecurity, this alone will not guarantee safety from attack.
It is incumbent upon the CISO and their security teams to make sure cybersecurity takes precedence in the minds of all who work at an organisation – after all, it takes only one employee falling victim to a phishing email to compromise a business. At the board level, CISOs must ensure that executives understand the challenges security teams encounter as an organisation navigates business dynamics.
As with all things, communication is vital in this pursuit. An aspect of this is in quantifying to the board the benefits and return on investment an effective security posture can entail. One method that a CISO can use to create a high trust environment is through partnering a member of the board with the security team.
This partner can explain the board’s perspective to the team from a purely business standpoint, allowing the team to present intelligence to the full board that demonstrates the business value of the security operations centre’s (SOC’s) methods and goals. This collaborative approach will strengthen both the security team’s understanding of business goals and the board’s understanding of why security is necessary.
One common event that may be viewed differently by the board and by security teams is business growth. Although such growth may indicate that a business is in robust health, it also opens multiple avenues through which a company can come under cyberattack.
For a start, cybercriminals keep close watch on business news and will be aware of a company’s raised profile. In the event of new staff, through partnerships or increased employment, security teams must make sure each new employee is vetted and safely added to the system. In the case of acquisitions, security teams must also effectively monitor new structures that are added to the network, and third-party connections with which they are not yet familiar. Indeed, a Gartner study earlier this year identified third-party cybersecurity risk as a key concern for half of legal and compliance leaders.
Key to this issue is the question of security budgets, and it is here board-level support is important. Traditional security budgets are often determined in advance and follow two common pricing models used by security vendors. These are the user-based model and capacity-based model; in the face of growth, both are fixed, and may leave security teams making difficult decisions as to where they safeguard their organisations.
Executives should instead employ a subscription-based model that offers the guarantee of scalable security at a determined rate; this will greatly alleviate the stress felt by security teams in what often should be an exciting time for an entire organisation.
Changing security budgets to better facilitate the work of SOCs represents a culture of cybersecurity being put into practice. Technological solutions are provided based on an understanding between security teams and the board on what is needed, allowing for better performance in MTTR and MTTD.
As Covid-19 has forced unprecedented circumstances and a wave of cybercrime upon security teams, it is as incumbent as ever for a culture of cybersecurity to be fostered within financial services organisations. Simply refusing further digitalisation in the name of security will see companies become obsolete in important areas such as customer experience, where their competitors will be innovating. Instead, a holistic approach encompassing people, process and technology will be vital to forging a secure path forward in the financial services industry.
The chances are your organisation is adopting cloud computing in one way or another. Moving to the cloud can help you accelerate IT delivery, realize immediate productivity and financial efficiencies, and ultimately, drive business agility. But it can also open up the attack surface, leaving the entire organisation exposed to security threats. Here Andrew Lintell at Tufin explains the ins and outs of cloud security and offers valuable insight on making it as tamper proof as possible.
The adoption of cloud services is continuing its rapid upward trend, and the market is expected to rise 18% this year to $246.8 billion. Networks are becoming more and more complex as the modern IT infrastructure adopts private and public cloud platforms to make better use of an array of cloud services.
Yet public and private cloud services can present many challenges to chief information security officers (CISOs) as they struggle to keep up with ever-evolving technologies and enrol multiple vendors to cater to different departmental needs – all in addition to the associated security risks to their businesses. Security leaders are aware that achieving business objectives depends on adopting security best practice across all levels of IT, including the cloud.
However, one of the problems is that some cloud services are being used without the knowledge of the IT department, bypassing security policies, and therefore the reach of enterprise security - otherwise known as Shadow IT. In fact, Gartner has predicted that by 2021, 27% of all corporate data traffic will bypass perimeter security (up from 10% today) and flow directly from mobile and portable devices to the cloud. This causes untold sleepless nights for CISOs and makes their job of managing and securing the use of rapidly multiplying cloud services across an entire, and often global organisation, a continuing battle. And to make things more complicated from a security point of view, many CISOs lack a single pane of glass view into their networks through which they can see and address risks.
With security now top of the agenda for organisations of all sizes, here we consider the primary challenges that CISOs need to address in order to close the security gaps that exist as they move to the cloud.
While most enterprises have already adopted private, public cloud, and hybrid network technologies, one of the biggest resulting challenges for CISOs is that cloud environments are dynamic, with limited visibility. That lack of visibility is likely the result of ownership over virtual infrastructure in public clouds now being held by central enterprise IT teams. With the inclusion of the public cloud, networks are increasingly large, fluid in change, and complex, and so are the security policies needed to manage across multiple platforms and technologies.
With this in mind, it is no surprise that surveys consistently show that cloud security is an on-going struggle for IT security professionals, with many organisations reporting that it is difficult to get the same level of visibility into cloud-based workloads as they have on their physical network. Good data governance is key, and CISOs need to know where information is being shared and stored, and what cloud services the company might be using. One department might be daily users of Dropbox, for example, and another department might prefer to communicate and share files using collaborative tools such as Slack. Regardless of who is collecting the data, the points of data aggregation and storage need to be well documented and protected given the impending requirements, and penalties of non-compliance, with GDPR.
More often than not, enterprises decide to migrate their on-premises systems over time – a kind of ‘dipping a toe’ approach to public cloud platform adoption. Alternatively, they may migrate to a private cloud (or hybrid network) to maintain a higher degree of control. Regardless of their choice between the public or private cloud – or, in some cases, both – the problem is that cloud migration adds to the complexity of the network and inhibits visibility across it, as new vendors are introduced that bring with them increasing east-west traffic. To seamlessly map and consolidate the management of these platforms and avoid business disruption, enterprises must enrol the help of network security policy management across the corporate network to ensure visibility and consolidate the management of multiple tools.
Without visibility, it’s impossible for CISOs to enforce consistent policies and mitigate risks. Traditional security tools, like firewalls and intrusion detection systems, work effectively within an organisation’s four walls, but continuous manageability becomes difficult when it comes to adding additional tool providers necessary for the cloud. With a centralised view and management over a network through a single console, organisations can overcome the lack of visibility often associated with cloud adoption and simplify the management of security policies across multiple tools, mitigating risk and ensuring compliance across the entire enterprise.
Visibility also benefits from creating a risk ranking of the cloud services in use. This should include an assessment of whether a particular service has been breached recently, whether they encrypt data in transit and if their system has been patched or configured to address high profile threats like the infamous Heartbleed, WannaCry, or ExPetr, for example.
As part of the process of moving data from a company’s internal system to the cloud, organisations are forced to examine closely how that data will be kept so that they remain compliant with laws and industry regulations. This raises a whole range of questions for security professionals. Where will our data be stored? Who is looking after it? Who will be able to see it and can we control that access? How secure is that cloud platform? Have we ensured that our deployments have been effectively and securely configured?
The types of data organisations store could be anything from intellectual property, to payment information, to personal data. Each data type has regulatory requirements to comply with. For example, the payment card industry data security standard (PCI-DSS) is a proprietary information security standard for organisations that handle card data, and the upcoming General Data Protection Regulation (GDPR) is the new legal framework in the EU covering personal data.
Data must be classified, and organisations must understand what data can be allocated to the cloud and what may need to remain stored in-house. Organisations must also know how - and where - data is being protected and backed up.
The complex IT environment that CISOs have to contend with today includes multiple endpoints subject to the fluctuations brought on by a wide range of mobile devices and desktops. End users are choosing multiple cloud vendors, but many of the features that make cloud-based applications so attractive, such as sync, share, and ease of collaboration, are the very things that put corporations at risk when it comes to cloud usage.
Securing hybrid environments requires CISOs to gain control of their security configurations in the cloud. Best practice revolves around developing a unified security policy with a detailed snapshot of the entire network, defining what type of data is in use and prescribing the appropriate measures for each type. When enterprises can quickly and accurately apply a policy – regardless of the environment – both control and business agility are gained.
Finally, organisations need to control who has access to specific data sets. This means that as people come in and out of an enterprise, revoking access credentials is very important for former employees. The danger is that when people leave, they still have access to information stored through cloud providers.
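The leaver problem above is easy to state and easy to get wrong in practice, because each cloud provider keeps its own user list. The following added example (not code from the article or from Tufin) shows the reconciliation check a security team can run: it compares a constructed HR leavers list against constructed account exports from two cloud applications and reports every account that is still active after its owner’s leave date, marking those that were also used after that date, which are the ones that need an incident review rather than just deprovisioning. All names, dates and application labels are invented for the example.

```python
from datetime import date

# Constructed HR leavers feed (not real data): who left, and when.
LEAVERS = [
    {"email": "alice@example.com", "left_on": "2020-02-28"},
    {"email": "bob@example.com", "left_on": "2020-03-10"},
]

# Constructed account exports from two cloud applications. Note the mixed
# e-mail case in the CRM export: real exports are rarely normalised.
APP_ACCOUNTS = {
    "crm": [
        {"email": "Alice@Example.com", "status": "active", "last_login": "2020-03-03"},
        {"email": "carol@example.com", "status": "active", "last_login": "2020-03-11"},
    ],
    "file-share": [
        {"email": "alice@example.com", "status": "suspended", "last_login": "2020-02-20"},
        {"email": "bob@example.com", "status": "active", "last_login": "2020-03-01"},
    ],
}


def _norm(email):
    """Normalise addresses so 'Alice@Example.com' matches 'alice@example.com'."""
    return email.strip().lower()


def orphaned_accounts(leavers, app_accounts, as_of):
    """Return accounts still active in any app for people who have already left.

    as_of is the date the check runs; a leaver whose leave date is in the
    future is not yet an orphan. Each finding records whether the account
    was used after the leave date, which distinguishes "forgot to revoke"
    from "someone may still be using it".
    """
    as_of = date.fromisoformat(as_of)
    left_on = {_norm(l["email"]): date.fromisoformat(l["left_on"]) for l in leavers}
    findings = []
    for app, accounts in app_accounts.items():
        for acct in accounts:
            email = _norm(acct["email"])
            if email not in left_on or acct["status"] != "active":
                continue
            leave_date = left_on[email]
            if leave_date > as_of:
                continue  # not a leaver yet as of this run
            last_login = date.fromisoformat(acct["last_login"])
            findings.append({
                "app": app,
                "email": email,
                "days_since_leaving": (as_of - leave_date).days,
                "used_after_leaving": last_login > leave_date,
            })
    # Accounts that were used after leaving come first: they need a review.
    findings.sort(key=lambda f: (not f["used_after_leaving"], f["app"], f["email"]))
    return findings


if __name__ == "__main__":
    for f in orphaned_accounts(LEAVERS, APP_ACCOUNTS, "2020-03-12"):
        print(f)
```

Running this on a schedule, with the HR feed as the source of truth, turns “revoke access when people leave” from a policy statement into a measurable control: the number of findings per run is a number a CFO can be shown.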
Organisations need a seamless way to bring infrastructure, people, and processes together - a “single pane of glass” that can manage security policies and configuration across the whole network. With cloud infrastructure now increasingly commonplace, it’s important that organisations follow best practice such as this, to make the cloud security experience as safe, sound, and secure as possible. The alternative would leave infrastructures exposed to the security threats that lurk around every corner.