<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Roota Almeida, Author at Security Current</title>
	<atom:link href="/author/roota-almeida/feed/" rel="self" type="application/rss+xml" />
	<link>/author/roota-almeida/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Tue, 19 Dec 2017 21:02:52 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Roota Almeida, Author at Security Current</title>
	<link>/author/roota-almeida/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Security Metrics Can Make or Break a Security Program; How to Present to the Board</title>
		<link>/security-metrics-can-make-or-break-a-security-program-how-to-present-to-the-board-2/</link>
					<comments>/security-metrics-can-make-or-break-a-security-program-how-to-present-to-the-board-2/#respond</comments>
		
		<dc:creator><![CDATA[Roota Almeida]]></dc:creator>
		<pubDate>Thu, 13 Apr 2017 01:37:46 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16297</guid>

					<description><![CDATA[<p>CISOs are often in a situation where the CEO or a Board member asks them, “Just how secure are we?” Or “Are we secure enough?” These questions sound simple, but&#8230;</p>
<p>The post <a href="/security-metrics-can-make-or-break-a-security-program-how-to-present-to-the-board-2/">Security Metrics Can Make or Break a Security Program; How to Present to the Board</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>CISOs are often in a situation where the CEO or a Board member asks them, “Just how secure are we?” Or “Are we secure enough?”</p>
<p>These questions sound simple, but are quite difficult to answer accurately. The quick answer to the question would be, “We are more secure today than we were before and are constantly striving to be better and one step ahead of the bad guys.”</p>
<p>However, while an answer like this may stave off other questions, it will not paint a complete picture. It will not show the efforts involved in trying to be a step ahead of the attackers. In today’s world no one can assure 100% protection. It’s not a matter of “if” you will be breached, but “when” you will be breached. Prevention is critical. However, focusing on faster and better detection and mitigation is equally and sometimes even more important.</p>
<p>A key component when moving forward in a security program and then presenting to the Board is to tie security initiatives to the company’s overall business goals and subsequent initiatives. If the goal is to expand the business and garner more clients, a CISO should focus on building a security program that meets these needs while reducing risks and mitigating threats.</p>
<p>Shifting the way security is perceived to that of supporting and enabling the company’s objectives is crucial for today’s CISOs. Security needs to move from a cost center to a business enabler. Being successful in portraying this will provide CISOs the support and partnership needed to build a successful Security Program. Talking the language of business is what will get you there! Security metrics, which are more granular, should be a part of other business metrics that matter in making business decisions.</p>
<p>A definitive strategy for a successful Security Program consists of four parts:</p>
<ol>
<li>What are the company’s (Board’s) objectives?</li>
<li>How does the CISO further these objectives?</li>
<li>Where was the security program in relation to these objectives until now?</li>
<li>Based on the current threats and associated risks, what is our strategy going forward?</li>
</ol>
<p>Security metrics are increasingly important in defining such a strategy. These metrics will give insight into the current threats and how your current efforts are panning out. When making decisions and relaying overall imperatives to the board, it is key to choose the appropriate metrics to generate and communicate.</p>
<p>Choose metrics that will help you paint a complete picture and make better decisions, not just in security but also across business units. Security metrics should be SMART (Specific, Measurable, Achievable, Relevant and Time-bound), similar to your goals. SMART Metrics = SMART Goals.</p>
<p>The Return on Investment (ROI) approach used in traditional financial metrics generally does not apply to security-related initiatives. Security is about risk management, threat mitigation and loss prevention. It’s not a conventional investment that will result in direct profit, though it can enable business. For a CISO, the way to calculate ROI on a Security Investment is by calculating how much loss was avoided due to your investment. It’s risk-based security.</p>
<p>Security Metrics will be helpful when they are:</p>
<ol>
<li><strong>Repeatable</strong>: A repeatable metric is something that is easy to gather and can be updated on a regular basis. It’s important to note that gathering metrics comes with a cost, similar to any other initiative in security. Suitable and repeatable metrics that leverage automation show important information that should be tracked over time.</li>
<li value="2"><strong>Know the Audience:</strong> Boards will be more interested in knowing how the security programs impact the business and that the business’s critical assets (proprietary information, their reputation, etc.) are being protected. Metrics should help the audience in decision making and not just tracking. They should enable the audience to actually take action and do something to move forward the aim of the business. Similar to any successful project implementation, one should start with gathering requirements and then work on achieving and tracking them.</li>
<li value="3"><strong>Tangible: </strong>The challenge with security metrics is to create tangible and accurate results, especially for the effectiveness of Risk and Governance controls such as policy and process implementation. It’s critical to create metrics that can be described using numbers. Starting with a high, medium, or low is okay as long as you can further refine it to be tangible.</li>
<li value="4"><strong>Quality over quantity: </strong>There isn’t a fixed number of metrics that is necessary but often in this scenario ‘less is more.’ It’s best you achieve maximum value from your current metrics before adding new ones.</li>
</ol>
<p>Defining a metrics program’s goals and objectives will help in developing the right strategies for generating these metrics. One can use several specific metrics like the following:</p>
<ol>
<li>Metrics showing how much potentially malicious content is being blocked or detected early enough to minimize damage, e.g. the number of potentially malicious sites blocked, potentially malicious emails blocked, viruses blocked, etc.</li>
<li>Malicious content that is undetected and passes through the defenses, resulting in an incident (not necessarily a breach), and what is being done to improve in that area.</li>
<li>Security incident metrics that were acted upon by the Security Incident Response Team to contain and resolve. Time spent on mitigating threats will help determine the ROI of the investment.</li>
</ol>
<p>If you do have qualitative measurements that are inaccurate or might not add value, skip them. The goal is to create accurate metrics, whether it’s for the effectiveness of processes or policies or for security awareness trainings to support the business.</p>
]]></content:encoded>
					
					<wfw:commentRss>/security-metrics-can-make-or-break-a-security-program-how-to-present-to-the-board-2/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Business of Security</title>
		<link>/the-business-of-security/</link>
					<comments>/the-business-of-security/#respond</comments>
		
		<dc:creator><![CDATA[Roota Almeida]]></dc:creator>
		<pubDate>Wed, 22 Jun 2016 13:43:59 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16361</guid>

					<description><![CDATA[<p>More and more devices are being Internet-enabled daily. To securely drive an organization’s digital strategy, CISOs need to better understand business and new technologies across groups within the enterprise. It&#8230;</p>
<p>The post <a href="/the-business-of-security/">The Business of Security</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>More and more devices are being Internet-enabled daily. To securely drive an organization’s digital strategy, CISOs need to better understand business and new technologies across groups within the enterprise. It is critical to learn how to create value from their data, and understand technical capabilities for the whole business, not just in the IT domain, and how they can be leveraged.</p>
<p>CISOs are in an ideal position to help design the end-to-end innovation process that leads to a more productive and more secure business, and then enable it. Innovation drives efficiencies and offers a competitive advantage; secure technology is one way of capturing both.</p>
<p>In this digital economy, CISOs must be data-driven. And from a security perspective, following that data makes it easier to secure the data path and data destination and to move the entire business forward.</p>
<h3>Big Data Security</h3>
<p>Today, practical applications for Big Data are growing and the amount of information managed by businesses of every size is reaching astronomical proportions. This has increased, and will continue to increase, the temptation for hackers. Big Data installations often still lack the necessary administration and security protocols. As is frequently the case, security seems to be an afterthought at best. When combined with the advancements in server-side attacks by hackers, Big Data installations become increasingly vulnerable. This could lead to hackers trying to infiltrate this growing platform.</p>
<p>Additionally, these installations deal with a variety of data, and information classification becomes even more critical; information ownership must be addressed to facilitate any reasonable classification. Another challenge is Big Data in the cloud. Storing it in the cloud, which is not inherently secured, does not eliminate an organization’s responsibility to protect it &#8211; from both a regulatory and a commercial perspective.</p>
<h3>Security Means Business</h3>
<p>To strike the right balance, a CISO must effectively communicate using the language of business with the board as well as executives in various parts of the organization and then leverage technologies across the enterprise to execute their plan. Security must be run as a business, enabling innovation and growth. Communication is the key and CISOs must deliver the right message.</p>
<p>Stay away from technical details. And avoid fear, uncertainty and doubt (FUD). Instead, express challenges and solutions in business terms (for example, “if budget is x, that puts us at y risk”), making C-suite colleagues part of the decision. In short, CISOs need to present the challenges in a non-threatening manner while providing the solutions in business terms. CISOs need to grow from subject matter experts to business advisers who help the C-suite improve the business and associated revenue.</p>
<p>Rather than thinking of cybersecurity in terms of a breach, a CISO needs to locate cyber security issues within the business decisions that a Board makes, such as mergers and acquisitions or new product launches. Security should be a part of these decisions just as legal and finance are.</p>
<p>Communication is the cornerstone to this. CISOs need to be “Security Communications Experts,” improving cyber security literacy across the C-suite. We must evolve from individual contributors to “Business Thought Leaders,” from Data Protectors to “Risk Managers,” from Enforcers to “Educators” and, last but not least, from backstops to “Trusted Advisors.”</p>
]]></content:encoded>
					
					<wfw:commentRss>/the-business-of-security/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Evolution of the CISO</title>
		<link>/the-evolution-of-the-ciso/</link>
					<comments>/the-evolution-of-the-ciso/#respond</comments>
		
		<dc:creator><![CDATA[Roota Almeida]]></dc:creator>
		<pubDate>Tue, 22 Mar 2016 15:23:51 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16398</guid>

					<description><![CDATA[<p>We are seeing that in quite a few organizations the Chief Information Security Officer (CISO) role is going through a period of transition. Leading organizations that didn’t have a CISO&#8230;</p>
<p>The post <a href="/the-evolution-of-the-ciso/">The Evolution of the CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>We are seeing that in quite a few organizations the Chief Information Security Officer (CISO) role is going through a period of transition. Leading organizations that didn’t have a CISO role are now actively scoping the responsibilities of this role.</p>
<p>To date, the security budget often remains a fraction of total IT spend, and a CISO likely will find himself or herself with key constituents in a range of departments across the organization, from IT to finance.</p>
<p>Within today’s reality, rather than reporting to the Chief Information Officer (CIO), which was common practice in organizations that had established CISO roles early on in the evolution of the CISO, some CISOs now are reporting to the CEO or Chief Financial Officer (CFO).</p>
<p>As the CISO role becomes more integral to the business and the bottom line, it is increasingly common for the CISO also to report into the board of directors or at the very minimum have a dotted line to the board.</p>
<p>This evolution illustrates the criticality of the CISO role and its move to a business enablement position. For example, in the event of a security incident that can directly impact revenue and reputation, the board requires an executive who understands business and security. Someone who can qualify and quantify risks in business terms and act accordingly.</p>
<p>As the CISO lifecycle continues, we will continue to see a clustering of responsibilities in the single role of the CISO. We are already seeing physical security, which has until recently been its own domain, become part of information security. As the CISO role becomes more business oriented, these groupings are increasing, with security, risk and privacy better viewed holistically.</p>
<p>At organizations, CISOs are evolving to balance risk and business. To do this, today’s CISO has a hybrid of skills. They have to effectively communicate with the board and managers across business units.</p>
<p>This next generation CISO is able to <strong>“<em>Run Security as a Business.</em>”</strong> In this respect, a CISO works with the business to facilitate innovation and growth. For today’s CISO, communication is the key to success.</p>
<p>CISOs need to be able to deliver the right message to secure the proper investment to make their new role a reality and a success. CISOs need to present the challenges in a non-threatening manner while providing the solutions in business terms. CISOs need to grow from subject matter experts to business advisers who help the C-suite improve business and associated revenue in a secure manner. Today’s CISO is a leader and a facilitator.</p>
<p>Rather than thinking of cybersecurity only during a breach, CISOs need to incorporate these matters within business decisions made by the board, whether they touch on mergers and acquisitions or new product launches. Security must be a part of these decisions just as legal and financial issues are.</p>
<p>Another fact is that cybercrime isn&#8217;t going to go away anytime soon and security will continue to be at the forefront for the foreseeable future. With breaches and cybersecurity incidents on the rise, CISOs will have the ability to effect change on par with changes implemented by the CFO, CIO and other key executives.</p>
<p>I would encourage organizations, as is the case today, to continue to include the CISOs as key business partners. Rather than security being a priority only among information security specialists within the organization, it is the CISO’s role to ensure that all staff members are aware, responsible and accountable for the security that touches their jobs.</p>
<p>This is imperative to the continued health of the business. Communication is now a cornerstone of the CISO role. CISOs need to be <strong>“<em>Security Communications Experts</em></strong>,” improving cyber security literacy across the C-suite.</p>
<p>CISOs are now evolving from a contributor to a <em>“Business Thought Leader,”</em> from a Data Protector to a <em>“Risk Manager,”</em> from an Enforcer to an <em>“Educator”</em> and, last but not least, from a backstop to a <em>“Trusted Advisor.” Today’s CISO enables business and boosts the bottom line.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>/the-evolution-of-the-ciso/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cyber Insurance &#8211; The New Norm: A CISO’s Perspective</title>
		<link>/cyber-insurance-the-new-norm-a-cisos-perspective/</link>
					<comments>/cyber-insurance-the-new-norm-a-cisos-perspective/#respond</comments>
		
		<dc:creator><![CDATA[Roota Almeida]]></dc:creator>
		<pubDate>Fri, 19 Feb 2016 16:34:17 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16421</guid>

					<description><![CDATA[<p>Just about every business today needs cyber-insurance. More and more small businesses are doing online transactions and it will only increase as we move forward. A company with fewer amounts&#8230;</p>
<p>The post <a href="/cyber-insurance-the-new-norm-a-cisos-perspective/">Cyber Insurance &#8211; The New Norm: A CISO’s Perspective</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Just about every business today needs cyber-insurance. More and more small businesses are doing online transactions and it will only increase as we move forward.<br />
A company with smaller amounts of data is more likely to be hacked than a firm with Big Data, because smaller firms are less likely to have robust defenses against hackers. Hackers are very opportunistic; if they can get 100 credit cards from the local restaurant, they will make the effort without hesitation.<br />
Due to recent high profile breaches wreaking havoc on many enterprises, cyber insurance will be gaining velocity and popularity. The Board and the C-Suite will have an appetite for reducing risk, in part, by offloading it to insurance providers. Government agencies and insurance companies are already at work establishing guidelines to support the growth of the cyber insurance market.<br />
Solutions providers will also accelerate the increased adoption of cyber insurance policies. They will tout the promise of reduced premiums for enterprises that adopt their solutions to demonstrate proof of having critical security controls in place.<br />
Moving forward, cyber insurance companies will have two sets of customers: new clients and existing clients who are buying additional coverage. Premiums will depend on the size of the company, the industry in which it operates, the amount of data being insured and the security controls and solutions being utilized.<br />
Cyber insurance policies, which cover the cost of conducting an investigation into a breach, will evolve to also cover the cost of brand management, loss of revenue and customers, and credit monitoring for those affected by a breach.<br />
However, as an industry, we need to quantify cyber risk more accurately as actuarial data is often scarce. An ideal form of cyber risk management requires a balance between IT security measures and the transfer of risk via insurance solutions for cyber-risk.<br />
Insurers&#8217; core competency lies in pricing and underwriting risk, while cybersecurity experts specialize in using technology to deal with cyber vulnerabilities. Insurers must partner with cybersecurity experts to create a holistic cyber risk management plan for businesses and organizations.<br />
Cyber insurance companies must offer customized solutions that cover a broad range of cyber-risks because the risks faced by organizations are unique to the industry in which they operate.<br />
The degree of cyber exposure, the scale of the organization, the type of data collected, and most importantly the organizations’ ability to handle risks are key determinants of cyber insurance policy terms and pricing.<br />
Cyber Insurance is like health insurance; there is no need to research if it&#8217;s worth having or not. Not having cyber-insurance could prove costly. Much like health insurance offers a safety net for families, cyber insurance will help a CISO rest easier and focus on the business at hand.</p>
]]></content:encoded>
					
					<wfw:commentRss>/cyber-insurance-the-new-norm-a-cisos-perspective/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Where Do We Go From Here? The Future State of Information Security!</title>
		<link>/where-do-we-go-from-here-the-future-state-of-information-security/</link>
					<comments>/where-do-we-go-from-here-the-future-state-of-information-security/#respond</comments>
		
		<dc:creator><![CDATA[Roota Almeida]]></dc:creator>
		<pubDate>Wed, 09 Dec 2015 19:19:34 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16474</guid>

					<description><![CDATA[<p>WHAT DOES THE FUTURE LOOK LIKE? CAN WE ACTUALLY PREDICT THE FUTURE? As a person who regularly makes predictions would tell us, the past is an important tool in determining what will happen&#8230;</p>
<p>The post <a href="/where-do-we-go-from-here-the-future-state-of-information-security/">Where Do We Go From Here? The Future State of Information Security!</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><strong>WHAT DOES THE FUTURE LOOK LIKE? CAN WE ACTUALLY PREDICT THE FUTURE?</strong></p>
<p>As a person who regularly makes predictions would tell us, the past is an important tool in determining what will happen in the future. Past experiences can be collected in the form of data to calculate probabilities of certain events happening in the future.</p>
<p>In the world of business, correctly seeing the future – even a few months out – can provide a competitive edge, and in the case of cyber security, can enable success against ever-present attackers. A missed guess can leave one scrambling to catch up.</p>
<p><strong>SO WHAT SHOULD WE EXPECT?</strong></p>
<ul>
<li><strong>Healthcare and health insurance enterprises will continue to be prime targets for cyber criminals</strong>. The Anthem and Premera breaches have paved the way for more to come. Healthcare records hold a treasure trove of data. No other single type of record contains so much Personally Identifiable Information (PII) that is often linked to financial and insurance information, and therefore highly valuable to attackers. “Get ready for Medical Identity Fraud!”</li>
<li><strong>Who cares about credit card numbers? Make way for “Personal Identity Dossiers!” </strong>With billions of dollars just there for the taking, there is no doubt that retail cyberattacks targeting credit card data will continue in 2016. However, as defenses against these are strengthened by added security measures (Chip and PIN technology), there will be a significant change in the way these thefts are committed. The criminals will evolve their tactics to gather additional data, such as information related to customer loyalty programs, shopping behavior, and more.</li>
</ul>
<p>When collected from different sources and then analyzed using analytical tools, this data becomes “Personal Identity Dossiers,” consisting of the various credit cards the individual possesses, his/her geographical data, PII and behavior. These “Personal Identity Dossiers” are going to be worth much more than the credit card numbers.</p>
<ul>
<li>Additionally, breaches in the past couple of years have wreaked havoc on many brands and company reputations. Due to this, the Board and the C-Suite will have an appetite for offloading the risk to insurance providers. <strong>Cyber Insurance will gain velocity and popularity in the coming year.</strong></li>
<li><strong>IT will continue to “Cloudify,” but at an accelerating pace</strong>. Pretty soon the small and mid-size companies will not have an on-premise data center.</li>
<li><strong>Old code, new chaos… </strong>Old source code is the new Trojan horse waiting to be exploited. A large part of what makes information systems open to attack is that they contain “undocumented features.” The more experience one has with any one piece of software, the more holes can be identified and closed. Yet, even a perfect fix lasts only until the next innovation hits the system. This shows that the art of forecasting tomorrow&#8217;s troubles is connected to the art of forecasting tomorrow&#8217;s pointless wonders!</li>
</ul>
<p><strong>AND HOW CAN WE PREPARE FOR THE FUTURE?</strong></p>
<ul>
<li><strong>Follow the Data &#8211; </strong>CISOs are torn between securing legacy equipment and embracing tomorrow’s leading-edge technology, and it is pushing limits. In this battle of new and old technology, our data will be our most important asset. We must innovate our business approach and risk profiles to embrace this.</li>
<li><strong>Identity and Access Management (IAM) has to be tackled &#8211; </strong>Users and their identities are the most vulnerable link in a network. CISOs are challenged with managing the identities and privileges of an increasingly diverse group of users that use a multitude of devices to log into systems both inside and outside the enterprise. A valuable Identity and Access Management solution is flexible enough to provide authentication and authorization services to Cloud, Mobile and Social Interaction within our enterprise IT solutions, while enabling improved secure collaboration with our partners and vendors.</li>
<li><strong>A Managed Services Partner will be a must-have – </strong>A managed security services partner will not replace your existing internal IT team, but augment it. They will bring in the expertise, threat modeling and other compliance and protection services you might not have internally, but which are needed to mitigate risk in line with regulatory obligations and business goals. Remember, it is difficult to bounce back from business interruptions or unexpected losses caused by IT security gaps. The cost of avoiding such threats is typically much less than the cost of recovering from them.</li>
<li><strong>CISO Role is and will be changing significantly &#8211; </strong>CISOs must evolve to balance risk and enable business.</li>
</ul>
]]></content:encoded>
					
					<wfw:commentRss>/where-do-we-go-from-here-the-future-state-of-information-security/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
