On many occasions over the past few months, I have been asked what a CISO should really be doing to answer the inevitable question from their top management - “How safe is the Company today?”.
Given that several of these occasions were festive year end parties, I felt that some of our initial conclusions were perhaps a little too honest to repeat. On reflection though, as we now enter another new year, the opinions expressed revealed some strongly felt cyber risk concerns.
Common subjects of discussion include “What should a CISO really be doing to keep a company safe?”, and the much more troubling “What does a CISO actually do anyway?”.
Fortunately, the participants in these conversations came from many different business environments and disciplines. All have an understanding of business, technology, and definitely a business-level grasp of managing cyber risk.
We eventually agreed that understanding what “safe” actually means to a business is crucial to any attempt to answer the question. Moreover, the lack of understanding around this starting point appears to be a critical factor in many of the sad stories we heard last year where organizations empirically turned out not to be as safe as their management had reported.
We all use, indeed we depend on, reliable, efficient IT systems to conduct every level of our businesses today. Indeed, in all sizes of business there is someone with a role of IT manager, or Chief Information Officer tasked with making sure that IT happens. Usually (inevitably?) they are the most technically trained and experienced IT person in the organization tasked with making all of the IT in the business work to support the profit generation strategy that the business has.
It is also well recognized that practically no business, anywhere, ever said to a CIO “give me the best security you can before you implement the systems that start making a profit for us”. For that we often appoint an equally technically aware and experienced IT security person to become our IT security manager, or our Chief of Information Security.
A common assumption behind many of the high-profile cyber breaches was that expensively acquired security technology had failed, or that the cyber attackers had simply been smarter and more technologically capable than the organizations they attacked.
In reality, it is much more likely to have been a failure to recognize which critical business capabilities needed to be kept most safe within the business that allowed adoption of generic solutions to cyber security threats. Solutions that, by default, did not measurably reduce the most significant risks to the most critical value-creating components of that business.
So, with many unhappy tales of breaches and ransomware post-mortems giving us the omnipotent power of hindsight, what should a new CISO do in his first hundred days to answer our original question?
A hundred days is a long journey to start without a map, so to help a new CISO, or indeed even a new CIO, the first 100 days of that new role should be used to determine exactly what the business does to deliver profit, value, and benefit to its shareholders, and customers.
Then to use that determination to quantify the critical information and application systems and processes that deliver the greatest value opportunities to success and profit, and then begin the prioritization of cost-effective cyber risk reduction and monitoring of threats against those systems. We can simplify this to one phrase: Develop a cyber resilience strategy.
Some of the foundation for cyber risk will certainly be technical, and fortunately be readily addressable at an IT availability level, but most threats will damage both daily business function and prevent future delivery of planned business objectives and strategies specific to that organization.
Cyber threats to those critical business objectives need to be recognized and prioritized against impact and managed for resilience at the business level. Cyber risks are fundamentally business threats that manifest through adversarial attacks using technology. This means their impacts are rarely due to IT issues alone.
Once a CISO has delivered a cyber risk posture assessment to their senior management it becomes much easier to report progress and actions against those risks in a manner that conveys that “we are getting safer” in respect of cyber risk exposure. The CISO can then explain and measure the benefits of investing in cyber risk reduction in business case terms that support the investment in technology, upgrades, process, or maintenance.
This does however require that a CISO not only understand and be able to explain the technical aspect of the control processes necessary to manage such threats to the CIO. To be truly effective, a CISO must equally be able to explain the value affecting impact of those threats in the non-technical language of the primary business function of the organization itself.
So, when you find yourself as the CISO being asked this question, your ability to truthfully answer that question, and indeed the quality of your answer in terms of actionable value for the questioner, depends on whether you yourself have previously asked your own questions to understand what safe looks like within the context of your own organization. And here’s a hint, it is very unlikely to be the exact same safe that everyone else is talking about.