When I was a research director working with Gartner’s security and risk management practice, as part of the analyst role I had the opportunity to speak with numerous CISOs and other security and risk management leaders from around the globe. Whether these leaders were from Europe, Australia, Asia, Latin America, Canada, or here in the U.S., our discussions invariably hit upon an expansive range of themes that covered everything from incident response, SOAR applications, reporting to the board of directors, privacy (notably the GDPR), New York State’s cybersecurity law for financial service firms, breach and attack simulation (BAS) tools, cyber liability insurance, finding competent staff in a tight labor market, how to work with CIOs, whether to use a cyber range, the value of ISACs, IT risk management, to which security framework is better – the NIST CSF or ISO 27001. The topics were seemingly endless. That’s because they were.
Few disciplines are as varied and as expansive as that of security. CISOs are expected to be well versed and informed on the security risks that range from application development at one end of the continuum to the specific breach requirements found in global regulations at the other. Security leaders are also expected to know the ins and outs of network security, vendor risk management, data, cloud, application, endpoint and end user security – the list goes on and on – as well as the intentions of threat actors and the TTPs of the most recent exploits. Effectively, CISOs are expected to have near perfect 360-degree visibility across nearly every dimension of risk for their organization and the technology stack used by their company and its employees.
Today’s focus on work from home (WFH), necessitated by responses to the COVID-19 pandemic, brings a fresh set of risks that CISOs and their teams must address proactively. Remote access, VPNs, credential management, and data governance over regulated data (notably PHI, PII and cardholder data) will all be stressed by this new norm. CISOs must determine whether their organization’s infrastructure to support remote work can meet the demand for these services while also being adequately secured and supporting privacy and data governance objectives. Clearly, we live in complicated times. Having a solid understanding of the organization’s security capabilities has never been more important.
The reality is that security is a comprehensive enterprise discipline with pervasive impacts for the organization. No corporate function or department is immune from security risks. Security leaders, notably the CISO, need to evaluate digital and cyber risk across multiple departments including among others:
- Human Resources
- Finance & Accounting
- Sales & Marketing
Each department brings their own unique security considerations and their own set of risks that should be adequately addressed within the security program. Security, to overstate the obvious, is not just an IT or technical discipline. Security is a multi-disciplined domain and can affect an organization’s finances, operations, reputation, and the privacy and safety of employees and customers alike. Security has enterprise risk considerations and accordingly, the pervasive nature of security requires a comprehensive review that spans both highly technical disciplines to administrative and compliance elements of security and risk management.
The CISO’s risk awareness must mirror that of the industry in which their firm operates as well as the unique organizational dynamics of their company or the CISO risks being blindsided. Indeed, the security program that the CISO oversees should be clearly aligned to the organization’s priorities and strategy (including an appropriate knowledge of the organization’s operational environment) and help mitigate risk to levels that have been formally agreed to and funded by the executive leadership team. Few CISOs, however, benefit from this level of business alignment. Too frequently, the status and risk implications of the security program are lost in translation as business stakeholders quizzically try to understand how a CVE impacts their department. As CISOs, we clearly need to translate and tie technical risk into business risk.
Effective security requires that security leaders take a comprehensive view of their organization’s security program…a view that can quite literally span from DevOps and micro services at one end of the spectrum to legal and regulatory compliance at the other. This is one of the principal reasons why conducting a comprehensive security program assessment is so valuable to both the CISO as well as other risk-focused stakeholders within the organization.
A comprehensive security program assessment makes this translation and alignment tenable. When conducted correctly, security program assessments surface risks that are either overlooked or misunderstood by business stakeholders while introducing business context and industry dynamics that may not have been adequately captured by CISOs, who are likely focused on the day-to-day of running their programs. Security program assessments should look at four broad security functions:
- Security alignment
- Security governance
- Security administration
- Security architecture
Security governance, administration and architecture are all founded on good alignment with the business’ priorities and strategy. Failing to have a security program adequately aligned to the business could result in the executive leadership team being unaware of critical risks – and their required risk treatment and remediation – that could adversely impact the organization’s strategy. Similarly, without business context, risk management decisions could be too costly for the risk at hand (effectively the cure is worse than the disease). Security program assessments that bring multiple stakeholders to the table surface these dynamics and foment risk alignment and get stakeholders to think about the enterprise risks to the organization when security is not adequately governed, administered or architected correctly to mitigate cyber and other forms of digital risks. A key outcome of a security program assessment is greater clarity on the risks at hand and the appropriate and agreed-to treatment of these risks.
Equally important, program reviews should leverage maturity modeling around assessed practices (here at EVOTEK we analyze nearly 40 dimensions of a security program spanning the four pillars noted above) on a 0-5 scale where 0 is a capability or competency that is non existent while a 5 is a process that is optimized. Too frequently, assumptions are made as to what level of maturity is appropriate for an organization. Business leaders need to understand that higher levels of maturity require organizational commitment, staffing and clearly funding. However, high maturity and the commensurate costs actually may not be appropriate based on the company’s operating environment and risk tolerances. What level of maturity a security program should have over specific security functions, application development, as an example, will depend greatly on operational and risk tolerance context. Firms that are in the business of building and developing mobile apps will clearly want mature capabilities for this domain while others that use commercial off the shelf (COTS) applications would be wasting money investing in higher levels of maturity for a security function or capability that is simply not material to their operations.
There is important nuance that surfaces when conducting a security program assessment. This context ultimately helps the CISO and the business leaders with whom the CISO works to build and oversee a security program that manages risks to levels that all stakeholders have agreed to and funded. Another key outcome that can result from conducting a security program assessment is the development of an enterprise risk register. The security program itself needs a risk register and the security team needs to understand cybersecurity risks in the context of other broader, enterprise risks. Risk registers help stakeholders ensure that material risks are documented and that their treatment plans are established. Risks can be avoided, insured against, mitigated, transferred but never ignored.
Security program assessments should offer an unbiased, arms-length and comprehensive review of an organization’s security program…a view that empowers stakeholders to tackle issues directly leaving their organizations more resilient and better prepared to address corporate strategy and execute on business initiatives without being blindsided from a security incident. Ultimately, the analyses that come with a security program assessment make risk management decisions clearer and more effective. The end result is a security program that supports corporate strategy and initiatives.